PCI Compliance Checklist 2022: Plus, 17 Ways to Increase Security, Trust & Sales

  • International Military Antiques spent three months and $50K trying to secure its Magento site before replatforming 
  • A year into self-hosting, DollarHobbyz was compromised, impacting 150K user accounts; it then decided to migrate to a SaaS-hosted platform
  • Merchants have until the start of 2019 to complete their transition to the new version (3.2.1) of the PCI Security Council’s validation requirements and standards
  • For big-box retailers that are hacked, 19% of current customers would stop shopping and, of those that would return, 52% would wait three months to over a year

In the dark corners of the internet, an enemy lurks. It doesn’t matter how big or small your organization is, or what you sell.

If your company processes online payments, you’re on their hit list.

In fact, just this year Shape Security found that upwards of 80-90% of log-in traffic to retail ecommerce sites is fraudulent. That’s a higher percentage than any other sector.

80-90% of an online retailer’s login traffic is made up of credential stuffing attacks

Major corporations like Macy’s, Adidas, Best Buy, Forever 21, and Sears are among at least 15 brands that have been hacked in the past 18 months.

The fallout from these breaches can do serious damage to your brand and sales long-term.

A study by KPMG revealed that 19% of consumers would completely stop shopping at a retailer after a breach. Of those that would return, 52% would wait an extended period of time: three months to over a year.

Security and online shopping

Data compiled within the PCI Compliance Checklist

What can you do to prevent this from happening to you? How do you earn and keep your customers’ trust in order to boost conversions and sales?

To answer both questions, this guide is broken down into three sections …

  1. What Is PCI Compliance?
  2. 2018 PCI Compliance Checklist
  3. 17 Ways to Increase Trust and Sales

Already on Shopify Plus?

Then feel free to skip past the PCI compliance sections and go straight to 17 Ways to Increase Trust and Sales.

Out-of-the-box, all Shopify stores are hosted in virtual (cloud-based) environments with industry-standard security certifications including:

  • Level 1 PCI DSS
  • ISO 27001
  • SOC 2

Shopify has been a Level 1 service provider under PCI DSS since 2011 — undergoing the annual onsite audits — actively participates in the PCI community, and has been a participating organization in the PCI council since 2012.

What Is PCI Compliance?

PCI compliance — or, PCI DSS compliance — means compliance with the Payment Card Industry Data Security Standard (PCI DSS). It’s a proprietary information security standard for all organizations that store, process, or transmit branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.

Its security requirements are broken out into six key milestones that “help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance.”

The milestones offer helpful benefits:

  • Roadmap to assess, address, and report on prioritized risks
  • Objective and measurable indicators of progress
  • Consistency among assessors

PCI DSS was first set up in December of 2004, when the aforementioned credit card companies came together to form the Payment Card Industry Security Standards Council (PCI SSC), the organization behind PCI DSS. The most current PCI DSS (version 3.2.1) came out in May 2018.

The changes from version 3.2 are outlined here. They show that certain requirements were moved up in order of priority from previous versions to address “evolving security risks” such as SSL/early TLS, which required ecommerce merchants to migrate to a more secure form of encryption by a specific deadline that has now passed.

The aim of PCI compliance is simple: to protect card issuers and cardholders by ensuring merchants meet minimum levels of security when they store, process, and transmit cardholder data.

Is PCI Compliance Mandatory for Everyone?

By federal law, PCI DSS is not required in the U.S. However, some state-level laws refer to PCI DSS directly.

For example, in 2009, Nevada incorporated PCI compliance into state law, requiring compliance of merchants doing business in the state and shielding compliant organizations from liability. Similar laws were also enacted in Washington in 2010.

Even without federal laws, PCI DSS compliance is required by major credit card schemes once your business reaches a certain size.

Non-compliance can result in monetary penalties — ranging from hundreds to hundreds of thousands of dollars — and, in the case of a breach, you’ll be liable for all damages.

On top of that, both banks and credit card companies can enforce additional requirements that are not covered by PCI documentation. So, be prepared for unforeseen hurdles on a case-by-case basis.

2018 PCI Compliance Checklist

When dealing with PCI DSS requirements, you can either go through the process yourself or get help from a PCI SSC Qualified Security Assessor (QSA) who will do most of the work for you.

It’s a good idea to go through the process at least once to get an overview of what’s required and make informed decisions.

Then, as your organization grows (and it gets increasingly difficult to manage everything by yourself) it makes sense to bring in expert help.

Step 1: Determine Your Compliance “Level”

The first thing you need to do is to figure out which “level” of compliance your business falls under. For that you need to collect data on how many transactions are done with each of the major credit card brands, ideally also separated by channel (e.g. in-store or online).

There are four levels of compliance standards, as outlined in the chart below. Each level is determined by the number of transactions your organization processes per year:

PCI Compliance Levels 1-4 (infographic transcript, based on major credit card requirements):

  • Level 1: 6 million or more Discover, Mastercard, or Visa transactions annually; 2.5 million or more American Express Card transactions
  • Level 2: 1-6 million Discover, Mastercard, or Visa transactions annually; 50k-2.5 million American Express Card transactions
  • Level 3: 20k-1 million Discover, Mastercard, or Visa transactions annually; less than 50k American Express Card transactions
  • Level 4: All other merchants processing credit card transactions less than the above-stated levels

Below is a handy list of links to help you understand the definition of compliance “levels” for each of the credit card brands:

If your organization is at PCI compliance level 2, 3, or 4, your validation requirements are basically the same and include:

Since PCI level 1 compliance involves the highest number of annual transactions, you must also enlist a Qualified Security Assessor (QSA) to complete an Annual Report on Compliance (ROC), in addition to a quarterly network scan and attestation of compliance.

Step 2: Follow the Self-Assessment Questionnaire

The PCI DSS Self-Assessment Questionnaire (SAQ) is a set of documents that contain questions based on the requirements of the PCI DSS.

In total, there are 12 requirements for compliance that are organized into six logically related groups. The chart below details the most current version (v3.2.1).

PCI Data Security Standards (infographic transcript):

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

Each of the 12 high-level requirements described above has additional sub-requirements. For example, requirement 11, “Regularly test security systems and processes,” has six sub-requirements.

In total there are 9 different variations of the SAQ. But you only need to comply with the specific SAQ that corresponds to your setup.

The variation that you need is dependent on how your organization handles credit card data. For ecommerce-only setups, the ones to look into are SAQ type A or, alternatively, type A-EP (as described below):

SAQ Type A: Description

Card-not-present merchants (ecommerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises

Shopify Plus enables merchants to outsource credit card data storage, which means you don’t have access to any customer credit card information via your admin, and you therefore fit under this SAQ type out-of-the-box.

SAQ Type A-EP: Description

Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

The key difference between SAQ A and A-EP is in the requirements that you need to fulfill in order to be compliant. It’s important that you identify the right questionnaire early on so you don’t waste time filling out unnecessary paperwork.

To make your life easier, contact your payments provider to find out which version of the SAQ (A or A-EP) you can or should use. For example, Stripe is fully compatible with the latest revisions to SAQ A, while others might not be.

As a final note on SAQs, the various versions of the questionnaire contain only the questions/requirements and offer no guidance. If you need help, open up the PCI DSS source document and follow the requirements from there. The document contains procedures and guidance on all requirements and sub-requirements.

Step 3: Complete Your Attestation of Compliance

After answering the SAQ, you’ll need to complete the relevant Attestation of Compliance (AOC). This is necessary to validate that you have complied with all the applicable steps.

Like the SAQ, the AOC has 9 different versions (and you only need to complete the one that is relevant to your business).

Additionally, in extraordinary cases, merchants might be asked to also fill out the “PCI DSS Designated Entities Supplemental Validation.”

Examples of organizations that would need this include those storing, processing, or transmitting very large volumes of cardholder data; or businesses that have suffered significant or repeated breaches of cardholder data.

Step 4: Enlist an ASV for External Vulnerability Scans

An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools (ASV scan solutions) that conduct external vulnerability scanning services to validate adherence with the external scanning requirements.

If you’re applying for an SAQ A-EP, you need it. It’s one of the questions in the form:

PCI DSS Questionnaire example

And while AOC A includes the question in the screenshot below, it doesn’t necessarily mean that you need to be performing scans by approved ASVs. The form (SAQ A) doesn’t say that you need to check that box, it only says to “Check all that apply.”

So, from the point of view of SAQ/AOC A, an ASV scan is not needed. At the same time, some acquirers (payment providers) have it as one of the requirements to use their services.

Again, it’s important to speak with your providers directly – even if you’re applying for SAQ A.

For a list of PCI SSC approved scanning vendors, click here. The scanning vendors’ ASV scan solution is tested and approved by PCI SSC before an ASV is added to the list.

Step 5: Submit the Documents to Your Acquirer Bank & Card Brands

The final step is to submit your completed SAQ and AOC, along with any other documentation such as ASV scan reports (see Step 4 for more details), to your acquirer bank and to the relevant credit card and other payment brands as requested.

Validation of compliance is then performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

2018 PCI Compliance Checklist Summary

  1. Determine Your Compliance “Level”
  2. Follow the Self-Assessment Questionnaire
  3. Complete Your Attestation of Compliance
  4. Enlist an ASV for External Vulnerability Scans
  5. Submit Documentation to Your Acquirer Bank & Payment Brands

17 Ways to Increase Trust and Sales

First and foremost, it’s essential to achieve PCI compliance to earn your customers’ trust that you are keeping their personal information safe.

Below are additional tips on how to make your customers’ buying journey worry-free, with no surprises when they check out.

1. Offer secure payment options

As mobile shopping goes mainstream, customers want to know that their payment information is safe – wherever and whenever they check out online.

That’s why mobile commerce is won and lost at the checkout. If you’re losing more sales to mobile users than on the desktop, you may need to optimize your checkout process. That’s where Shopify Plus can help.

Once a mobile user begins the checkout process on your site, they should be offered secure mobile-first payment options. On Shopify Plus, you can do this through:

  1. Shopify Pay
  2. Apple Pay
  3. Android Pay
  4. PayPal
  5. Amazon Pay

Displaying all five options is overwhelming. So, only include options that are popular with your existing customer base.

MVMT Watches’ mobile-optimized checkout does more than just display beautifully; it also defaults to two of the most-popular mobile-payment methods

These payment options offer ease and added security for the user as their saved credit card information is password protected and, in many cases, not stored on the merchant’s site.

2. Show the required checkout steps

The tips above don’t mean you should skip traditional logins and credit cards, since those methods are still important to shoppers – especially those checking out on a desktop.

A visual progress indicator in your traditional checkout flow prepares your customers in advance for the number of steps required to complete an order. Of course, too many steps can hurt your conversion rate.

Adding a description is also helpful as they’ll know what’s coming and can decide if they want to proceed. As you can see in the screenshot below, Shopify Plus merchant Dormify keeps its checkout flow short and simple with customer information, shipping method, and payment method.

Dormify increases trust by showing the steps required to checkout

Dormify also offers customers the option to quickly and securely check out as a guest via their PayPal account.

3. Let customers buy immediately via a preferred payment method

If a mobile shopper only wants to buy one product, why should they have to add it to a cart before checking out? Even back in 2012, Econsultancy was preaching “to make the purchase journey as short as possible.” Today, fewer clicks, screens, and taps drive more sales and customers.

This past April, Shopify announced an accelerated Dynamic Checkout flow to enable mobile customers to check out single products immediately via a product page using their preferred payment method or wallet. Current payments are available via Shopify Pay, Apple Pay, and PayPal.

Benefits of providing a dynamic checkout button include:

  • Accelerating mobile conversions by reducing the number of steps to complete a purchase
  • Delivering a personalized mobile checkout experience by serving up your customer’s preferred payment method or wallet
  • Capturing customer intent earlier with a custom checkout button directly on the product page, which circumvents the need to add a product to the cart first

More details about dynamic checkout can be found on the Shopify Help Center.

4. Ensure price and shipping cost transparency

Have you ever added a product to your cart that you thought was a great deal, then found out that there were added shipping costs, duties and taxes when you went to check out?

Customers often abandon their carts at this point because they feel like they’re being ripped off.

Whether your customers are B2C or B2B, the more transparent you can be with them regarding prices, the more trust and loyalty you will build.

In an ideal world, you should always offer free shipping and ensure that your customers are well aware of this at every point in the buyer journey. This post will help you figure out exactly how your organization can afford to foot the bill for the customer.

If you can’t offer free shipping on all orders, then set an order-value threshold for free shipping and automatically show customers how close they are to reaching it as they shop.

Fashion Nova uses Shopify Scripts to automatically update customers on how much more they need to add to their cart to qualify for free shipping

Bombas also uses Shopify Scripts to automatically tally how close the user is to earning free shipping; the notification appears in the user’s shopping cart 

The sooner a customer knows what they’re going to pay when they go to check out, the better.

5. Use a reliable ecommerce platform

When your desktop site crashes or lags during peak traffic days — or, when your mobile site takes more than a few seconds to load — you could lose those would-be customers for good:

79% of customers who report dissatisfaction with website performance are less likely to buy from that site again.

When Bombas was in high-growth mode and appearing on high-profile TV shows like Shark Tank, the company’s sales surged from doing 500 transactions a day to up to 4,000 a day.

Unfortunately, broken product images and the fact that customers couldn’t check out meant the company was hemorrhaging potential sales by the minute. By choosing to replatform with Shopify Plus, Bombas’ team now rests easy knowing that the platform can scale and handle high-volume shopping days.

Regarding Black Friday Cyber Monday, David Heath, co-founder at Bombas, says:

“It’s the one time of year that we offer a sale, so preparing for this is a year-long effort — between customer acquisition, our email plan, developing and releasing new product, making sure that we’re in stock, and then making sure that we’re fully staffed up on customer service to make sure that everything runs smoothly, and that all our customers get their products when they’ve ordered them.”

“Whether we’re doing 500 or 5,000 orders a day, Shopify Plus automatically scales with us, without us having to do anything extra.”

6. Support customers on their preferred platform

According to a Ubisend report, 51% of people say a business needs to be available 24/7. And 46% would rather contact a company through messaging than email.

Whether they prefer chatbots over humans or a self-service knowledge base versus a phone call, you should provide support to your customers via the platform of their choosing. Here are some tools to help you do that …

(1) Gorgias

Shopify Plus technology partner Gorgias helps stores like Thrive Cosmetics, Timbuk2, and Fjallraven manage all their customer support in one app.

With Gorgias, you can access all of your customer interaction data in one place to immediately gain a contextual understanding of the current issue. It not only saves time but also arms you with the information you need to deliver personalized service to your ecommerce site shoppers and build a brand that customers love.

Gorgias helped Maverick by Logan Paul set up an automation layer to immediately respond to customers’ most common requests, such as delivery questions or returns.

(2) Zendesk

Zendesk provides omni-channel customer support – from live chat to social media, and phone support. The customer service platform allows Shopify Plus merchants, who integrate the Zendesk app with their ecommerce store, to be there for shoppers at every touchpoint.

Shopify Plus agency partner Fame House, owned by Universal Music, manages customer service in-house for 80+ client ecommerce stores (primarily selling merchandise for major recording artists) via a centralized Zendesk integration.

(3) Native integration with Facebook Messenger

Via your Shopify store, you can set up a native sales channel on Facebook Messenger to allow your customers to purchase your products directly via the app.

For example, Cupshe lets its 600,000+ Facebook fans browse and shop conversationally within the Messenger platform. Approximately 35% of its sales now come, either directly or indirectly, via social media.

7. Show prices in a customer’s local currency

It’s also helpful to display prices in your customer’s local currency. Otherwise, it’s a shock for international shoppers to see the actual cost when they get their monthly credit card bill.

According to Open To Export, “Pricing in the local currency of your customer puts the customers’ needs first. It lets them know how much your offer really is in terms that they can understand, especially if your price includes freight or shipping costs and insurance.”

Blenders Eyewear offers a currency selector on its site so that customers know what the true cost of the product will be.

8. Use the same domain and design from product to purchase

If a customer clicks the checkout button and lands on a page and URL that doesn’t match the previous one, it can be very unsettling. That’s why Peepers customized the HTML on its Shopify Plus platform checkout to offer a visually consistent experience to build trust with the consumer via design and the URL.

This is a best practice as you want customers to always feel like they are on the same website – especially if you are redirecting them to another page to check out.

Likewise, the Baymard Institute found that more “robust-looking” pages and elements are perceived to be more secure: “visual clues such as background colors and borders can help increase the user’s perceived level of security.”

“The ability to customize with Shopify Plus,” says Peepers ecommerce manager, John Hart, “allows us to push it to the limit and create a custom checkout experience customers can trust and be confident that their personal and payment information is safe. It makes customers feel like the site is going to take care of them.”

9. Place “trust seals” near high-value buttons

Seeing a trust seal near the buy button at the bottom of a checkout page gives customers peace of mind that their payment is secure – helping to reduce cart abandonment rates. They can include:

  • Guarantees
  • Payment options
  • Security certifications
  • Logos of trust-inducing organizations

Which badge gives you the best sense of trust when paying online?

10. Cultivate honest ratings and reviews

Ratings and reviews provide social proof that your business and products are trustworthy. According to Spiegel Research Center and PowerReviews, “even negative online reviews can be helpful, as retailers that display online reviews see conversion rates rise by as much as 270 percent, with higher-priced and higher-consideration items benefiting more.”

The study also revealed that:

“Purchase likelihood peaks for products with average ratings between 4.0 and 4.7 on a five-star ratings system, with those closer to 5.0 viewed with skepticism as being ‘too good to be true.’”

Roughly a year after integrating user-generated reviews app Yotpo with its Shopify Plus site, Pura Vida Bracelets found that:

  • Conversion rate of customers on-site who engage with reviews is 11.4% which is over 400% higher than customers who don't engage with reviews
  • Average order value of customers who engage with reviews is $34, which is about 11% higher than customers who don't engage with reviews

“Since we started our partnership with Yotpo, we’ve been able to easily connect with, and leverage relationships with new and existing customers like never before,” says Griffin Thall, Co-founder at Pura Vida Bracelets.

What about offsite UGC on social media?

Monitoring your brand’s reputation is critical to trust, especially when you’re paying for exposure through Facebook ads or running organic promotions through your page. That’s where tools like Sour Grapes come in.

Sour Grapes automatically scans your branded Facebook content in real time using natural language processing and sentiment analysis to identify when, as they put it, “comments [start] sippin’ on too much Haterade.”

Joking aside, negative comments can profoundly impact ROAS as well as onsite conversion rates. That’s why the app auto-hides negative comments — rather than deleting them (which can cause even more negative responses).

Once they are flagged, you can address complaints from within the app’s dashboard instead of just letting them “sour” your reputation.

Sour Grapes for monitoring negative comments on Facebook ads

11. Increase page speeds

Building loyalty and trust with customers also depends on how fast your pages load on their browsers. According to Mobile 1st:

Slow pages are the number one issue that irate mobile users complain about — ranking even higher than site crashes.

And, according to Skilled, “for every 1-second delay in page speed, there is a 7% reduction in sales.” That’s why you must optimize your page speed performance.

To learn how to improve page speeds, including Shopify Plus platform-specific optimizations, refer to this post: 15 Ways to Improve Ecommerce Site Performance for Faster Page Speed and Better Sales.

12. Offer free trials or sample sizes

If your organic face cream or artisanal olive oil has a high price point, consumers may be nervous to invest that much money before knowing if they like it.

One solution is to offer free trials or sell smaller travel or sample sizes.

Fruit pigmented cosmetics brand, 100% Pure, sells “Travel Sizes” on its site to encourage customers to try its products at a discounted price

For larger or more heavy-use products, “Try Before You Buy” offers are often a must:

On average, 70% of women keep their bras acquired via THIRDLOVE’s “Try Before Buying” offer which allows them to try products, free of charge, for 30 days before paying

Leesa combines two trust-building elements: (1) a “100-night risk-free trial” and (2) a payments calculator

13. Beware of the security risks on self-hosted platforms

While many self-hosted ecommerce platforms like Magento offer the option to deploy PCI compliant storefronts, merchants are still on the hook for ensuring the site is secure. That can cost a lot of money and time that you may not have right now.

Choosing a platform like Magento can also leave your site vulnerable to regular malware attacks. In 2015, 10,000+ Magento sites were compromised by the Guruncsite malware. Within the first 90 days of the security breach, over 8,000 of those storefronts were immediately blacklisted by Google.

Merchant Spotlight: Dollar Hobbyz

Dollar Hobbyz was a year into self-hosting its site when a hack occurred.

“That was an awful email to have to send out to our list of over 150k people. It broke our hearts, and frustrated our customers,” says William Harris, VP of Marketing at Dollar Hobbyz.

The security breach wasn’t entirely the platform’s fault; it was due to “the way our Magento site was set up. All of that data, all of that information – it was all stored on our own hosting server. If one area of the website security was weak, it opened up issues with critical pieces in our backend.”

According to The 2016 Trustwave Global Security Report:

“In the ecommerce space, the Magento open-source ecommerce platform was the target of choice for attackers, with Magento installations accounting for 85 percent of compromised systems.”

Most of the compromised sites weren’t fully up to date with security patches. One of Magento’s own best practices alludes to the bigger issue:

In other words, the onus is on you to set up and maintain a secure site.

14. Consider using a cloud-based solution instead

Rather than carrying the full weight of the responsibility to be PCI DSS compliant, why not rest easy knowing that your ecommerce platform has your back?

Out-of-the-box, Shopify is hosted in virtual (cloud-based) environments with industry-standard security certifications including:

  • Level 1 PCI DSS
  • ISO 27001
  • SOC 2

With a fully hosted SaaS solution, built to handle any level of transaction volume, Shopify Plus allows you to focus on your business. It also frees you from costly IT maintenance, management, and security requirements.

“Shopify undergoes an annual PCI DSS onsite assessment by a qualified security assessor,” says Io Hanson, Solutions Engineer at Shopify Plus.

“All credit card data processed by Shopify is performed in a purpose-built environment, isolated from the Shopify platform, our corporate networks, or any other systems maintained by Shopify.”

The Shopify Plus platform is also audited to ensure this isolation is robust and that the appropriate controls are in place for:

  • Network security
  • Data protection
  • Vulnerability management
  • Access control
  • Policy compliance

Shopify has been a Level 1 service provider under PCI DSS since 2011, undergoing the annual onsite audits. Shopify actively participates in the PCI community and has been a participating organization within the PCI council since 2012.

Participation includes attending annual conferences and collaborating with numerous payment processing partners to ensure Shopify remains on the leading edge of new PCI developments.

Merchant Spotlight: IMA

International Military Antiques’ (IMA) site was hacked while it was self-hosted on Magento. All it took was a piece of JavaScript in the footer that was scraping credit card details, as happened to many other Magento sites.

IMA was facing potential fines by Visa while the team “spent $50,000 and three months of sleepless nights trying to secure the site,” says Alex Cranmer, VP at IMA.

After replatforming with Shopify Plus to avoid future PCI compliance and security issues, IMA is not only saving the $300 per month it previously spent on Magento server space; its overall operating costs have been cut in half.

The company achieved a 19.16% YoY increase in conversion rate and a 35.86% YoY increase in revenue from Q4 2016 to Q4 2017.


“Switching to Shopify Plus is one of the best decisions I’ve made in my business career. The record fourth quarter is very validating after having been on Magento almost seven years,” says Alex Cranmer, VP International Military Antiques.
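The IMA incident is the classic card-skimming pattern: a script that does not belong in the page template quietly appears in the footer. The check a defender wants is an inventory of every script the checkout page actually loads, compared against a baseline. The following Python audit is an added example, not code from the original post, from Shopify or from IMA: it parses a rendered page, flags any external script whose host is outside an allowlist, and flags any inline script whose SHA-256 hash is not in a known set. The sample HTML, the `*.test` hostnames and the baseline are constructed for the illustration.

```python
# Added example (not from the original post, Shopify or IMA): audit the <script>
# tags on a rendered checkout page against an allowlist and an inline-script
# baseline, the check that surfaces an unexpected footer script.
# Sample HTML, hostnames (*.test) and the baseline are constructed for illustration.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of <script src=...>
        self.inline = []        # body text of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(body):
    """SHA-256 of an inline script body, used as its baseline identity."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, known_inline_sha256):
    """Return (kind, detail) findings for scripts that are not in the baseline.

    kind is "unexpected-external" (detail: the src URL) or "unknown-inline"
    (detail: the SHA-256 of the inline body).
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # A src with no host (e.g. /assets/theme.js) is served by the store itself.
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external", src))
    for body in collector.inline:
        digest = inline_hash(body)
        if digest not in known_inline_sha256:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed sample: a checkout page whose footer has picked up two scripts
# that are not in the baseline.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/assets/theme.js"></script>
<script src="https://cdn.example-store.test/checkout.js"></script>
<script>window.storeConfig = {currency: "USD"};</script>
</head><body>
<p>Checkout</p>
<footer>
<script src="https://unknown-third-party.test/j.js"></script>
<script>document.querySelector("#promo").textContent = "Free shipping";</script>
</footer></body></html>
"""

# Constructed baseline: hosts the store is expected to load scripts from, and
# the hashes of the inline scripts that belong to the theme.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-store.test"}
KNOWN_INLINE_SHA256 = {inline_hash('window.storeConfig = {currency: "USD"};')}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_SHA256):
        print(f"{kind}: {detail}")
```

Run it on a schedule against the HTML exactly as a browser receives it (after any CDN or edge layer), and treat every new finding as a change request to verify rather than noise to allowlist. A Content-Security-Policy in report-only mode and Subresource Integrity on external scripts complement this: the policy stops or reports the script at load time, while the baseline diff tells you the template itself changed.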

15. Improve your on-site search

Your on-site search should function like an in-store sales clerk who assists customers to find what they want to buy. If your site search is substandard, you could lose a lot of customers who feel like you don’t care enough to help them shop.

It’s a tremendous missed opportunity because...

Customers who use site search are almost 2X more likely to convert on your site and can generate upwards of 40% of your site’s revenue.

In fact, after IMA replatformed and adopted InstantSearch+, visitors who used IMA’s custom search engine converted at a rate seven times higher than those who only browsed.


16. Build instant credibility with an Extended Validation SSL Certificate

According to Google, first impressions about a website’s “visual complexity (VC) and prototypicality (PT)” are formed in as few as 17 milliseconds. That’s not a lot of time to build trust with a new customer.

If you replatform with Shopify Plus, a simple thing you can do is add an Extended Validation SSL Certificate (also known as EV SSL). EV certificates appear in the address bar of all major browsers as a green lock, green text, or a “Secure” message.


A DigiCert white paper revealed that 67% of survey respondents would “not buy from an unfamiliar website that didn’t have an EV SSL Certificate” and 100% “prefer doing business” with a site that has one.

The largest independent footwear retailer in the UK, Fitness Footwear, saw shopping cart abandonment drop by 13.3 percent and conversions increase by 16.9 percent after adopting an EV SSL certificate.

EV certificates are the highest validation tier of SSL certificate available on the web. Shopify Plus automatically provides Level 1 PCI DSS compliance, a site-wide SSL certificate with redirection of traffic from HTTP to encrypted HTTPS, data protection, and risk assessment for every order.

But while all Shopify merchants can secure their stores with a Domain Validated SSL certificate, only merchants on Shopify Plus can set up EV SSL for their store, by following these steps:

  1. Shopify Plus merchants can order EV certificates from the Domains page of their admin. From there, fill out a form and order the certificate. Note: the badge text must always include your legal business name, in the form “DBA (Legal Business Name)” or “Legal Business Name.”
  2. GlobalSign will reach out to the Approver to have them complete and sign two forms: one to verify the company information and one to confirm their authority to sign on behalf of the company.
  3. GlobalSign will also check the company name against a global company database. Based on that search, they’ll confirm the merchant through a phone call, a notarized letter, or a letter from GlobalSign.

It takes just a few minutes to set up your EV SSL, a couple of weeks at most to confirm, and can have a lasting impact on your business.

17. Remain vigilant

Ensuring the safety and security of your customers’ personal data is an ongoing process. Even if you choose a SaaS platform like Shopify Plus that is Level 1 PCI compliant out of the box, it’s important to stay up to date on the security breaches and hacks affecting your industry peers.

Likewise, you should take measures to ensure your customers feel they can trust your business with their personal information. That includes offering secure payment options, upgrading to an Extended Validation SSL certificate, displaying trust seals, and showing other credibility-building information such as shipping costs and local currencies.

For more information on what Shopify Plus is working on in regards to the safety and security of your customers, contact us today.

About the author

Andrea Wahbe

Andrea Wahbe is a freelance B2B marketing strategist and corporate storyteller who writes about Canadian SMEs, marketing, and digital media trends.
