SSL, HTTPS and PCI Compliance
To accept credit cards on your site, you must have a TLS certificate (still commonly called an "SSL certificate") installed and serve every page that collects card data over HTTPS. This is required by PCI DSS: cardholder data transmitted over open, public networks must be protected with strong cryptography (Requirement 4), and the obsolete SSL protocol and early TLS versions no longer qualify, so your server should be configured for TLS 1.2 or later. Having a certificate and using HTTPS does not by itself make you fully PCI compliant, however. Which requirements apply depends on your business type, your technical setup (in particular, whether card data passes through your server or goes straight from the customer's browser to your processor) and your transaction volume. If you have PCI compliance concerns, speak with your payment processor or a PCI-DSS expert. This article (http://tomkconsulting.com/news049-PCI-Overview.htm) is a good primer on the subject and can help you understand what, if any, additional steps you need to take. These PCI FAQ guides are also succinct and helpful: a general one at https://www.pcicomplianceguide.org/faq/#4 and one specifically for eCommerce at https://www.pcicomplianceguide.org/pci-saq-3-1-e-commerce-options-explained/.
HTTPS authenticates your web server to the visitor's browser (the certificate proves the browser is talking to your site and not to an impostor), which protects against man-in-the-middle attacks. It also encrypts and integrity-protects the traffic in both directions between the customer's browser and your server, which protects against eavesdropping and against tampering with or forging the contents of the communication.
Please review our article Securing Your Site with HTTPS for specific steps and tools to check and improve your site's HTTPS configuration, as well as the basic security procedures to go through for your checkout pages.
MemberMouse Security Features
MemberMouse applies strict security controls to password, licensing and payment transactions, and it does not store your customers' payment details; those are stored on your payment processor's servers. A few settings further strengthen the plugin's security and its payment handling:
- Account Sharing Protection (enabled by default) lets you limit the number of distinct IP addresses that can access a single account within a 24 hour period.
- Configuring Stripe to use Stripe.js sends credit card and billing information from the customer's browser directly to Stripe, so it never touches your server.
- Configuring Authorize.net CIM enables Authorize.net's Customer Information Manager, which stores customer payment details on Authorize.net's servers. The Accept.js token exchange is also part of our Authorize.net CIM integration, so credit card and billing information is sent from the browser directly to Authorize.net and never touches your server.
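The Account Sharing Protection setting above limits how many IP addresses can use one account in a day. The following is an added example, not MemberMouse's own code, of how that kind of detection works: it replays constructed access-log lines, keeps a rolling 24-hour window per account, and flags an account the moment the number of distinct client IPs seen in that window exceeds a threshold. The log format, account names and IP addresses are all constructed for the example.

```python
"""Account-sharing detection over a rolling 24-hour window.

Added example (not MemberMouse code). Input lines are constructed and have the
assumed form "<ISO timestamp> <account> <client IP>", one line per request."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (assumption: one line per authenticated request).
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice 203.0.113.10
2024-03-01T09:15:00 alice 203.0.113.10
2024-03-01T12:30:00 alice 198.51.100.7
2024-03-01T18:45:00 alice 192.0.2.55
2024-03-01T20:00:00 alice 203.0.113.99
2024-03-01T08:05:00 bob 198.51.100.20
2024-03-02T09:00:00 bob 203.0.113.44
2024-03-03T10:00:00 bob 192.0.2.1
"""

WINDOW = timedelta(hours=24)


def parse_log(text):
    """Parse log lines into (timestamp, account, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_shared_accounts(events, max_ips=3, window=WINDOW):
    """Return {account: (first_violation_time, sorted_distinct_ips)}.

    An account is flagged the first time the number of distinct IPs that used it
    within the trailing `window` exceeds `max_ips`. Events exactly `window` old
    are still counted; older ones are evicted."""
    recent = defaultdict(deque)  # account -> deque of (ts, ip), oldest first
    flagged = {}
    for ts, account, ip in events:
        q = recent[account]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        distinct = {addr for _, addr in q}
        if len(distinct) > max_ips and account not in flagged:
            flagged[account] = (ts, sorted(distinct))
    return flagged


if __name__ == "__main__":
    for account, (when, ips) in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(ips)} IPs within 24h as of {when.isoformat()}: {ips}")
```

In the sample, alice is used from four addresses within twelve hours and is flagged at the fourth; bob uses three addresses but spread over three days, so no 24-hour window ever holds more than one. When choosing a limit, remember that mobile carriers, carrier-grade NAT and VPNs make the client IP a coarse signal: set it high enough that a single legitimate member moving between home, phone and office is not locked out.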
For more information about how MemberMouse handles recurring billing and payment information, please refer to our article How MemberMouse Handles Recurring Billing.
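The Stripe.js and Accept.js points above only keep card data off your server if the checkout form really posts nothing but the processor's token; a card input that still carries a form field name, for instance, will be submitted to your server alongside the token and pull that server into PCI scope. The following added example (not MemberMouse, Stripe or Authorize.net code) shows a server-side guard for the request your own server receives after the browser has exchanged card data for a token: it requires HTTPS, scans every posted field for anything that looks like a card number (a 13-19 digit run that passes the Luhn check) and refuses the request instead of storing or forwarding it. The field names, the request model and the sample requests are assumptions for illustration.

```python
"""Guard for a tokenized checkout POST: accept only the processor's token.

Added example (not plugin or processor code). The request is modelled as a
plain dict of posted fields plus the URL scheme; field names are assumptions."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits):
    """Standard Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if `value` contains a 13-19 digit run that passes Luhn."""
    for m in DIGIT_RUN.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


class CheckoutRejected(Exception):
    """Raised when a checkout request must not be processed."""


def extract_payment_token(form, scheme, token_field="payment_token"):
    """Return the processor token from a posted form, or raise CheckoutRejected.

    Rejects requests that did not arrive over HTTPS and any request in which a
    field value looks like a raw card number, which means the browser-side form
    is misconfigured and card data reached this server."""
    if scheme != "https":
        raise CheckoutRejected("checkout must be submitted over HTTPS")
    for name, value in form.items():
        if looks_like_pan(str(value)):
            raise CheckoutRejected(
                f"raw card number posted in field {name!r}; "
                "fix the form so card fields never post to this server")
    token = form.get(token_field)
    if not token:
        raise CheckoutRejected("missing payment token")
    return token


def rejects(form, scheme):
    """Convenience wrapper: True if the request is refused."""
    try:
        extract_payment_token(form, scheme)
        return False
    except CheckoutRejected:
        return True


# Constructed sample requests. The token value is a made-up placeholder;
# 4242 4242 4242 4242 is a well-known publicly documented test card number.
GOOD_REQUEST = {"payment_token": "tok_example_123", "email": "a@example.com",
                "order_id": "ORD-20240301-77"}
LEAKY_REQUEST = {"payment_token": "tok_example_123", "email": "a@example.com",
                 "card_number": "4242 4242 4242 4242"}

if __name__ == "__main__":
    print(extract_payment_token(GOOD_REQUEST, "https"))
    print("leaky form rejected:", rejects(LEAKY_REQUEST, "https"))
    print("plain http rejected:", rejects(GOOD_REQUEST, "http"))
```

Two caveats for real deployments: behind a reverse proxy or CDN the application often sees plain HTTP internally, so the scheme check has to read the proxy's forwarded-protocol header rather than the socket; and when the guard trips, log the field name but never the offending value, or the log itself becomes a store of card numbers.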
Make sure the hosting company you use is security minded: it keeps good server firewalls in place, updates all essential software regularly, offers good data backup options, is willing to walk you through the protections in place at the server level and help you harden anything else you need at your account level, and, just as critically, gives you a way to contact them immediately to shut down access and retrieve any logs you need if there is ever a problem.
For further advice on choosing a host provider as well as minimum requirements for running MemberMouse, you can review our article WordPress Hosting Providers.
The WordPress Codex has an extensive article, Hardening WordPress, that covers vulnerabilities, secure file permissions, securing database and admin panel access, and more. You can also look into additional security plugins and solutions in the WordPress Plugins section.
Additionally, keeping WordPress, your plugins, your themes and your PHP version (if you have access to the PHP settings) up to date closes known holes soon after they are found. Also select strong passwords that differ from the passwords you use elsewhere, and set up two-step authentication in Stripe and in any other account that links to or contains your users' data.
So while there are many considerations when accepting payments on your site, keeping up with the areas above substantially mitigates the risks to you and your customers, and some of them, such as sending card data directly to your processor, eliminate certain risks altogether.