
BigCommerce is Getting Ready for PCI DSS 4.0



At BigCommerce, we endeavor to provide our merchants with all the tools they need for success, along with the peace of mind that comes from a robust set of security measures. 

With PCI DSS 4.0 set to replace v3.2.1 on March 31, 2024, we’re working hard to ensure our servers are compliant with the new standards and ready for the compliance deadline on March 31, 2025. With that in mind, we are implementing new security features and requirements that will help you to make sure your ecommerce store is PCI compliant.

Security features to help you meet PCI compliance requirements

Meeting PCI compliance requirements is a shared responsibility between you and BigCommerce. Generally, if you haven’t customized your checkout in a way that affects the flow of card payments, you can rely on BigCommerce’s PCI Attestation of Compliance (AOC). If you’re unsure of what your compliance requirements and obligations are, you can fill out the PCI DSS Self-Assessment Questionnaire (SAQ) for guidance. To help you reach and maintain compliance, BigCommerce has implemented several security features designed to mitigate the threat of malicious code sneaking into your store’s checkout pages.

Partnering with Reflectiz for payment security

We’ve partnered with Reflectiz, a cybersecurity platform that scans your store’s checkout pages for malicious JavaScript and other unusual activity designed to steal your customers’ payment information.

To help you comply with PCI DSS requirements, your store will be automatically onboarded to Reflectiz. The process is automated, and there will be no disruptions to shoppers’ experience on your storefront. 

Reflectiz works by mimicking a shopper’s behavior on your storefront, going through the checkout process while scanning each page for malicious code or other activities. If any code is detected, Reflectiz will alert our Security team so we can notify you of what was found along with any actions taken. 

Adding an extra layer of security to your checkout scripts

Using scripts to customize your checkout pages can open your store up to malicious attacks and attempts to steal your shoppers’ credit card information. To combat this, we’ve added support for Subresource Integrity (SRI) hashes in Script Manager.

An SRI hash is a cryptographic digest of a script’s expected contents, supplied in the script tag’s integrity attribute. Before running a script that carries an integrity attribute, the browser hashes the file it actually fetched and refuses to load the script if the result doesn’t match the expected hash. This helps mitigate web skimming attacks on your store by making sure a modified or infected script can’t execute on your checkout pages.

Keeping a justification record of why each script is used on your checkout pages is also part of PCI 4.0 compliance requirements. To make this requirement more manageable, we include a designated Description field directly in Script Manager.

Script Manager Description

You aren’t required to use this field and you can keep your justification records elsewhere, but you may find it useful to keep it all easily accessible in one place.  

Making passwords difficult to steal

In our efforts to reach compliance with PCI 4.0 requirements, we implemented a 12-character minimum length for all passwords at the end of 2023. In combination with our 90-day password reset cycle, all BigCommerce store passwords will be PCI compliant by the end of March 2024.

The longer minimum password length and 90-day reset cycle will help to ensure a higher security level for your store by making your password harder to steal.

The final word

For more information on our Script Manager enhancements, see Using Script Manager in the Help Center. 

You can read more about Reflectiz and how it helps to keep your checkout pages safe and secure with our Understanding Reflectiz for PCI Compliance article in the Help Center. 

To learn more about the new minimum password length requirements and 90-day password reset cycle, see Logging into Your Store.

We strive to help you create an engaging shopping experience for your customers, with the knowledge that their payments are safe and secure every time a purchase is made. With these new tools and the knowledge that BigCommerce works hard to maintain PCI compliance on our platform, you can manage your business with peace of mind, knowing that your shoppers’ payments are quick, easy, and safe.