BigCommerce PCI Compliance Scans Blocked: Unraveling Merchant Responsibilities
Navigating the complexities of PCI DSS (Payment Card Industry Data Security Standard) compliance is a critical aspect of running any e-commerce business. For BigCommerce merchants, this often involves ensuring their store passes the regular external vulnerability scans that PCI DSS requires, typically run quarterly by an Approved Scanning Vendor (ASV) on the merchant's public-facing hosts. However, what happens when these crucial scans are repeatedly blocked, leaving a merchant in a frustrating loop between their scanning provider and platform support?
This was the precise dilemma faced by Travis Joyce, a BigCommerce merchant attempting to get his store scanned for compliance through Aperia via PCI Apply. For months, Travis reported that Aperia's scans were consistently blocked. Despite Aperia claiming they were scanning in a "normal manner," and repeated attempts to engage both BigCommerce support and Aperia, no resolution was found. Both companies, according to Travis, would close his cases, reiterating a default process without offering a path forward. This left Travis feeling "completely stuck," seeking community insight on similar experiences or effective ways to facilitate communication between BigCommerce and third-party compliance providers.
The Community Weighs In: Clarifying PCI Responsibility
The BigCommerce community, specifically Daniel Olvera from Trepoly.com, offered a crucial piece of advice that helps clarify the often-confused lines of responsibility in PCI compliance for platform users. Daniel's response highlighted a key distinction:
- Customizations and API Calls: If a BigCommerce store incorporates any customizations to its storefront or checkout process via API calls, the merchant is directly responsible for ensuring that all these custom connections and integrations are PCI compliant. This means any third-party apps, custom scripts, or direct API integrations that handle or interact with payment data fall under the merchant's compliance scope.
- Standard BigCommerce Functionality: For stores that rely solely on BigCommerce's out-of-the-box functionality without custom API integrations affecting the checkout or payment process, BigCommerce provides an Attestation of PCI DSS Compliance. This document confirms that the BigCommerce platform itself adheres to PCI standards, thereby covering the merchant for the platform's core services.
Daniel also directed Travis to the official BigCommerce support article on PCI Compliance, which serves as an essential resource for merchants to understand their role and BigCommerce's responsibilities in maintaining a secure payment environment.
Key Takeaways for BigCommerce Merchants
This thread, while brief, underscores a vital point for all BigCommerce store owners: understanding the scope of your PCI compliance responsibility. Customizations are what set that scope. Any custom code, third-party app, or API integration that touches the checkout or payment flow is the merchant's to validate and maintain, so reviewing your store for such components is a necessary first step whether or not a scan is having trouble. A blocked scan itself is usually a different problem from scope: an external vulnerability scan can only succeed if the scanner's traffic actually reaches the store, so any firewall, WAF, bot-management, or rate-limiting control in front of it has to be configured to admit the scanning vendor's published source addresses, and the vendor needs to know how the store is hosted so it can distinguish a security control refusing its requests from a real finding. Bringing the scanner's source ranges and a clear statement of who operates the edge protection for the store to both support teams gives them something concrete to act on instead of a default process to restate.
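One concrete way to carry out the review described above for the script side of a checkout page is to inventory every script the page loads and flag the ones that are third-party or lack integrity protection, which is also what PCI DSS v4.0 requirement 6.4.3 asks merchants to keep for payment pages. The following is an added example, not code from the thread, from BigCommerce, or from Aperia; the HTML and the domain names are constructed for illustration, and the set of first-party hosts is a hypothetical list a merchant would fill in from their own records.

```python
"""Inventory the <script> tags on a saved checkout page and flag what needs review.

Added example with constructed input; standard library only.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party theme script, a platform CDN script
# with Subresource Integrity, a third-party app widget, and an inline snippet.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://store.example.com/assets/theme.js"></script>
<script src="https://cdn.platform-example.net/checkout.js" integrity="sha384-abc"></script>
<script src="https://widgets.thirdparty-example.com/reviews.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>
"""

# Hypothetical hosts the merchant controls or the platform documents as its own.
FIRST_PARTY_HOSTS = {"store.example.com", "cdn.platform-example.net"}


class ScriptCollector(HTMLParser):
    """Collects external scripts (src + integrity attribute) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append({"src": attr["src"], "integrity": attr.get("integrity")})
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so buffer them here.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.append({"src": None, "sha256": hashlib.sha256(body).hexdigest()})
            self._in_inline = False


def inventory_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """One record per script: origin class, host, and whether SRI is present."""
    parser = ScriptCollector()
    parser.feed(html)
    records = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline code has no src to pin; record its hash so changes are detectable.
            records.append({"origin": "inline", "src": None, "host": None,
                            "sha256": s["sha256"], "sri": False})
            continue
        host = urlparse(s["src"]).hostname or ""
        origin = "first-party" if host in first_party_hosts else "third-party"
        records.append({"origin": origin, "src": s["src"], "host": host,
                        "sri": s["integrity"] is not None})
    return records


def review_findings(records):
    """Scripts the merchant must justify: any third-party load, or an external
    script without an integrity attribute (inline scripts are tracked by hash)."""
    return [r for r in records
            if r["origin"] == "third-party" or (r["origin"] == "first-party" and not r["sri"])]


if __name__ == "__main__":
    recs = inventory_scripts(SAMPLE_CHECKOUT_HTML)
    for r in recs:
        print(r)
    print("needs review:", len(review_findings(recs)))
```

Run it against the HTML of your own checkout page saved from a browser, with FIRST_PARTY_HOSTS replaced by the hosts you actually control; every third-party entry in the output is something whose compliance the merchant, not the platform, is answerable for.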
For merchants operating a purely standard BigCommerce store, the platform's Attestation of PCI DSS Compliance is a valuable asset: it documents the controls BigCommerce operates, so it is what you present to an acquirer or scanning provider for the platform's portion of the environment. It does not replace your own annual validation, which for a hosted checkout is typically a self-assessment questionnaire covering what remains under your control. Even then, ensuring that your store configuration, theme, and any installed apps do not inadvertently introduce vulnerabilities is paramount. This community interaction serves as a reminder that while BigCommerce handles the heavy lifting of platform-level PCI compliance, merchants must remain vigilant about their own operational and development choices.
Ultimately, clear communication and a thorough understanding of where BigCommerce's PCI responsibility ends and the merchant's begins are crucial for successfully navigating compliance scans and maintaining a secure e-commerce presence.