Compliance With E-Commerce Sites – WPQuickies

What regulations and laws do your e-commerce site need to comply with to trade online legally?

What Is Online Business Compliance?

In most countries, online businesses must comply with regulations and laws, especially those that directly trade commodities and services.

Regulations and laws may differ depending on which country or state your business is conducted in, so you will need to look up those specific to your business situation.

Do I Need To Comply?

Yes, you do!

Various governmental and regulatory agencies put rules in place to protect consumers.

Proclaiming “I didn’t know I should be compliant with that!” will not work. In this case, ignorance is not a valid defence.

The consequences of not complying with regulations and laws are severe and could result in:

• Taxation audits and investigations (very costly)
• Fines in the millions of dollars range
• Business shut-down
• Jail time

Significant E-Commerce Regulations

Here are the four significant e-commerce regulations that you should be aware of for compliance;

• GDPR
• PCI DSS
• COPPA
• Shipping

GDPR

GDPR, the General Data Protection Regulation, offers privacy protection to users when browsing or shopping online.

The regulation was ratified by the European Commission (EU) and requires websites to notify EU users of what data they collect and how the information is collected, processed and used.

Even if your business is based outside the EU, if you are directly targeting EU users, this regulation will apply to you.

GDPR is also known as the “Cookie Law” because the regulation covers the disclosure of data collected in cookies on a user’s local web browser.

PCI Compliance

PCI stands for Payment Card Industry which has a Security Standards Council oversight.

The Security Standard Council sets the Payment Card Industry Data Security Standard  (PCI DSS) guidelines to protect the security of credit card payments.

Ecommerce businesses must comply with PCI standards to ensure credit card data and payments accepted from branded credit cards (such as Visa or MasterCard) are handled accordingly and uphold the strictest privacy measures.

There are 12 PCI DSS requirements.

1. Build, maintain, and secure networks by installing firewalls

Choose a credible web host or install your firewall plugin such as Wordfence.

2. Don’t use vendor-supplied default settings

Default vendor settings such as usernames and passwords are widely documented and available to hackers and could be used as an attack vector in your systems.

3. Protect all cardholder data

Even if you are not storing the actual credit card information, you still need to protect the additional cardholder data such as name, email, phone and physical address.

4. Encrypt transmission of cardholder data

All cardholder data needs to be transmitted using SSL encryption. 

SSL certificates are issued freely through the Let’s Encrypt organisation, so there is no excuse not to have your entire site running on the HTTPS protocol.

You’ll also receive a slight SEO benefit from Google if your entire site runs on HTTPS.

5. Maintain a policy that addresses information security

Ensure you regularly keep your WordPress website, theme and plugins up-to-date to apply the latest security patches.

Also, ensure that you and your customers use secure usernames and passwords, ideally using multifactor authentication.

This also covers any third-party systems connected to your e-commerce sites, such as CRMs or EMS’.

6. Install and actively update anti-virus software

Your web host provider should have this covered on the web server. 

However, as a shop manager and website owner, you need to have anti-virus software installed on the local computers you use to manage your websites.

7. Restrict access to cardholder data on a need-to-know basis

If you are storing cardholder (customer) data on your e-commerce website, WooCommerce registrations, for example, ensure that only those who need access to that data can obtain it.

Restrict user roles and levels. Don’t make everyone an administrator, editor or shop manager.

8. Restrict physical access to data

Whether customer data is stored in data centres, paper copies, or workstations, necessary measures must be taken on-site to ensure the data stays secure. 

Do you download CSV sales or purchase reports from your e-commerce site to your local machine?  You need to protect that data too!

9. Assign a unique ID for all user access

This requirement is for tracking or tracing in the case of a security breach.

WordPress gives each registered user a unique ID; usually, an email address is unique to a single person.

10. Regularly test security systems and processes

You should regularly update your WordPress core, theme and plugins to the latest versions.

You should also be aware of how your website system is set up and actively ensure that all entry points are updated and secure.

Keep up with notifications and announcements from software that makes up your business systems.

11. Track and monitor network access

Your web host provider will do this on your behalf for your website.  

If you have customer data on a local network or in the cloud that you share with your employees, you may need to implement monitoring software to comply with this directive.

12. Maintain a policy to address information security

The policy addresses the usage of critical technology, how to implement a risk-assessment process and the information security responsibilities of all personnel. 

The information security policy needs to be maintained annually and record changes.

COPPA

Every website (e-commerce or otherwise) that targets minors in the USA are subject to the Children’s Online Privacy Protection Act (COPPA). 

COPPA was signed into US law in 1998 and sought to protect children’s data from being collected without their consent.

Even if your website is hosted outside the USA, if you directly target children from the USA, your website should comply with COPPA.

Because COPPA is a US-based regulation, it would be difficult but not impossible for them to act against a foreign or Australian business.

However, Australia does protect the consent and collection of children’s data under the Privacy Act 1988, which you should most definitely comply with if your target audience includes kids.

Shipping Compliances

Shipping companies and couriers will have restrictions on certain items they will not ship.

Restricted items could include aerosols, dry ice, gas bottles, explosives and weapons.

Some countries also ban importing and exporting certain commodities, so check with your couriers to see which items are restricted.

Also, check with your country’s government trade body to see what items you can and can’t import and export.

In Australia, you can check the Australian Border Force (ABF) website for restrictions across state borders, the Australian Government website for import and export laws and DFAT for trade agreements with other countries.

Other Legals For Your Website

There are other legal requirements that your general business website should comply with, such as privacy policy, terms and conditions, disclaimer, code of conduct etc.

I have a blog post with an infographic explaining what legal pages you need on your website.

Summary

Compliance and legal requirements are often overlooked in the website design process and the day-to-day operation of running an online business.

Ensure your online business complies with the rules, regulations, and laws of your business operations.

Do you still have questions about e-commerce compliance?

Ask in the comments below.

#WPQuickies

Join me every Thursday at 1 pm Sydney time for some more WPQuickies – WordPress tips and tricks in thirty minutes or less.

Broadcasting live on YouTube and Facebook.

Suggest a #WPQuickies Topic

If you have a WordPress topic you want to see explained in 30 mins or under, fill out the form below.

https://forms.gle/mMWCNd3L2cyDFBA57

Watch Previous WPQuickies