PCI Compliance

If you have merchant services (credit card processing), you have probably heard the term "PCI compliance." PCI compliance is now enforced by all agencies as of January 1, 2011. PCI compliance is a set of security standards established by the payment card industry to protect against credit card fraud. By enforcing these standards, the industry lowers the risk of card data being exposed or compromised. The standards apply to every organization that stores, processes, or transmits cardholder data from any type of credit card.

Build and Maintain a Secure Network
This includes installing a firewall configured to protect cardholder data. Do not use default settings supplied by vendors.

Protect Cardholder Data
Protect stored cardholder data, and protect it in transit whenever it leaves your terminal or website. All cardholder information should be encrypted before it is submitted to the bank in any form. Cardholder data should never be stored in your site's database or on your server unless you have bank-level security; the risk is far too high if an attacker gains access.

Maintain a Vulnerability Management Program
Keep your anti-virus software and malware definitions up to date. Develop and maintain secure systems and applications. When choosing a webmaster to design your website, it is important that the section of the site that processes cardholder data is built securely and cannot be compromised.

Implement Strong Access Control Measures
Implementing strong access control can be as simple as restricting cardholder data to the people who need it to do their jobs. Assign each person a separate ID so that you can track who is doing what in the application. Restrict physical access to all cardholder data. For ecommerce, you should never store the credit card data yourself. If your website has recurring billing, you should store the cardholder data on the bank's side and call it each time you need to process a payment.
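The recurring-billing pattern described above keeps only a reference to the card (a token issued by the bank or gateway) and the last four digits in your own records, never the full card number. The following is an added example, not code from the original article: a small checkout record built that way, plus a Luhn-based scanner you can run over your own database exports or log files to confirm that no full card numbers have leaked into them. The `HypotheticalGatewayVault` class is a stand-in for the bank-side storage; a real processor's tokenization API will differ, and the log lines are constructed sample data.

```python
"""Store only a token and last four digits; scan storage for leaked card numbers.

Added example (hypothetical gateway API, constructed sample data); it is not the
article's own code or any real processor's SDK.
"""
import re
from dataclasses import dataclass


class HypotheticalGatewayVault:
    """Stand-in for the bank/gateway vault. In production the full card number
    lives only here, on the processor's side, never in your own database."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}
        self._counter = 0

    def tokenize(self, pan: str) -> str:
        self._counter += 1
        token = f"tok_{self._counter:06d}"   # hypothetical token format
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # The merchant references the card by token; the number never comes back.
        return token in self._store and amount_cents > 0


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's own database is allowed to keep for recurring billing."""
    token: str
    last4: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_card_for_recurring(vault: HypotheticalGatewayVault, pan: str) -> StoredCard:
    """Hand the full number to the vault and keep only token + last four."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("invalid card number")
    token = vault.tokenize(digits)
    return StoredCard(token=token, last4=digits[-4:])


def masked(card: StoredCard) -> str:
    """Display form for statements and admin screens: only the last four digits."""
    return f"**** **** **** {card.last4}"


# 13-19 digits, optional space/dash separators, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number-like strings found in a log or DB export."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample log: line 2 shows a debug statement leaking a full number.
SAMPLE_LOG = """\
2011-01-03 10:02:11 checkout ok token=tok_000001 last4=1111 amount=1999
2011-01-03 10:05:42 DEBUG raw form: card=4111 1111 1111 1111 exp=12/14
2011-01-03 10:06:00 refund id=9876543210 amount=500
"""


if __name__ == "__main__":
    vault = HypotheticalGatewayVault()
    card = store_card_for_recurring(vault, "4111 1111 1111 1111")  # standard test number
    print("stored:", card, "shown as", masked(card))
    print("charge ok:", vault.charge(card.token, 1999))
    print("leaked numbers in log:", find_pans(SAMPLE_LOG))
```

Run the scanner against anything your own systems write to disk (database dumps, web server and application logs, support tickets). A non-empty result means cardholder data is being stored where the article says it must not be, and the writing code path needs to be fixed.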

Regularly Monitor and Test Networks
You should track and monitor all access to your networks and applications handling cardholder data. Test security systems on a regular basis.

Maintain an Information Security Policy
This is a set of standards that your employees must follow when handling sensitive data.

When developing an ecommerce module for a website, there are several requirements you must meet before you will be PCI compliant.

  • DBA Name (as it will appear on your customer's statements) prominently displayed on your homepage.
  • Refund/Cancellation Policy.
  • Privacy Policy.
  • Terms & Conditions.
  • Products/Services and Pricing.
  • SSL with at least 128-bit encryption. 256-bit is available if supported by your SSL provider.
  • Full contact information including phone number.
  • Shipping & Handling method and time from end of sale until item is shipped.

Not being PCI compliant, or having cardholder data compromised, can result in large fines for which the business owner is responsible. It is important to check with your webmaster and IT staff that all bases are covered. Merchant service companies typically send out annual questionnaires to confirm that you are taking the proper measures to remain PCI compliant.