Every week a client calls or emails with PCI compliance issues. Usually they merchant account provider has initiated a software scan of their website and created a report showing at least 5 or 6 items that are ‘serious’ issues. While the credit card companies and major banks such as BoA, JPM, Citi that own majority stake of them, along with the merchant account companies, use PCI standards and regulations as a way to push liability for data breaches to businesses that accept the cards from end users. They have a vast set of compliance regulations (https://www.pcisecuritystandards.org/) in place that make it nearly impossible and largely uneconomical for small business to abide. However, if you want to be complaint these are some of the items you need to look at:
- Use a software scanning company to check your site. They will give you a report that shows some of the items that you need to change on your site, hosting account, security setup, and more.
- Look at using a secure firewall / vpn appliance like the Cisco ASA 5505 to secure your server (cloud, dedicated, or colo). You have to use a separate application firewall to protect your data – not the firewall built into the OS and not a shared firewall.
- Encrypt your communications from end users with SSL certificate. Use SSL 3, not 2.
- Once the data makes it to your server, encrypt it there. Encrypt the database. Make sure any backups are encrypted.
- Most all shared servers are inherently not PCI complaint. Despite what the low-cost, shared hosting providers say. They guarantee compliance, say everything is secure, etc for $1.95 per month. What do you think is going happen if there is a problem. You will find out that their terms of service didn’t allow you use their service if you were actually accepting credit cards (this really happened to one of our newer clients), they have all sorts of options that you have to ask for to really get compliance (all adding to the price), etc.
There is more, but you’ll have to email us to find out. Thanks for reading.