Let's kick this short document off with what we are talking about here.
What is PCI DSS?
Back in 2004 the payment card industry founded a security standards council that manages the standard, better described as a minimum set of security requirements to be implemented by all merchants and service providers that handle sensitive credit card data. On June 30th, 2005 the regulations took effect as the PCI Data Security Standard. So, this is a good thing: everyone should be PCI compliant, and looking after not only payment card information but all customer data should be paramount. We have highlighted the outline for being PCI compliant below:
1. Security
   a) Install and maintain a firewall configuration to protect data
2. Protection
   a) Protect stored data (use encryption)
   b) Encrypt transmission of cardholder data and sensitive information across public networks
3. VPM (Vulnerability Management Program)
   a) Use and regularly update anti-virus software
   b) Develop and maintain secure systems and applications
4. Strong Access Control Measures
   a) Restrict access to data by business need-to-know
   b) Assign a unique ID to each person with computer access
   c) Restrict physical access to cardholder data
5. Monitor and Test
   a) Track and monitor all access to network resources and cardholder data
   b) Regularly test security systems and processes
6. Information Security Policy
   a) Maintain a policy that addresses information security

So this is all pretty straightforward, and what we would call basic housekeeping on customer data. What does this really mean to you if you run an online store? We have gathered up some quick FAQs for you to have a read.
I use Paypal, do I need to do all of this? Which Paypal service you use determines how much of the PCI burden is shifted from you to Paypal. At the end of the day, you still have to get a consumer from your website to Paypal and back again, so you are likely to be liable for certain elements of the PCI compliance transaction.
I don't store card data on my servers, do I need to be PCI compliant? As above, you are still liable for certain elements of PCI compliance and need to review your own internal security policies in depth. If you have any questions regarding PCI compliance, contact your acquiring bank.