Everyone who accepts credit or debit card payments online needs to be familiar with, and implement, the Payment Card Industry Data Security Standard (PCI DSS). Compliance is easiest for merchants who never directly handle cardholder data. For example, if your store hands the shopping cart information over to a third-party provider such as PayPal, and customers enter their payment details on that provider’s website before being redirected back to yours, you only need to ensure that the third-party provider you use is PCI DSS compliant. Visa maintains a registry of validated service providers on its website.
The next level of complexity is accepting and transmitting cardholder data yourself. If your website’s server receives the data but passes all card processing to a third-party service provider, verify that the provider has validated PCI DSS compliance, and ensure that all communication with its servers takes place over a valid encrypted connection. In this case it is usually unnecessary to retain cardholder information on your servers once the transaction is complete, so where possible, hold the data only in volatile memory (RAM) and clear it out as soon as the transaction has been processed. At no point should the information be accessible to other processes on the system or to users. Further, take steps to protect against attacks such as code injection.
If cardholder data genuinely needs to be stored long-term on your server, many more steps are required on top of the previous measures. First, the data read from a card’s magnetic stripe, as well as the CVV number, must never be stored after the payment is processed, under any circumstances. Anything that is stored must first be encrypted. The data should be accessible only to those employees with a business “need-to-know,” and every person with access to the system must have a unique login ID and a strong password, ideally changed frequently. Firewall and anti-virus/anti-malware systems should be in place and kept up to date. No passwords should be left at their system or manufacturer defaults. Never transmit the information over a network unencrypted. In short, everywhere the data goes must be well protected from every direction, and those protections must be regularly tested and updated.
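The two storage rules above (keep card data only transiently in RAM and wipe it once processed; if anything is kept, encrypt it and never keep stripe data or the CVV) look like this in code. This is an added example, not code from the article: the struct names, the PAN masking to first six and last four digits, the AES-256-GCM choice, the fixed demo key and the well-known test card number are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// CardInput is the transient per-transaction input; CVV and track data are sensitive authentication data and must never survive authorization.
type CardInput struct {
	PAN, CVV, TrackData []byte
	Expiry              string
}

// StoredCard is the only shape that may be persisted: a masked PAN for display and the full PAN under AES-256-GCM, with the expiry bound as associated data.
type StoredCard struct {
	MaskedPAN, Expiry string
	Nonce, PANCipher  []byte
}

// maskPAN keeps at most the first six and last four digits of the PAN.
func maskPAN(pan []byte) string {
	if len(pan) < 13 { return strings.Repeat("*", len(pan)) } // too short to mask safely
	return string(pan[:6]) + strings.Repeat("*", len(pan)-10) + string(pan[len(pan)-4:])
}

// prepareForStorage encrypts what may be kept and then zeroes the caller's
// buffers so no cardholder data lingers in process memory afterwards.
func prepareForStorage(in *CardInput, key []byte) (StoredCard, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return StoredCard{}, err }
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return StoredCard{}, err }
	rec := StoredCard{MaskedPAN: maskPAN(in.PAN), Expiry: in.Expiry, Nonce: nonce,
		PANCipher: gcm.Seal(nil, nonce, in.PAN, []byte(in.Expiry))}
	for _, buf := range [][]byte{in.PAN, in.CVV, in.TrackData} {
		for i := range buf { buf[i] = 0 } // overwrite in place so the data is gone from RAM
	}
	return rec, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys come from a KMS/HSM
	in := &CardInput{PAN: []byte("4111111111111111"), CVV: []byte("123"), Expiry: "12/27"} // constructed test card
	rec, err := prepareForStorage(in, key)
	fmt.Println(rec.MaskedPAN, len(rec.PANCipher), err, in.CVV) // 411111******1111 32 <nil> [0 0 0]
}
```

The CVV and track data are never copied into the stored record at all, so there is nothing to forget to delete later; only the encrypted PAN and its mask leave the function.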
Note that depending on how your website is hosted, some of these responsibilities may lie with your hosting provider. Even then, you remain responsible for making sure that your hosting provider follows all the necessary steps to protect the data transmitted and stored in its systems, including keeping its protection measures regularly updated. Never assume that anyone is PCI compliant: look through the feature list or contact customer support if necessary. If your host does not meet or exceed PCI requirements, get a different host.
Keep in mind that this is meant to be a brief overview of the steps needed to secure client data on the web and is not fully comprehensive. You should absolutely read the detailed technical information straight from the source, the PCI Security Standards Council.