Website Legal Requirements 6 – PCI DSS
The sixth blog of my Website Legal Requirements series explains how the Payment Card Industry Data Security Standard (PCI DSS) affects not only your e-commerce site but also the server your website is hosted on, and what you should do in order to comply.
The Payment Card Industry Data Security Standard (PCI DSS) was created to help prevent credit card fraud at organisations that process credit or debit card payments. It strengthens the controls around cardholder data and reduces exposure to compromise. The standard applies to every organisation that holds, processes, or transmits cardholder information from any card carrying the logo of one of the card brands.
The PCI DSS industry standard includes 12 key requirements for organisations that accept or process card payments:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for passwords or other security parameters
- Protect stored data
- Encrypt the transmission of cardholder data and sensitive information
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
How Does This Affect My Website?
It is not only your website that is affected, but also the server your website is hosted on. You should check with your web host, developer and e-commerce system provider that:
- you have a suitable firewall on the server
- system passwords are secure
- if you store credit/debit card data, it is protected
- the website has a suitable SSL certificate to encrypt transmitted data
- the server uses anti-virus software
- the systems are secure and access is granted only to those who need it.
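One way card data ends up "stored" without anyone intending it is by leaking into server or application logs, which touches both the "protect stored data" requirement and the "track and monitor" one above. The following is an added example, not code from the original post: a small Python check that scans log lines for unmasked card numbers (Luhn-validated, so order numbers and phone numbers are not flagged) and reports each hit in the masked form PCI DSS permits for display, first six and last four digits. The log lines and the card numbers in them are constructed for the example; the card numbers are the widely published payment-gateway test numbers, not real cards.

```python
import re

# Luhn check used by all major card brands. Candidate digit runs that fail it
# are not card numbers, which keeps order ids and phone numbers out of the report.
def luhn_valid(digits: str) -> bool:
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the most PCI DSS allows on display: first six and last four digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13 to 19 digits, optionally grouped with spaces or hyphens (e.g. "4111 1111 1111 1111").
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number (digits only) found in a piece of text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for each log line that contains an unmasked PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample log lines (not from any real system). Lines 2 and 3 leak full
# card numbers; line 4 is a 13-digit phone number that fails Luhn; line 5 is already masked.
SAMPLE_LOG = [
    "2023-01-05 10:12:01 INFO  order=100045 status=paid",
    "2023-01-05 10:12:03 DEBUG charge request card=4111 1111 1111 1111 amount=49.90",
    "2023-01-05 10:12:04 DEBUG charge request card=5555-5555-5555-4444 amount=12.00",
    "2023-01-05 10:12:05 INFO  customer phone=0123456789012 ok",
    "2023-01-05 10:12:06 INFO  card=411111******1111 masked ok",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: unmasked card number present ({masked})")
```

Run it over a copy of your web or application log; any hit means card data is being written somewhere it should not be, and the logging statement that produced it (here the DEBUG charge request) needs to be masked or removed. The check reports the masked form only, so the report itself does not become another copy of the card number.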