Website Legal Requirements 6 – PCI DSS

5th October, 2009 in Website Policy

The sixth blog of my Website Legal Requirements series explains how the Payment Card Industry Data Security Standard (PCI DSS) affects not only your e-commerce site but also the server your website runs on, and what you should do in order to comply.


The Payment Card Industry Data Security Standard (PCI DSS) was created to help prevent credit card fraud at organisations that process credit or debit card payments. It requires tighter controls around cardholder data and so reduces the exposure of that data to compromise. The standard applies to all organisations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

The industry standard PCI DSS includes 12 key requirements for organisations that accept or process card payments:

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for passwords or other security parameters
  3. Protect stored data
  4. Encrypt the transmission of cardholder data and sensitive information
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

How Does This Affect My Website?

It is not only your website that is affected, but also the server your website is hosted on. You should check with your web hosting provider and e-commerce system provider that:

  • you have a suitable firewall on the server
  • system passwords are secure
  • if you store credit/debit card data, it is protected
  • the website has a suitable SSL certificate to encrypt transmitted data
  • the server uses anti-virus software
  • the systems are secure and access is only granted to those who need it.



Peter 25th September, 2012 at 11:59 am

PCI DSS is not a legal requirement. It may be a contractual requirement for doing business and is mandated by the card schemes and acquiring banks.


charles denyer 28th December, 2014 at 15:17 pm

Laurence, good comments on PCI that everyone needs to be aware of. As a licensed PCI-QSA, I can tell you that the two most challenging aspects of PCI compliance are (1) determining which of the Self-Assessment Questionnaires (SAQ) to use (they seem to keep adding more!) and (2) developing all the mandated information security and operational policies and procedures for PCI compliance. With the introduction of SAQ A-EP, the laundry list of SAQ documents keeps getting longer and more complex. Additionally, if you look at the actual PCI standards, there are literally dozens of mandated policies and procedures that must be in place for both merchants and service providers. Luckily, you can find free and cost-effective templates online for download. And don't forget that security awareness training is also mandated, which is highly essential not just for compliance with PCI, but from an information security best practices perspective.
