What is Payment Card Industry Data Security Standard (PCI DSS)
Do I need to be PCI DSS compliant?
Costs for taking payments on your website using a hosted payment gateway
Additional costs incurred in order to take payments directly on your website thereby storing, processing and/or transmitting
Which Self-Assessment Questionnaires (SAQ) do you have to complete?
| SAQ | Who completes it |
|---|---|
| A | Card-not-present merchants (e-commerce, mail or telephone order) that do not store, process or transmit cardholder data (CHD) on their own systems; all cardholder data functions are outsourced to compliant third-party providers. Does not apply to face-to-face merchants. |
| B | Merchants that do not store electronic cardholder data and take payments only with an imprint machine and/or standalone, dial-out terminals. |
| C-VT | Merchants that key in one transaction at a time through a web-based virtual terminal and do not store electronic cardholder data. |
| C | Merchants whose payment application system is connected to the Internet and who do not store electronic cardholder data. If the payment application comes from a software vendor, the vendor's application must itself meet PCI requirements; the merchant remains responsible for deploying it securely. |
| D | Every merchant not covered by the categories above, and all service providers that a payment brand has defined as eligible to complete an SAQ. |
What do you need to know most about PCI compliance as a website owner?
The 12 requirements for PCI DSS compliance (wording taken from PCI DSS v2; later versions reorganise and expand these requirements, so check the version your acquirer currently asks you to assess against)

| Control objective | Requirement |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data | 3. Protect stored cardholder data. |
| | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software or programs. |
| | 6. Develop and maintain secure systems and applications. |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need to know. |
| | 8. Assign a unique ID to each person with computer access. |
| | 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data. |
| | 11. Regularly test security systems and processes. |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel. |