What is PCI compliance?
PCI (Payment Card Industry) compliance is a Data Security Standard (PCI DSS) is a set of requirements compiled by the PCI Security Standards Council. The PCI SSC is made up of businesses associated with credit card providers, debit card providers, credit card/debit processors, and card pre-pay providers. The standards created by the PCI SCC are guidelines to process, store or transmit credit card information while maintaining a secure environment.
Listed below are 12 requirements needed for maintaining a secure PCI compliant operation
- Firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Cardholder data stored and protected
- Encrypted transmission of cardholder data across open, public networks
- Regularly updated anti-virus software
- Maintain secure systems and applications
- Restricted access to cardholder data by business
- Unique ID assigned to each person with computer access
- Restricted physical access to cardholder data
- All access to network resources and cardholder data tracked and monitored
- Security systems and processes regularly tested
- Information security policy maintained
Do I need my site to be PCI compliant?
Many sites do not need to be PCI compliant. If you have not been told that PCI compliance is absolutely necessary, you may not need it. The best approach is usually to evaluate the needs of your site and examine the list of requirements above.
If it is determined that you will need PCI compliance, you should work with your internal teams to come up with a strategy on how to become PCI compliant. Making sure your site is PCI compliant is not supported by (mt) Media Temple. While we can assist with some aspects of PCI compliance, meeting the full requirements listed above will be up to you.
Can I host a PCI compliant site on the Grid?
Because of its shared environment, sites will not meet PCI compliance if they are hosted on the Grid. This does not mean that eCommerce on the Grid is impossible. Many well-known eCommerce sites do not require PCI compliance, and SSL certificates may still be used to verify the validity of a site and create encrypted connections to transfer information securely across HTTPS. However, without a dedicated hosting environment, the PCI Security Standards Council compliance cannot be met.
Payment gateway services may also be used to satisfy a need for PCI compliance. Some of these include PayPal, Amazon Webpay, Google Wallet, Authorize.net, etc.
If you have any further questions on PCI compliance you may refer to the following sites.