PCI Compliance Part-1

What is PCI Compliance and why does it matter for online merchants?

Visa, MasterCard, JCB, Amex and other major credit card (CC) issuers introduced a security standard called the PCI (Payment Card Industry) standard to secure personal information and ensure security when online payments are processed using payment cards. If you accept credit card payments online, you must comply with these PCI standards. If you electronically store cardholder data after authorization, or if your processing systems have any internet connectivity, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required. You may gain a competitive advantage by reassuring customers that you are authorized to accept credit cards by placing a high-visibility trust indicator on your website.

It’s a set of 12 specific requirements that cover six different goals. It’s very prescriptive: it says not only that you need to be secure but also how to become secure. It’s more about security than compliance. The goals include building and maintaining a secure network, protecting cardholder data, and regularly monitoring and testing the networks. That’s the main standard. We manage three different standards; the first one covers everything from physical security to logical security.

Failure to meet compliance standards can result in fines from credit card companies and banks. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.

I have already installed an SSL certificate. Am I PCI compliant if I have an SSL certificate?

No. SSL certificates do not secure a web server from malicious attacks or intrusions. High-assurance SSL certificates provide the first tier of customer security and reassurance, such as the items below, but there are other steps needed to achieve PCI compliance.

• A secure connection between the customer’s browser and the web server
• Validation that the website operators are a legitimate, legally accountable organization

Soon I’ll let you know detailed information about PCI standards. Until then, you may directly ask me for server security tips.

Author: Gaurav Maniar – MCITP – Windows Server Specialist
Window Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure