
2017 PCI compliance

PCI compliance (or PCI DSS compliance) has become quite complicated and demanding in 2017. You may have received a notification about it from your merchant account provider, your payment gateway, your hosting provider, your webmaster, or another party. Today, we will review what it all means and the steps you need to take to stay in compliance and be legally protected. Understand that this post focuses on website compliance only; there is much more to the standard than that.

What is PCI compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. It was established by the Payment Card Industry Security Standards Council. It is a set of specific procedures and policies meant to protect and safeguard your clients’ financial information (their credit card and billing information for instance) as well as your company or organization. Anyone accepting payments for products or services rendered has to adhere to these rules without exception.

The number of PCI compliance requirements has grown substantially in the past 24 months due to increased security concerns, especially for websites selling online and accepting credit card payments. Hacking is at an all-time high and, in addition to website security measures, a company or organization accepting payments has to do more to protect its customers' data. So you not only need to protect your website but also need to secure your clients' data both online and offline.

For additional details, we encourage you to visit the PCI Security Standards Council's official website.

What are the current requirements?

Below are the main requirements as noted by the Payment Card Industry Security Standards Council.

  • Your website needs a website firewall to protect credit cardholders' information. At Business Website Center, we use SiteLock. The program is installed on your website's server by your webmaster, hosting provider, or firewall company. Your merchant account provider must have its own firewall protection; that is the law. And finally, your office computer network should be protected with a firewall.
  • Once the data is stored in your system or with a third-party vendor, it needs to be fully protected.
  • When someone buys something on your site, the transmission of the credit card data between your payment page and your payment gateway (like Authorize.net) must be encrypted. This is done by having an SSL certificate installed. Typically, you would purchase the SSL certificate directly from your hosting provider. Once installed, it will enable your clients to use https (with an S) instead of http. In addition, you would want your webmaster to force all website traffic to go through https. This means that if a visitor types in http://yourdomain… the page will automatically switch to https. Make sure to confirm that your hosting provider has TLS 1.2 enabled as the security protocol on their server. Large providers like GoDaddy already have it in place, but not all providers do.
  • Anti-virus software needs to be installed on your site. Again, we use SiteLock, which scans the website daily for malware and security weaknesses.
  • You must have a security policy in place for your website and train your staff, or whoever manages your website, on the required procedures.
  • Applications on the website need to be kept updated with the latest, most secure version. A good example is WordPress: to be in compliance, you need to have the newest version in place.
  • Access to online information needs to be fully secured with strong usernames and passwords. We also recommend a CAPTCHA system for the login page as well as a second login step (two-factor authentication) if available.
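The third requirement above (force all traffic through https and confirm TLS 1.2) is usually handled on the web server. The following is an added example for an Apache server, not configuration from the original post, SiteLock, or any hosting provider. It assumes mod_rewrite, mod_ssl and mod_headers are enabled (standard on most shared WordPress hosts), uses www.example.com as a placeholder hostname, and uses placeholder certificate paths. The first part goes in the site's .htaccess; the second is a virtual host block that only the hosting provider or a server administrator can edit. The HSTS header at the end goes slightly beyond the post: it tells browsers that have visited once to use https directly on later visits.

```apache
# ---- Part 1: .htaccess in the website root ----
RewriteEngine On

# Weak version (do not use): this only redirects the home page, so every
# other URL, including the payment page, stays reachable over plain http.
# RewriteRule ^$ https://www.example.com/ [R=301,L]

# Corrected: if the request did not arrive over TLS, send a permanent
# (301) redirect to the same host and path over https. Visitors who type
# http://www.example.com/checkout land on https://www.example.com/checkout.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# ---- Part 2: virtual host on the server (provider or admin access) ----
<VirtualHost *:443>
    ServerName www.example.com            # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /path/to/certificate.crt   # placeholder path
    SSLCertificateKeyFile /path/to/private.key       # placeholder path

    # Weak: "SSLProtocol all" still permits SSLv3, TLS 1.0 and TLS 1.1.
    # Corrected: disable every version, then re-enable only TLS 1.2,
    # which is the version the post tells you to confirm with your host.
    SSLProtocol -all +TLSv1.2

    # Browsers that have seen this header go straight to https for a year.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the result, type the http:// address of any inner page into a browser and confirm it switches to https://; then run the domain through Qualys SSL Labs, which lists the protocol versions the server accepts and will show whether TLS 1.2 is the only one offered.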

Check out SiteLock Products for PCI Compliance

What should you do next?

First check with your webmaster, your merchant account, and payment gateway (sometimes the gateway and merchant account are one and the same). Ask them if they handle the PCI compliance for your website and hold the responsibility.

There are also many websites now that can verify that you are in compliance. Simply search Google to find who does it and what the cost is. A good site for checking your server's SSL/TLS configuration is Qualys SSL Labs.

[Image: PCI Compliance and Website Data Protection]

Questions about this subject?


Never hesitate to contact our friendly team by phone at (707) 794-9999 (Pacific Standard Time) or by email here. Have a successful day!

© 2017
| Business Website Center, Inc. | All Rights Reserved