As a merchant, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS); requirements compiled by the major credit/debit card brands for consistent data security measures. This regulation applies to all who process credit and debit cards whether your organization is online or a physical storefront. The size of your organization doesn’t change the main requirements. This is put in place to protect the sensitive information of your customers.
If you accept less than 20,000 e-commerce transactions per year, or less than 1 million transactions per year, you don’t have to hire an outside evaluation. If you accept more than 1 million transactions or 20,000 e-commerce transactions per year, you must have an annual self-assessment questionnaire and quarterly network scans.
To be PCI Compliant, you must:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters. Create your own secure password for every device on your network.
- Encrypt stored cardholder data (not all data can be legally stored on your network).
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to your cardholder data to employees that “need to know”.
- Assign a unique ID to each person with computer access to customer data.
- Restrict physical access to cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
- Encrypt transmission of cardholder data across open/public networks.
SSL and early TLS are completely outdated and cannot be used to send any cardholder data after June 30 2016. It is highly recommended to use the newest version of TLS (1.2 at the time of writing). SSL should not be used under any circumstance.
To find the necessary paperwork, approved providers, and more information go to https://www.pcisecuritystandards.org/index.php.