eTrust Pro & PCI Compliance
Credit card companies are pushing really hard for websites to become PCI compliant, and for good reason. You must secure cardholder data to protect your customers' information and to meet Payment Card Industry rules.
What is PCI Compliant?
PCI compliance scanning and certification is a process that makes sure your website follows the credit card industry's requirements for keeping your customers' data safe and secure. Making sure your website is PCI compliant could save you from losing thousands of dollars in fines and penalties should your server get hacked into.
Basic PCI Terminology:
- PCI : Acronym for "Payment Card Industry."
- PCI SSC : Acronym for "PCI Security Standards Council."
- DSS : Acronym for "Data Security Standard" and also referred to as "PCI DSS."
- DNS : Acronym for "Domain Name System" or "domain name server." System that stores information associated with domain names in a distributed database on networks such as the Internet.
- Encryption : Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
- Encryption Algorithm : A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again.
- Entity : Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.
For the full PCI glossary of terms go here.
Small merchants are prime targets for data thieves. It's your job to protect cardholder data once they submit it to your website.
If cardholder data is stolen - and it's your fault - you could incur fines, penalties, even termination of the right to accept credit cards!
According to the PCI SSC, more than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005. Now criminals are shifting their sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants. If you are at fault for a security breach, the business fallout can be severe:
- Fines and penalties
- Termination of your merchant account
- Lost income, because you can't accept credit cards
- Being blacklisted, so you will never be able to accept credit cards again
- Legal costs, settlements and judgments
- Going out of business
What sensitive cardholder data do I protect?
Everything at the end of a red arrow is sensitive cardholder data. Anything from the back of the card, including the CID, must never be stored. Everything else you store must be kept for a good business reason, and that data must be protected. PCI DSS explains how. Read more.
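As an added example (not eTrust Pro's code or anything from the page), here is a small Python pre-storage check that encodes the rule above: reject any record that carries CID/CVV or magnetic-stripe (track) data, and truncate the PAN before it is written so only the first six and last four digits remain, which is one of the methods PCI DSS accepts for rendering a stored PAN unreadable (encryption or tokenization are the alternatives when the full number is genuinely needed). It also scans free-text fields so a card number pasted into an order note does not slip into the database. The field names and sample values are assumptions made for illustration.

```python
"""Pre-storage check for cardholder data records.

Added example, not eTrust Pro code. Field names (pan, cid, notes, ...) and
the sample record below are assumptions for illustration only.
"""
import re

# Sensitive authentication data: PCI DSS forbids storing these after
# authorization, so a record carrying any of them is rejected outright.
FORBIDDEN_FIELDS = {"cid", "cvv", "cvv2", "cvc", "cvc2",
                    "track1", "track2", "pin", "pin_block"}

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded
# in a longer digit sequence. Used to catch PANs pasted into free text.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class SensitiveDataError(ValueError):
    """Raised when a record contains data that must never be persisted."""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first 6 + last 4 digits; raise if it is not a PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans_in_text(text: str) -> str:
    """Replace any Luhn-valid card number found in free text with its masked form."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of `record` that is safe to persist, or raise.

    - any forbidden field (CID/CVV, track data, PIN) -> SensitiveDataError
    - the 'pan' field is truncated
    - every other string field is scanned for stray card numbers
    """
    offending = sorted(k for k in record if k.lower() in FORBIDDEN_FIELDS)
    if offending:
        raise SensitiveDataError(
            f"refusing to store sensitive authentication data: {offending}")
    safe = {}
    for key, value in record.items():
        if key.lower() == "pan":
            safe[key] = mask_pan(value)
        elif isinstance(value, str):
            safe[key] = redact_pans_in_text(value)
        else:
            safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed sample using the well-known 4111... Visa test number.
    order = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/29",
        "notes": "Customer called about card 4111-1111-1111-1111 refund",
    }
    print(sanitize_for_storage(order))
    try:
        sanitize_for_storage({"pan": "4111111111111111", "CID": "123"})
    except SensitiveDataError as err:
        print("rejected:", err)
```

Run this check at the boundary where order data enters your database or log pipeline, not only on the checkout form: the free-text scan exists precisely because cardholder data tends to leak through notes, support tickets and debug logs rather than the card field itself.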
You can sleep better at night knowing eTrust Pro scans your website for over 28,000 known vulnerabilities, which helps protect your site from hackers.
We also add hundreds of new vulnerabilities every month to ensure that your site is always up to date with the latest protective measures.
Do I need to be PCI Compliant?
If you do not have your own merchant account and use only PayPal, Yahoo Shopping, Google Checkout, or another third-party payment system, chances are you do not have to worry about PCI scanning or compliance. Those payment processors are already PCI compliant.
The only time you need to worry about PCI compliance is if you have a merchant account and are storing sensitive customer data, such as credit card information, on your servers.
If you are a merchant that accepts credit/debit cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements from your merchant account provider.
Specific compliance requirements
- American Express : www.americanexpress.com/datasecurity
- Discover Financial Services : www.discovernetwork.com/fraudsecurity/disc.html
- MasterCard Worldwide : www.mastercard.com/sdp
- Visa Inc : www.visa.com/cisp
- Visa Europe : www.visaeurope.com/ais
- JCB International : www.jcb-global.com/english/pci/index.html
To learn more about PCI compliance visit the official PCI SSC website.