Payment Card Industry Data Security Standard (PCI DSS)

Protect your customers and your business

Protecting your customers and yourself from credit card fraud is a major consideration in e-commerce. Any business accepting online credit card payments needs to consider whether they need to be PCI DSS compliant. PCI DSS has been developed to combat online credit card fraud.

The risks

The risk to your business of credit card fraud is high. There has been a significant increase in online fraud. The impact of fraud is not only a loss of revenue but could mean that your business suffers:

• A fine imposed by your bank
• A forensic investigation that you will have to fund
• A reclassification of your merchant status
• A major loss of faith by your customers – which could fatally damage your business

Payment Card Industry Data Security Standard (PCI DSS) aims to protect the individual’s personal information through proper security when credit card transactions are processed. The PCI DSS was set up by the Payment Card Industry Security Standards Council. The founder members of the Council include American Express, MasterCard and Visa.

6 requirements of PCI DSS

Under PCI DSS, you as the merchant must:

Build and maintain a secure network

• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor supplied defaults for system passwords and other security parameters.

Protect cardholder data

• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Programme

• Use and regularly update anti-virus software.
• Develop and maintain secure systems and applications.

Implement strong access control measures

• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Regularly monitor and test networks

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain an information security policy

• Maintain a policy that addresses information security.

PCI for e-commerce

The major elements of PCI compliance that affect e-commerce are:

Storing the Card Verification Value (CVV) number is prohibited. You are not allowed to store the three-digit CVV number under any circumstances.

Protecting the primary account number (PAN). PAN is the 14 or 16 digit code across the front of the credit card. This has to be available to those with a need to access it, otherwise it must be masked. The PAN must be encrypted when stored and when transmitted.

Compliance with the Payment Application Data Security Standard (PA DSS). This applies to all third party e-commerce software. It sets out the security requirements for processing credit card transactions. Your e-commerce software must be PA DSS compliant.

Helping you achieve PCI

Protecting your customers’ data is central to how Xanthos create and launch your e-commerce website. Xanthos only works with PA DSS certified e-commerce software to make sure that your store is safe and secure.

Be safe, be compliant!