PCI -DSS Compliance
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
CartThrob can easily complete all of its tasks in a manner that fulfils requirements of PCI-DSS. However, it is up to each individual store owner to meet the requirements of PCI-DSS, not just your software. CartThrob is a link in the chain, but you as the store owner must also do some work to maintain PCI-DSS compliance.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on 7 September 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI-DSS is administered and managed by the PCI SSC (http://www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI-DSS is available here.
Basically this means, if you take MasterCard, American Express, Discover and JCB you must be PCI compliant. There is a lot of scaremongering going on about PCI-DSS compliance, but it is a fairly straightforward process. Some of the key tenets of this process are:
- Build and maintain a secure network (don't use default user / pass, don't store data where others can see it).
- Protect cardholder data (encrypt transmission of card data, aka, use HTTPS connections).
- Maintain a vulnerability management program (use anti-virus software and use secure certificates for transactions).
- Implement strong access control measures (restrict info on a need-to-know basis, don't share passwords).
- Regularly monitor and test networks (regularly test your system).
- Maintain an information security policy (make a policy about who gets access to cardholder data).
Though it may sound daunting, most of these things are fairly easy to do in practice. My key advice: keep safety of customer data on your mind. You are the weakest link. Like most ecommerce systems, CartThrob was built with security in mind, and can be made secure simply and effectively. At a minimum, nowhere in CartThrob's system does it store any raw credit card data at any time. Numbers, magnetic stripe data, primary account numbers, and CVV2 numbers are not stored natively by CartThrob. Beyond that critical information, you should still protect customer names, addresses, and phone numbers from unauthorized access.
If you take MasterCard, Visa, American Express, Discover or JCB, you should, at a minimum do the following.
- Obtain and install a secure certificate. Dreamhost sells them for $15. You don't even need to host the website with them to obtain their inexpensive certificate.
- Once your secure certificate is installed, use an HTTPS connection. CartThrob makes this simple by providing the secure_action and secure_return parameters on all forms.
- Don't hand out control panel access to people you don't know, and limit the number of people that can view customer data.
- Most small businesses must fill out the PCI-DSS Guide and Self-Assessment form.
Here's a good place to get started: PCI At-A-Glance Guide
If you feel this is all over your head, please feel free to contact us and we can quickly get you on the right track. We can provide secure hosting services for you, facilitate the purchase of secure certificates, and help you meet all requirements set by PCI-DSS. PCI-DSS is fairly painless, but it always helps to have someone guiding you along. You can be sure that we'll be here to help you.