Every merchant account provider is now requiring all of its customers to meet PCI compliance. This does not apply only to those receiving funds online; however, additional steps do have to be taken on your website if you are receiving money online.
What is PCI? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment; essentially, it applies to any merchant that has a Merchant ID (MID). You can read more at https://www.pcisecuritystandards.org/index.shtml or in your merchant agreement.
While it may seem like a moving target, as updated standards are regularly imposed and the 70-page document can get technical and overwhelming, being PCI compliant does not have to be costly. As long as you have good security practices in place for managing your data, and a hosting provider and programmer who will support your online needs, being PCI compliant can be simplified.
The largest part of being PCI compliant is just having good data security and management practices, which are good to have when dealing with any customer data. You must protect your customer data, not store credit cards unnecessarily, secure your network connections, make sure everyone who accesses this data has a unique ID, keep logs so you know who does what with the data, and of course, perform regular security checks. Small companies can often complete internal checks, while larger companies are required to have an approved third party perform the checks.
As for your website, the most common PCI mistakes I see are:
- Not using SSL (TLS) for pages that accept credit cards, or for administration sites where credit cards are retrieved.
- Storing credit card information in a database for an undetermined amount of time.
- Emailing credit card information.
The easiest way to be PCI Compliant Online is to use a Gateway to handle all of your credit card transactions and be sure to use an SSL when sending the data to the Gateway. Your Gateway will be compliant.
As for your hosting provider, most quality hosting providers will take care of keeping your server PCI compliant. There are times that a port may be open on your site for other purposes and will not compromise your site, but can be turned off to meet the security guidelines.
Most merchants will provide free online security testing every quarter. They will give you all the information you need to take corrective action, and automatically perform the test for you. You can even fill out a check list for your internal checks. You are also given a grace period of 30 days to become compliant if you fail the security checks.
Therefore, being PCI compliant can be easy with the right IT support to back you, and most merchants, developers and hosting companies offer free consulting to assist you in becoming compliant, as well as specialized paid consultants for more advanced needs.