Tuesday, February 9, 2010
The Technical Side of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) lays out 12 technical and procedural requirements for protecting cardholder data (the card number and the data that travels with it) wherever an online merchant transmits, processes, or stores it.
To accept credit cards as a form of online payment, merchants are expected to comply with PCI DSS. In an effort to meet that requirement, online stores dutifully encrypt data in transit with Secure Sockets Layer (SSL) or even extended validation SSL certificates, which is good, and adopt a policy of not storing credit card data, which is also important. What is often overlooked, however, is that an online store is responsible for every credit card number that passes through (touches, if you will) its web servers, whether or not the store meant to handle it.
So some stores fall out of compliance simply by not recognizing where card data actually goes. A card number submitted in a URL query string lands in the web server's access log; a debug or error log that dumps the request body captures it; and a number that passes through the merchant's server during the transaction can be stolen there if that server is compromised, even when the merchant believes the payment processor is the only party that ever sees it.
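The log-leakage problem described above, as an added example that is not part of the original post: a small Python scrubber that scans log lines for 13 to 19 digit runs, keeps only those that pass the Luhn check (so order numbers and timestamps are not flagged), and masks each hit to its first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed for this example and use the card brands' published test numbers, not real cardholder data; `SAMPLE_LOG_LINES` and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). The card numbers
# are the well-known brand test numbers, which pass Luhn but are not live PANs.
SAMPLE_LOG_LINES = [
    '127.0.0.1 - - [09/Feb/2010:10:15:32 +0000] "GET /checkout?card=4111111111111111&exp=0312 HTTP/1.1" 200 512',
    'DEBUG payment payload {"pan": "5500 0000 0000 0004", "amount": "19.99"}',
    'INFO order 1234567890123456 confirmed for customer 42',
    'ERROR gateway timeout, retrying with card 3782-822463-10005',
]

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (so 22-digit IDs are skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Working from the right, every second digit (starting with the one next
    to the check digit) is doubled, with 9 subtracted when the double exceeds 9.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(text: str) -> str:
    return re.sub(r"[ -]", "", text)


def find_pans(line: str) -> List[Tuple[str, str]]:
    """Return (matched_text, bare_digits) for every Luhn-valid candidate in a line."""
    hits = []
    for m in CANDIDATE_RE.finditer(line):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Replace each Luhn-valid candidate in the line with its masked form."""
    def repl(m: "re.Match") -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)  # not a card number, leave it alone
    return CANDIDATE_RE.sub(repl, line)


def scan_log(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (line_number, pan_count) for each line that contains a PAN."""
    report = []
    for n, line in enumerate(lines, start=1):
        count = len(find_pans(line))
        if count:
            report.append((n, count))
    return report


if __name__ == "__main__":
    for n, count in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {count} card number(s) found")
    for line in SAMPLE_LOG_LINES:
        print(scrub_line(line))
```

The Luhn filter is what makes a scan like this usable on real logs: plain 16-digit regexes drown in false positives from order IDs and timestamps. Note that the scrubber is a detective control for data that has already leaked; the fix is to stop card numbers reaching the server (or at least the logs) in the first place, for example by never accepting them in a GET query string and by never logging raw request bodies on checkout paths.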
While you don't need to be a web developer to understand PCI DSS, being familiar with its technical side helps you confirm that your business is doing everything it can and should to protect customer credit card data.
Source: practicalecommerce