Keeping your website secure is a crucial part of maintaining its overall health and reputation. Cybersecurity includes three things: Confidentiality, Integrity, and Availability. If your website cannot keep your visitors’ data safe, it isn’t secure (confidentiality). If the information gets changed on the website, it doesn’t have integrity. And if it is completely down, well… then it’s down.
In previous blog posts, we’ve written about things you can do to better secure your website. Here’s a couple articles:
All website owners should work to keep their websites secure. It’s just good business to do so. But websites that serve some industries must abide by policies and regulations to stay in business.
I always tell customers that simply abiding by a policy or regulation is not a good information security practice. Complying with a policy for compliance sake won’t keep your website secure. Security is much more than adhering to certain rules for websites in a specific industry. Nevertheless, a wholistic approach to security may very well include one (ore more) regulations.
HIPAA (Health Insurance Portability and Accountability Act) is one such statute. Signed into federal law in 1996, it regulates how websites handle people’s private health information.
But PCI compliance is what I’m going to write about for the rest of this blog post.
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of standards that websites must adhere to when they accept credit card payments through their website. Many of the major credit card companies formed a nonprofit organization to help merchants and vendors implement these standards for better website security.
There are different levels of compliance that companies have to adhere to, depending on how, and where, they accept payments (the PCI standards also have rules that govern the cybersecurity inside a physical store, for example).
For websites, rules include things like:
- The website must have a TLS (SSL) certificate.
- The website must not store credit card numbers unless absolutely necessary.
- The website must secure (encrypt) all traffic between itself and its credit card merchant.
- If at all possible, SSH to the server that hosts the website must be behind a firewall. In otherwords, SSH must not be open to the whole wide world.
The standards only apply to websites that accept credit card numbers directly. If your website redirects visitors to PayPal, Google Pay, or some other 3rd party payment processor, then your website does NOT have to conform to the PCI standards.
The Security Standards Council has a lot of introductory material that can be accessed here.
I hope this blog post was helpful. If you need help getting your website PCI compliant, check out our services. We’d be happy to discuss what it will take to migrate your website onto one of our fully managed Virtual Private Servers so that you can become fully compliant.