PCI Compliance: What, When Why and How?

Feb 9, 2021 | Blog, Website Security

Introduction

Keeping your website secure is a crucial part of maintaining its overall health and reputation. Cybersecurity includes three things: Confidentiality, Integrity, and Availability. If your website cannot keep your visitors’ data safe, it isn’t secure (confidentiality). If the information gets changed on the website, it doesn’t have integrity. And if it is completely down, well… then it’s down.

In previous blog posts, we’ve written about things you can do to better secure your website. Here’s a couple articles:

All website owners should work to keep their websites secure. It’s just good business to do so. But websites that serve some industries must abide by policies and regulations to stay in business.

I always tell customers that simply abiding by a policy or regulation is not a good information security practice. Complying with a policy for compliance sake won’t keep your website secure. Security is much more than adhering to  certain rules for websites in a specific industry. Nevertheless, a wholistic approach to security may very well include one (ore more) regulations.

HIPAA (Health Insurance Portability and Accountability Act) is one such statute. Signed into federal law in 1996, it  regulates how websites handle people’s private health information.

But PCI compliance is what I’m going to write about for the rest of this blog post.

 

PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of standards that websites must adhere to when they accept credit card payments through their website. Many of the major credit card companies formed a nonprofit organization to help merchants and vendors implement these standards for better website security.

There are different levels of compliance that companies have to adhere to, depending on how, and where, they accept payments (the PCI standards also have rules that govern the cybersecurity inside a physical store, for example).

For websites, rules include things like:

  • The website must have a TLS (SSL) certificate.
  • The website must not store credit card numbers unless absolutely necessary.
  • The website must secure (encrypt) all traffic between itself and its credit card merchant.
  • If at all possible, SSH to the server that hosts the website must be behind a firewall. In otherwords, SSH must not be open to the whole wide world. 

The standards only apply to websites that accept credit card numbers directly. If your website redirects visitors to PayPal, Google Pay, or some other 3rd party payment processor, then your website does NOT have to conform to the PCI standards. 

The Security Standards Council has a lot of introductory material that can be accessed here

I hope this blog post was helpful. If you need help getting your website PCI compliant, check out our services. We’d be happy to discuss what it will take to migrate your website onto one of our fully managed Virtual Private Servers so that you can become fully compliant. 

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Why Choose Barred Owl Web?

The Barred Owl Web team is technically proficient, extremely responsive and provides a high level of customer satisfaction.  We highly recommend Barred Owl Web for web development, technical, and customer support.
– Enrique Fiallo, Director of Technology, NET Institute

Barred Owl Web is the hosting company to call first for nonprofits. Their solutions-oriented, customer – and client – focused approach to web hosting provides agencies the ability to consistently and reliably get their messages out to those who need to hear it. You can count on Barred Owl Web to be responsive to the unique needs of your agency. Barred Owl Web’s customer service is exceptional, and it is kind. Contact them and see for yourself!
Rebecca Whelchel, Executive Director, Metropolitan Ministries (MetMin)

Barred Owl Web has always been responsive to our needs as a small nonprofit. They have helped us immensely with issues like Web server security updates and PCI compliance.
Evan Donovan, Web Developer, Tech Mission

Contact Us

423.693.4234
info@barredowlweb.com

P.O. Box 21514
Chattanooga, TN 37424

3 + 1 =