PCI Compliance: What, When, Why and How?

Feb 9, 2021 | Blog, Website Security

Introduction

Keeping your website secure is a crucial part of maintaining its overall health and reputation. Cybersecurity includes three things: Confidentiality, Integrity, and Availability. If your website cannot keep your visitors’ data safe, it isn’t secure (confidentiality). If the information gets changed on the website, it doesn’t have integrity. And if it is completely down, well… then it’s down.

In previous blog posts, we’ve written about things you can do to better secure your website. Here are a couple of articles:

All website owners should work to keep their websites secure. It’s just good business to do so. But websites that serve some industries must abide by policies and regulations to stay in business.

I always tell customers that simply abiding by a policy or regulation is not a good information security practice. Complying with a policy for compliance’s sake won’t keep your website secure. Security is much more than adhering to certain rules for websites in a specific industry. Nevertheless, a holistic approach to security may very well include one (or more) regulations.

HIPAA (Health Insurance Portability and Accountability Act) is one such statute. Signed into federal law in 1996, it regulates how websites handle people’s private health information.

But PCI compliance is what I’m going to write about for the rest of this blog post.


PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of standards that websites must adhere to when they accept credit card payments through their website. Many of the major credit card companies formed a nonprofit organization to help merchants and vendors implement these standards for better website security.

There are different levels of compliance that companies have to adhere to, depending on how, and where, they accept payments (the PCI standards also have rules that govern the cybersecurity inside a physical store, for example).

For websites, rules include things like:

  • The website must have a TLS (SSL) certificate.
  • The website must not store credit card numbers unless absolutely necessary.
  • The website must secure (encrypt) all traffic between itself and its credit card merchant.
  • If at all possible, SSH to the server that hosts the website must be behind a firewall. In other words, SSH must not be open to the whole wide world.

The standards only apply to websites that accept credit card numbers directly. If your website redirects visitors to PayPal, Google Pay, or some other 3rd party payment processor, then your website does NOT have to conform to the PCI standards. 

The Security Standards Council has a lot of introductory material that can be accessed here.

I hope this blog post was helpful. If you need help getting your website PCI compliant, check out our services. We’d be happy to discuss what it will take to migrate your website onto one of our fully managed Virtual Private Servers so that you can become fully compliant. 
