3. Becoming ‘PCI Compliant’ If You Accept Credit Cards


All businesses that accept credit and debit cards using an integrated payment application and/or e-commerce website should follow these general guidelines.


See Chapter 1, Securing Sensitive Data (Additional Resources), for specific guidance.

  • Do regularly monitor and test networks/systems that have payment card data.
  • Do implement and enforce a company Information Security Policy.
  • Do install, and keep up to date, a firewall that protects cardholder data stored within company systems.
  • Do assign every employee with computer access a unique ID, and require a robust password (e.g., a mix of letters, numbers, and symbols) that is changed frequently (every 45-60 days).
  • Do restrict physical access to company systems and records with cardholder data to only those employees with a business “need-to-know.”
  • Do encrypt cardholder data if transmitting it over wireless or open, public networks.
  • Do use and regularly update anti-virus software.
  • Do keep company systems and applications secure (e.g., a sound, frequently run process to update all computers with necessary patches, a process for identifying system/application vulnerabilities, etc.).
  • Do ensure any e-commerce payment solutions are tested to prevent programming vulnerabilities like SQL injection.
  • Do use a Payment Application Data Security Standard (PA-DSS) compliant payment application listed on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/vpa/.
  • Do verify that any third-party service provider you use that handles cardholder data has validated PCI DSS compliance by visiting the PCI Security Standards Council website at www.pcisecuritystandards.org.


  • Don't store magnetic stripe cardholder data or the CVV or CVC code (the additional security number on the back of credit cards) after authorization.
  • Don't use vendor-supplied or default system passwords or common/weak passwords.
  • Don't store cardholder data in any systems in clear text (i.e., unencrypted).
  • Don't leave remote access applications in an "always on" mode.

Only 10% of US small businesses have a formal Internet security policy.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.