This is part 4 in our series about compliance requirements with the PCI Data Security Standards (PCI DSS).
We've taken the last 3 Daily Nuggets to explain items #1 and #2 shown below. We know this information is both boring and frightening at the same time. It's a necessary evil in understanding what you need to do for website security and jewelry store network security.
The Security Standards Council created PCI Standards to protect cardholder information from being stolen.
Here's our list of topics with links next to the previous day's Nuggets.
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting
3. Security used in payment card applications
Unless you are developing your own software you really won't have control over the security used in the payment card applications you use. These "applications" refer to the internal communication between your point-of-sale computer and your payment processing company, and the communication between your website and your online payment processing company.
To accept online customer payment card information you need to set up a secure certificate (an SSL/TLS certificate) on your website. The secure certificate encrypts all communications between the customer's browser and your site, so no one can eavesdrop and capture the credit card information as it's being sent to you.
Similarly, your website or POS needs to encrypt all communications to and from the payment processing company. As we said, this is usually out of your control, but there are steps to ensure you are protected.
The PCI Security Standards Council publishes a list of all certified software companies that have passed PCI Compliance testing. This full list of software companies is quite long, but you probably won't find any jewelry POS listed on it. You will find a few of the popular e-commerce gateway programs, but even that specific list is very short.
Don't worry though; just make sure your website company and your POS company state their PCI Compliance in their sales literature or contracts.
With regard to your website, even if your web development company or website software says it's PCI compliant, you will need to prove it. That proof is done through routine testing for security holes, which we will explain on Wednesday this week.
We're not trying to frighten you with all these technical security worries; we just want to make sure you understand them. If you're serious about creating an e-commerce jewelry website, you need to have a basic understanding of this stuff.