Your Members and PCI Compliance
The Payment Card Industry is a standards body which provides guidelines on handling data security, especially data revolving around finances and card data. This standard is international and is monitored by the PCI Security Standards Council; in addition, local countries and provinces may have their own rules and regulations.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that all businesses who handle credit or debit card payments must comply with. Every business that handles payments of any sort should regularly review its business practice to make sure it is compliant and, if it is required to take steps under PCI-DSS, it is also good practice to always have an established written “Minimum Security Standard”.
Is Your Members Software PCI-DSS Compliant?
A piece of software cannot itself be “compliant”; it can have vulnerabilities or perform an action that would make a site non-compliant. It is the site and the business that need to be compliant, not the software. Your Members, however, helps with compliance.
Your Members Software ships with “Hosted” payment gateways. These gateways collect credit card data on the payment gateway’s own site, meaning the business has no direct access to the payment data, which significantly lowers the overall risk in terms of PCI-DSS compliance. For most businesses this method of payment will mean that they will not need to undergo any form of auditing and may not be required to do a self assessment, though doing so is still good practice. It is worth noting that you are still responsible for the security of your payments, but it will be your gateway’s responsibility to maintain its own PCI-DSS compliance.
Your Members does not ship with any “Direct” processing gateways. This method involves sending credit card details to the payment gateway via your own server. Businesses that do “Direct” card processing are at a high risk and must meet the PCI-DSS standards for processing themselves, in addition to their payment gateway meeting the standards.
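To make the difference between the two gateway types concrete, the following is an added illustration and not code from Your Members or Coding Futures. It shows a WordPress-style checkout that hands the shopper off to a hosted gateway page: the merchant server only ever sees an order id, an amount and a return URL, and signs those with a shared secret so the gateway can detect tampering. The gateway URL, the field names, the `ym_example_` prefix and the `verify_gateway_callback()` helper are all hypothetical placeholders; a real gateway documents its own parameters and signing scheme.

```php
<?php
// Added example (hypothetical names, not the plugin's own code).
// HOSTED flow: the card number never reaches this server. The browser
// submits card details directly to the gateway's hosted page, so the
// merchant site stays out of the card-data environment.

const YM_EXAMPLE_GATEWAY_URL = 'https://hosted-gateway.example/pay'; // placeholder
const YM_EXAMPLE_RETURN_URL  = 'https://shop.example/checkout/return'; // placeholder

/**
 * Build the hidden fields for the hosted-gateway redirect form.
 * Only non-card data is included; the HMAC lets the gateway reject
 * any form whose amount or order id was altered in the browser.
 */
function ym_example_hosted_fields(string $order_id, int $amount_pence, string $secret): array {
    $fields = [
        'order_id'   => $order_id,
        'amount'     => (string) $amount_pence,   // minor units, e.g. 1999 = £19.99
        'currency'   => 'GBP',
        'return_url' => YM_EXAMPLE_RETURN_URL,
    ];
    // Sign the fields in a fixed order so both sides compute the same digest.
    $fields['signature'] = hash_hmac('sha256', implode('|', $fields), $secret);
    return $fields;
}

/** Render the redirect form; note there is no card_number / cvv input here. */
function ym_example_render_hosted_form(array $fields): string {
    $html = '<form method="post" action="' . esc_url(YM_EXAMPLE_GATEWAY_URL) . '">';
    foreach ($fields as $name => $value) {
        $html .= '<input type="hidden" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '">';
    }
    return $html . '<button type="submit">Pay securely on the gateway</button></form>';
}

/**
 * Verify the gateway's callback before marking an order paid.
 * Recomputes the HMAC over the echoed fields with hash_equals() to avoid
 * timing leaks, then checks the gateway's own status flag.
 */
function ym_example_verify_gateway_callback(array $post, string $secret): bool {
    $required = ['order_id', 'amount', 'currency', 'return_url', 'status', 'signature'];
    foreach ($required as $key) {
        if (!isset($post[$key])) {
            return false;
        }
    }
    $signed   = implode('|', [$post['order_id'], $post['amount'], $post['currency'], $post['return_url'], $post['status']]);
    $expected = hash_hmac('sha256', $signed, $secret);
    return hash_equals($expected, (string) $post['signature']) && $post['status'] === 'approved';
}

// By contrast, a DIRECT handler would read $_POST['card_number'] and forward
// it to the gateway from this server. Every hop that touches that value
// (web server, PHP, logs, backups) then falls inside PCI-DSS scope, which is
// why the plugin does not ship such a gateway.
```

The `esc_url()` and `esc_attr()` calls are WordPress's own escaping helpers; outside WordPress, replace them with `htmlspecialchars()`. The key point for scope is visible in the form builder: if no field on your server ever carries a PAN, CVV or expiry, the self assessment questions about card storage and transmission are answered by the gateway, not by you.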
What do I have to do?
If you are using one of the default gateways then, beyond general security (including hardening of WordPress), maintaining your minimum security standard and having a data security policy, you will not have to do anything apart from the annual self assessment. Your payment gateway should be able to provide you with answers to virtually all the questions on the assessment, as the emphasis is on their security.
If you are using a custom-built direct gateway then you will need to undergo full PCI-DSS compliance and, depending on transaction value and volume, will be expected to do, as a minimum, quarterly scans and an annual self assessment (for which you and your host will need to provide the majority of the answers). Failure to do so could result in your payment provider revoking your access, blocking by major card companies such as VISA and MasterCard, as well as litigation.
It is important to note that simply having an SSL certificate does not make you compliant on its own!
Can Coding Futures help me with PCI Compliance?
If you have any questions we would be happy to answer them. We can help discuss what your minimum requirements are and where you need to go. We can also help with things like security scans, setting up SSL certificates and general security guidelines. For more information please contact sales@codingfutures.co.uk