Processing Credit Cards Online
If your company accepts credit cards online, or plans to, you should be aware of the security requirements it is obligated to implement. All Internet merchants, not just large companies, are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The obligation is contractual rather than statutory: it flows from the card brands through your acquiring bank and your merchant agreement, but it is no less binding for that. A merchant that is not compliant can have large fines imposed on it or, worse, lose the ability to process credit cards at all.
For the small business owner, reaching PCI compliance takes real work, and it should be noted that unless a hosting provider specifically states otherwise, shared hosting accounts are NOT PCI compliant. Providers typically sell compliance as a separate add-on rather than as part of the base plan. GoDaddy, for example, does not treat its shared hosting as PCI compliant unless you add on its E-Commerce and Shopping Cart Software. As of this post, its service agreement states that the hosting is NOT PCI compliant: "The Services are not intended to provide a PCI (Payment Card Industry) compliant environment and therefore should not be considered as one." Its dedicated servers carry the same disclaimer: "The Dedicated Services are not intended to provide a PCI (Payment Card Industry) compliant environment and therefore should not be considered as one." The practical consequence is that if card numbers ever pass through or are stored on such a server, that server is in scope for PCI, and the compliance burden falls on you, not on the host.
The twelve PCI DSS requirements, grouped under six control objectives, are detailed here and summarized as follows:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
A Self-Assessment Questionnaire (SAQ) is available at the PCI Security Standards Council website. Which version applies depends on how your site handles card data. A merchant that fully outsources payment handling to a validated third party, so that no cardholder data ever touches its own servers, may qualify for the short SAQ A; a merchant whose own pages collect, transmit or store card data falls under the much longer SAQ D, which is where most self-hosted shopping carts land. Read through the requirements for the questionnaire that matches your setup; the form gives step by step instructions on what needs to be done to ensure compliance.
It may also help to have a third party verify your PCI compliance status. This not only gives your visitors peace of mind, it can give you peace of mind as well by confirming that your site stays compliant over time rather than only on the day you filled in the questionnaire. For as little as $79 a year Comodo offers PCI compliance scanning. Two other well known services are ControlScan and McAfee (previously ScanAlert). Whichever vendor you pick, check that it is an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council, since only an ASV's scan counts toward the quarterly external vulnerability scan requirement.
Depending on your transaction volume, which determines your merchant level, your acquirer and the major card brands can require these quarterly scans and proof that you passed them.