Securing your website, no matter what kind of website it is, can be a big job. Most of what you need to do comes down to common sense and awareness. We don't expect you to know how to sanitize (or, better, parameterize) database queries, but we do expect you to know that there are resources and standards to use and follow. This post, deliberately kept very simple, will help you get on board with PCI DSS compliance. Remember, June 30th, 2012 is D-Day: all merchants accepting credit cards will be required to be PCI compliant.
I suggest you start with the first post in this series, PCI, Passwords & Aggravation.
Welcome back. Now let's get on with securing your website.
If you accept credit cards on your website (that is, people enter a credit card number on your site) you are required to be PCI DSS compliant as of June 30th, 2012. There are no excuses, exclusions, or get-out-of-jail-free cards. Man up and get to work.
- The very first thing you need to do is limit and control access to your website and web hosting. Whenever possible, limit each person's access to what their task requires: don't give the order processor access to your whole admin panel, and don't give the guy uploading images over FTP access to the root of the site. Each person must have their own individual, unique login, so all 10 employees cannot share the same credentials (with a shared login you also cannot tell who did what).
- Use strong passwords: 8 characters or more, with upper and lower case letters, numbers and symbols where possible. Do not use names or real words in them. Do not use the same password for more than one application. Do not store them unprotected or send them electronically.
- Change ALL passwords associated with your website every 60-90 days (PCI DSS requires a change at least every 90 days). Log each change with the date and the person who made it, but NOT the password itself. This means PayPal, payment gateways, admin, hosting, email, etc.
- Contact your merchant bank and find out how they want you to provide your compliance credentials. They may have a specific PCI scanner they want you to use (which is really BS; you should be allowed to use whomever you want as long as they are a PCI Approved Scanning Vendor, or ASV). Fill out your SAQ (help with SAQ), get your scans done at least quarterly and submit them to your merchant bank. We use Trust Guard because we like the seals, they use an approved scanning vendor, and the price is very reasonable (not the cheapest, but excellent service at a less-than-average price).
- Keep server software, website software and computer software of any kind up to date. For example, if you use Zen Cart, when you click on version
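The password-strength and rotation rules in the bullets above, as an added example that is not part of the original post: a small Python script that checks a candidate password against the 8-character, mixed-class rule, rejects passwords built from names or dictionary words (including the usual letter-for-digit swaps such as P@ssw0rd), and audits a password change log that records who changed which login and when, but never the password itself. The blocklist, the log entries and the audit date are constructed for the illustration; the 90-day limit is the upper end of the post's 60-90 day range.

```python
"""Password policy check and rotation audit for a small web shop.

Added illustration, not code from the original post. The blocklist, the
change log and the audit date below are constructed for the example.
"""
import re
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # the post's "8 characters or more"
MAX_AGE_DAYS = 90       # upper end of the post's 60-90 day rotation window
AUDIT_DATE = date(2012, 6, 30)   # constructed: the day the audit is run

# Constructed blocklist: names and real words that must not appear in a password.
BLOCKED_WORDS = {"password", "admin", "zencart", "paypal", "summer", "john"}

# Undo common letter-for-digit swaps so "P@ssw0rd" is still recognised as "password".
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "l", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case the password, undo leetspeak substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET_TABLE))


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    letters = normalize(pw)
    for word in sorted(BLOCKED_WORDS):
        if word in letters:
            problems.append("contains blocked word '%s'" % word)
    return problems


# Constructed change log: who rotated which login and when. No passwords are stored.
CHANGE_LOG = [
    {"system": "hosting", "user": "alice", "changed": date(2012, 1, 5)},
    {"system": "hosting", "user": "bob", "changed": date(2012, 3, 20)},
    {"system": "paypal", "user": "alice", "changed": date(2012, 4, 2)},
    {"system": "ftp", "user": "carol", "changed": date(2011, 11, 1)},
]


def overdue_rotations(log, today, max_age_days=MAX_AGE_DAYS):
    """Return sorted (system, user) pairs whose most recent change is older than max_age_days."""
    latest = {}
    for entry in log:
        key = (entry["system"], entry["user"])
        if key not in latest or entry["changed"] > latest[key]:
            latest[key] = entry["changed"]
    cutoff = today - timedelta(days=max_age_days)
    return sorted(key for key, changed in latest.items() if changed < cutoff)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "summer2012", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
    for system, user in overdue_rotations(CHANGE_LOG, AUDIT_DATE):
        print("rotation overdue:", system, user)
```

Two points worth noting. First, a complexity check alone lets P@ssw0rd through, because it has every character class the rule asks for; the blocklist with leetspeak normalization is what catches it, which is why the post's "no names or real words" rule matters as much as the class rule. Second, the change log holds only a system, a person and a date, so it can be kept in a shared spreadsheet or ticket without ever becoming a password store.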