Massive losses are made each year due to credit card fraud and so to combat it, the Payment Card Industry (PCI) have created stringent data security standards (DSS) for online retailers to adhere to.
Any WHMCS user that uses a merchant account such as Authorize.net, BluePay, SagePay, etc… or offline credit card processing and therefore has credit card details passing through their website must comply with the PCI DSS controls and processes. Anyone who doesn’t risks costly fines should a breach occur.
There are 12 core requirements for meeting the PCI DSS, divided up into 6 key groups:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
It is important to note that while WHMCS is an integral part of the chain in obtaining PCI Compliance, the majority of the above rules relate to your hosting environment, network, and staff procedures.
To help our customers achieve PCI Compliance, we have teamed up with Comodo to offer WHMCS users their Web Inspector service. Click here to find out more.
The information shown here on PCI Compliance should be used as a guide only and WHMCS Ltd. makes no warranty of any kind for the correctness or accuracy of this information. Additional advice should sought as appropriate.