If you're thinking about setting up a system to take payments for an online store, there's a good chance the subject of PCI compliance has come up. The Payment Card Industry standards are the rules a bank uses to decide whether it can afford the risk of dealing with a particular customer that sells online. They exist to reduce the costs that follow when a website is hacked. By complying with them, website operators gain access to the banking system, and they also make shopping on the internet a little safer.
It's best to raise the subject of PCI compliance with your bank before you build an online site that accepts credit card payments. If your site does not take card information directly, there's a good chance you won't be asked to undergo an audit. If you take any information that can be tied to a specific account, such as credit card numbers, you'll likely have to prove that your system is secure.
Websites that have been operating without going through the process will almost always receive notices from their banks eventually. To keep the right to deposit credit card payments into their bank accounts, these organizations will be required to go through audits.
A PCI compliance audit covers a wide range of issues that are common in the cybersecurity world. An automated system scans the server hosting the website's payment card processing code for obvious holes that could be exploited by attackers. This includes checking that the site is served with an up-to-date SSL certificate. The scan also tries to verify that the server is not running software with unpatched vulnerabilities. Ports are scanned to see whether any software is responding to queries unnecessarily. A number of basic attacks, such as SQL injection and privilege escalation, are then run automatically against the server to see whether anything is exposed.
A report of the findings is made available to the subject of the audit. The website operator is then given a fair amount of time to work through the items in the report and make sure each has been properly addressed. Once the items have been addressed, the site's operators can request that a new automated scan be conducted.
PCI audits are performed for the safety of your customers. Before moving forward on a project, make sure the developers you'll be working with are familiar with the process. Once the audit has been conducted, it will be repeated from time to time to verify ongoing compliance. The process ensures that your site is reliable and secure, and that's a fact you'll want to advertise to customers.