PCI compliance requirements

If you have a website where you take credit card numbers directly from your visitors, it’s typically required to pass PCI scans before your site can be given a seal of approval for adhering to the PCI DSS. A PCI vendor will run a series of PCI scans on your website and provide you with a PCI scan report, usually in PDF format, that should include an actionable list of failures and possible solutions. Passing a PCI compliance scan will generally require changing some default settings on your server to make it more secure before the vendor proceeds with the scan. Some of the most common tasks are closing ports at the firewall and ensuring that you’re using up-to-date software.
Staying PCI compliant

PCI compliance is an ongoing commitment, and most PCI vendors will require a new scan about once every 90 days or so to ensure that your website is staying compliant. Ensuring that your website stays PCI compliant can help keep your customers trusting you, as it shows them you’re committed to handling orders without the risk of a security breach and theft of their vital data. If you’ve already had a scan run on your website and the test failed, you can e-mail a copy to us at firstname.lastname@example.org to have our system administration department review the scan for you. Below are some of the common things that can cause a PCI scan to fail initially. Over time, each of these should also link to instructions for handling that type of failure on your own.
- Close open ports for PCI compliance
- Outdated system software (Apache, BIND, Exim, OpenSSL, PHP)
- SSL/TLS vulnerability
- FTP clear/plain text authentication
- cPanel guestbook.cgi is present
- Directory Indexes are on
- /scgi-bin directory accessible
You should now understand what PCI compliance is and why it might be important for your website if you’re accepting credit cards.