The Payment Card Industry (PCI) Security Standards Council released new guidelines that serve as a supplement to the PCI Data Security Standard (PCI DSS). The PCI DSS E-Commerce Guidelines (Guidelines) are a reminder that merchants must comply with the PCI DSS requirements even when using ecommerce technology, such as online shopping websites that permit consumers to pay across the Internet.
The Guidelines also remind merchants that when payment card processing is outsourced to a third party, the merchant remains responsible for ensuring that the third-party service provider adheres to PCI DSS. Security measures should be tailored to the specific ecommerce platform so that payments are processed securely regardless of the processing method. Appropriate security measures include firewalls, encryption, and intrusion-detection and prevention systems.
The Guidelines also provide recommendations for merchants, such as securing and keeping track of cardholder data, destroying data that is no longer needed, and evaluating and preparing for the risks associated with ecommerce solutions.
All companies handling cardholder data should be aware of the PCI DSS requirements. Please see the attorneys listed to the right for additional information regarding the requirements and appropriate safeguards.