Elbowspace
PCI Compliant
 
    Our shopping carts are hosted on PCI compliant servers, and all traffic to them is protected with 128-bit SSL encryption.
Elbowspace adheres to the international PCI (Payment Card Industry) data security compliance standard.
The Elbowspace shopping cart handles your buyers' payment card information for you. By using our shopping cart with one of the available payment gateways, or by running cards manually (without storing any payment card data yourself), you never handle your buyers' card data directly and are not subject to the full, rigorous PCI DSS validation process that applies to merchants who store, process or transmit it themselves (you still attest to your reduced scope, typically through a short self-assessment questionnaire).

What is PCI compliance? The Payment Card Industry Data Security Standard (PCI DSS) is a set of network security and business practice requirements adopted by Visa, MasterCard, American Express, Discover Card and JCB to establish a "minimum security standard" for protecting customers' payment card information. It applies to every merchant that stores, transmits or processes payment card information.

Anyone who currently processes credit cards is bound by the PCI DSS requirements. Fines of up to $250,000 are possible for non-compliance.

How does my business become PCI compliant? You can either use:

1) Elbowspace forms or shopping cart together with a payment gateway; or
2) Elbowspace forms or shopping cart manual card options
    (without storing payment card info); or
3) Do it all yourself: build and maintain a secure network to protect payment
     card information; maintain a vulnerability management
     program; implement strong access control measures; regularly
     monitor and test networks; pass quarterly remote vulnerability
     scans; and more ...

Plain English: as long as you DO NOT store cardholder information yourself (card number, card security code, expiration date, etc.), Elbowspace handles it for you.


Below are some of the controls required for PCI compliance that we have implemented. We have implemented them so you won't have to.

1) Pass an external quarterly vulnerability scan from a PCI Approved Scanning Vendor (ASV).
2) Perform an internal quarterly vulnerability scan.
3) Perform an external yearly network/application layer penetration test.
4) Perform an internal yearly network/application layer penetration test.
5) Install intrusion detection & prevention systems.
6) Install file-integrity monitoring software.
7) Maintain audit-trail history logs for at least one year.
8) Maintain security badge entry, video surveillance & access logs at the
    web server physical location.
9) Implement the following user ID and password standards for all user accounts:
    a) The user must re-authenticate if the session has been idle for 15 minutes or more.
    b) Lock the account for 1 hour after 5 or more consecutive failed login attempts.
    c) Force the user to change passwords at least every 90 days.
    d) New passwords must differ from the last five.
    e) New passwords must contain at least 7 characters, including both alphabetic and
        numeric characters.
    f) If an account has been inactive for 90 days or more, the user must
        call in to re-activate his/her account.
10) Review all application programs for common vulnerabilities.
      Implement changes to prevent vulnerabilities like XSS, CSRF & SQL injection.
11) Install the latest vendor-supplied patches to all software especially the
     operating system & web server.
12) All application programs written & re-written using
     OWASP & PCI DSS programming standards.
13) Install anti-virus software.
14) Remove all unnecessary programs, scripts, drivers, file systems, DBMSs and web
     servers from each physical server, and change all vendor-supplied defaults.
15) Implement strong 128-bit encryption for the transfer of sensitive data.
16) Encrypt all cardholder information before storing it. Sensitive authentication data
     (the card security code, full magnetic-stripe data and PIN) is never stored after
     authorization, encrypted or not.
17) Firewalls are as restrictive as possible while still allowing server functions.
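The account controls in item 9 are the one part of this list a developer can reproduce directly, and the details matter: the lockout counter must reset only after a successful login or an expired lockout, the history check must compare hashes rather than plaintext, and the idle timeout must be measured from the last activity, not from login. The following is an added illustration in Python written for this page; it is not Elbowspace's code. The salted PBKDF2 hashing, the in-memory `Account` record and the function names are assumptions for the example. Times are passed in explicitly so the behaviour can be checked offline.

```python
"""Account controls matching the parameters in item 9 (a)-(f).

Added example, not Elbowspace's code. The salted PBKDF2 hashing scheme
and the in-memory Account record are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)      # (a) re-authenticate after idle
MAX_FAILED_ATTEMPTS = 5                   # (b) lockout threshold
LOCKOUT_DURATION = timedelta(hours=1)     # (b) lockout length
PASSWORD_MAX_AGE = timedelta(days=90)     # (c) forced rotation
PASSWORD_HISTORY = 5                      # (d) no reuse of the last five
PASSWORD_MIN_LENGTH = 7                   # (e) minimum length
INACTIVITY_LIMIT = timedelta(days=90)     # (f) manual re-activation


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    # (salt, digest) pairs, most recent last; never plaintext
    password_history: list[tuple[bytes, bytes]] = field(default_factory=list)
    password_set_at: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None
    last_activity: datetime | None = None
    disabled_for_inactivity: bool = False


def password_meets_policy(account: Account, candidate: str) -> tuple[bool, str]:
    """Rules (d) and (e): length, letters plus digits, not one of the last five."""
    if len(candidate) < PASSWORD_MIN_LENGTH:
        return False, "too short"
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False, "must contain both letters and digits"
    for salt, digest in account.password_history[-PASSWORD_HISTORY:]:
        # Re-hash the candidate with each stored salt; constant-time compare.
        if hmac.compare_digest(_hash_password(candidate, salt), digest):
            return False, "reused one of the last five passwords"
    return True, "ok"


def set_password(account: Account, new_password: str, now: datetime) -> bool:
    ok, _ = password_meets_policy(account, new_password)
    if not ok:
        return False
    salt = os.urandom(16)
    account.password_history.append((salt, _hash_password(new_password, salt)))
    account.password_history = account.password_history[-PASSWORD_HISTORY:]
    account.password_set_at = now
    return True


def password_expired(account: Account, now: datetime) -> bool:
    """Rule (c): force a change at least every 90 days."""
    return account.password_set_at is None or now - account.password_set_at >= PASSWORD_MAX_AGE


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Rules (b) and (f). Returns 'ok', 'locked', 'inactive' or 'bad_password'."""
    if account.disabled_for_inactivity or (
        account.last_activity is not None and now - account.last_activity >= INACTIVITY_LIMIT
    ):
        account.disabled_for_inactivity = True   # cleared only by a manual call-in
        return "inactive"
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"
        account.locked_until = None              # lockout expired: start counting afresh
        account.failed_attempts = 0
    if not account.password_history:
        return "bad_password"
    salt, digest = account.password_history[-1]
    if not hmac.compare_digest(_hash_password(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_DURATION
        return "bad_password"
    account.failed_attempts = 0                  # success resets the counter
    account.last_activity = now
    return "ok"


def session_requires_reauth(account: Account, now: datetime) -> bool:
    """Rule (a): idle for 15 minutes or more."""
    return account.last_activity is None or now - account.last_activity >= IDLE_TIMEOUT
```

Two design points worth noting: the lockout response is returned before the password is checked, so an attacker cannot keep probing during the lockout window, and the inactivity flag is sticky so that a correct password alone does not re-enable a dormant account, matching rule (f).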