PCI Compliance

Security of your customer's personal information and credit card data is our number one priority at Smith Consulting, and our products are built to be fully PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The standard applies to anyone who accepts credit or debit card transactions and requires you to complete and file an annual assessment of your ability to safeguard card data. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

Most software vendors and processors take a hands-off approach to the whole assessment process, sending you to a third-party provider. Smith Consulting has modified every application that processes, stores or transmits credit card numbers to be PCI compliant. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements.

The following are the 4 levels of PCI compliance for merchants:

Level 1: Merchants processing over 6 million card transactions per year.
Level 2: Merchants processing 1 to 6 million transactions per year.
Level 3: Merchants handling 20,000 to 1 million transactions per year.
Level 4: Merchants handling fewer than 20,000 transactions per year.

How can SC help me with PCI compliance?
  • Our licensed PCI compliant technology gives you peace of mind that you are protecting your customers' personal information.
  • Credit Card Encryption – All our eCommerce modules have the option to not save credit cards in the database. If you choose to save credit cards in the database, our software uses RSA 256-bit encryption, which is an encryption method approved by PCI.
  • Card Security Code – The CVV/CID code on the back of a credit card is collected from the user and sent to the payment gateway for authorization, but it is never stored in the database.
  • SSL – All our products fully support SSL.
  • Hack Proof – Our products have undergone rigorous testing and validation for SQL injection and cross-site scripting to prevent unauthorized access to the database.
  • Sensitive customer data such as passwords is encrypted using 256-bit encryption.
  • Our applications are programmed to prevent cross-site scripting and SQL injection attacks.

What additional steps do I need to take?
  • In the connection string in your web.config file, use integrated SQL Server security instead of mixed-mode authentication. SQL Server integrated security is more secure.
  • Make sure permissions on SQL Server are locked down to the minimum required by your application.
  • Never use the SQL Server sa password.
  • The rest of the PCI requirements are related to network, Windows and SQL Server configuration and lockdown, and to other physical security requirements.
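As an added illustration (not Smith Consulting's own configuration), here is a web.config connection string that uses mixed-mode SQL authentication with the sa login, next to the integrated-security form the list above recommends. The server, database and connection names are placeholders.

```xml
<!-- Added example, not from the original page. DBSERVER01, StoreDb and the
     connection names are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- WEAK: mixed-mode SQL authentication with the built-in sa login.
         The password sits in clear text in web.config, and the application
         runs with sysadmin rights over the whole SQL Server instance. -->
    <add name="StoreDb_Weak"
         connectionString="Server=DBSERVER01;Database=StoreDb;User ID=sa;Password=CHANGEME;"
         providerName="System.Data.SqlClient" />

    <!-- RECOMMENDED: integrated security. No credentials are stored in the
         file; the application pool's Windows identity authenticates to
         SQL Server and is granted only the rights the application needs. -->
    <add name="StoreDb"
         connectionString="Server=DBSERVER01;Database=StoreDb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
```

On the SQL Server side, create a login for the application pool's Windows account and map it to a database user that holds only the role membership the application needs (for example db_datareader and db_datawriter), never sysadmin.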

PCI Password Requirements
  • Must be at least 7 characters in length
  • Must contain at least one uppercase character
  • Must contain at least one lowercase character
  • Must contain at least one numeric character

PCI compliance doesn't have to be difficult, especially if you are dealing with a software company that has a combined 25 years of credit card processing experience and is 100% focused on PCI security compliance and safeguarding your data.
