We've been asked about the new PCI DSS by a few customers. You may have to comply shortly, so we've addressed the main points laid out in the new standard below. You can visit the PCI DSS website here: https://www.pcisecuritystandards.org/tech/
The PCI DSS comprises 12 key requirements. I'll outline them below and follow each point with what we have in place:
1. Install and maintain a firewall configuration to protect data - our server is held within a datacentre, on a network with a leading IT service provider. They have a firewall and anti-virus in place.
2. Do not use vendor-supplied defaults for passwords or other security parameters - your username and password were chosen by you. The password is held encrypted; to reset your password, you need to know the answer to the security question you chose.
3. Protect stored data - our data is stored on dedicated servers, which are shared with no other company or individual.
4. Encrypt the transmission of cardholder data and sensitive information - we use 128-bit SSL encryption both in your control panel and on the customer booking screen. The SSL certificate is provided by COMODO. An excerpt from the information they hold, shown if you hover over their logo on the control panel login screen, is:
Fixit Knowledge Solutions holds a website identity assurance warranty of $10,000. This means that you are insured for up to $10,000 when relying on the information provided by IdAuthority on this site.
Fixit Knowledge Solutions is the company that wrote the Easy Bookings software - this is clearly stated on our website and on the Easy Bookings pages.
In addition, the card details are stored encrypted on our server - you only see the credit card details when you are logged in to the control panel, where they are again transmitted via the 128-bit SSL encrypted connection to your browser.
5. Use and regularly update anti-virus software - anti-virus software is installed.
6. Develop and maintain secure systems and applications - as with 4, we treat this very seriously and encrypt card number details. You are also given the option of cancelling out the card information, or deleting the customer information entirely, once you have processed the booking.
7. Restrict access to data by business need-to-know - we have no interest in looking at your customers' details, although we can access them if required. Only us, you, and anyone you have shared your login/password details with can access your customers' information.
8. Assign a unique ID to each person with computer access - we provide one username/password for each control panel, which, as in 2 above, were chosen by you. You may also have a local security policy in place which restricts what each user of your computer(s) may be able to do.
9. Restrict physical access to cardholder data - our servers are held in secure datacentres - please see the following for information on that setup:
Servers have the following attributes:
- Secure, London-based, with fully redundant Gigabit connections to LINX. Founded in 1994, LINX (The London Internet Exchange Ltd.) is the largest and most successful Internet exchange point in Europe, with a world-class reputation for quality, performance and technical excellence.
- Environmentally controlled and monitored premises
- Fire detection and suppression systems
- Capable of delivering uninterrupted service indefinitely in the event of a complete power failure
Data Center Security:
- 24x7 monitoring by on-site personnel
- Video camera surveillance
- Security breach alarm
- Secure PAC key access to server equipment, which is logged centrally by date and time
10. Track and monitor all access to network resources and cardholder data - every attempt to log in using your username is tracked, whether the correct authenticated password is used or an incorrect one. This information is available upon request. Anyone with your username and password can access your bookings, and therefore your customer data (unless you have changed it or deleted it).
11. Regularly test security systems and processes - if you attempt to log into Easy Bookings more than 3 times with the incorrect password, your account will be locked. In addition, we have just, in June, renewed our SSL certificate with COMODO (as in 4 above).
12. Maintain a policy that addresses information security - we only hold details for as long as you require them; you can overwrite them or delete them at any point once you have dealt with your customer's booking. I am certain you will have your own local security policy in place, restricting who can log on to your Easy Bookings control panel and documenting those who can.
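As an added illustration of the login tracking described in 10 and the lockout rule in 11, here is example code written for this page; it is not Easy Bookings' own code. It assumes an in-memory account store and log, reads "more than 3 times" as the fourth consecutive wrong password locking the account, and stores a salted PBKDF2 hash of the password rather than the encrypted password the text mentions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed reading of "more than 3 times": the 4th consecutive failure locks


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 hash, used here instead of the reversible encryption the text mentions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive wrong passwords since the last success
    locked: bool = False


@dataclass
class LoginAudit:
    """Hypothetical server-side login log: every attempt is recorded, as requirement 10 asks."""
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (timestamp, username, outcome)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _derive(password, salt))

    def attempt(self, username: str, password: str, ts: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:                       # attempts against unknown usernames are logged too
            self.log.append((ts, username, "unknown-user"))
            return False
        if acct.locked:                        # even the right password is refused once locked
            self.log.append((ts, username, "locked"))
            return False
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0                  # a success resets the consecutive-failure count
            self.log.append((ts, username, "success"))
            return True
        acct.failures += 1
        acct.locked = acct.failures > MAX_FAILURES
        self.log.append((ts, username, "failure-locked" if acct.locked else "failure"))
        return False

    def history(self, username: str) -> list:
        # What would be handed over when a customer asks for their login attempts.
        return [e for e in self.log if e[1] == username]
```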