CoreCommerce is PCI Compliant!
Our most recent annual PCI-DSS validation was completed by Trustwave on March 11, 2013 and is valid until March 11, 2014. You can download the CoreCommerce AOC (Attestation of Compliance).
The Long Road To PCI Compliance
Becoming PCI-DSS compliant is both time consuming and very expensive. It requires a third-party auditor that is certified by Visa/MasterCard to review your physical security and to perform penetration testing on the software itself, to ensure hackers can't exploit vulnerabilities to gain access to sensitive credit card information. Depending on the type of problems the auditor finds, it can take 3-9 months to pass the rigorous guidelines set forth by the PCI Security Standards Council.
Here are the basics:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Huge fines for Non-Compliance
High-profile cases concerning big corporations have hit the headlines in the last couple of years. The Payment Card Industry has threatened huge fines against some larger merchants of up to $25,000 per month until compliance is obtained. In the high-profile case of TJX (owner of the T.J. Maxx, Marshalls, Home Goods and A.J. Wright retail chains), the company reported spending $202 million because of the PCI violation that compromised the cardholder account information of as many as 40 million customers. The money is being spent to handle more than 20 lawsuits brought against it by banks and consumers in the U.S. and Canada and to pay settlements with credit-card associations. Currently only a few select shopping cart providers are PCI-DSS compliant.
Merchants that are NOT PCI COMPLIANT can face:
- Up to $25,000 in monthly fines
- Up to $500,000 in fines if data is stolen
- Cancellation of their Visa/MasterCard accounts
- Inability to accept credit card payments from customers
The Good News?
CoreCommerce is PCI compliant; you can download the paperwork you need to submit to your credit card processor here.