PCI compliance

What's it all about?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit card and debit card information.

The standard is administered by the Payment Card Industry Security Standards Council and was created to increase controls around cardholder data in order to reduce credit card fraud.

If you want to sell online and accept payments from Visa, MasterCard, American Express or Discover credit cards, your software and hosting need to be PCI compliant.


There are six control objectives in PCI compliance:

Network

Build and maintain a secure network

Data

Protect cardholder data

Management

Maintain a vulnerability management program

Control

Implement strong access control measures

Testing

Regularly monitor and test networks

Security

Maintain an information security policy

Is Freewebstore PCI compliant?

Yes. Security is of paramount importance to us and we take PCI compliance very seriously. Freewebstore undergoes annual assessments to validate our compliance. Continuous evaluation and risk assessment ensures that PCI compliance is at the heart of what we do.

We've partnered up with Braintree to provide a secure environment that goes above and beyond industry standards and guidelines:

Braintree - https://www.braintreepayments.com/developers/security

Prohibited Data Storage

We never store raw magnetic stripe, card validation code (CAV2, CID, CVC2, CVV2), or PIN block data.

Data Encryption

Cardholder data is stored using one of the most advanced encryption methods available. Multiple encryption keys are stored on different physical servers. A data thief would not be able to make use of information stolen from a database without also having the key. The data store where cardholder data is kept cannot be connected to via the internet.

Authentication and Session Management

All users have to authenticate each time they use the application and inactive sessions time out after 2 hours. Passwords are never stored directly in the database. In addition, all communication between merchants and us is conducted in a secure fashion using TLS (Transport Layer Security).
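The two controls above (passwords never stored directly, and inactive sessions expiring after 2 hours) can be illustrated with the following added Python example. It is not Freewebstore's or Braintree's code; the salted PBKDF2 password hashing, the in-memory session store and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT_SECONDS = 2 * 60 * 60  # inactive sessions time out after 2 hours, as stated on the page


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'; the raw password is never stored."""
    salt = salt or os.urandom(16)           # fresh random salt per user
    iterations = 600_000                     # assumed work factor for PBKDF2-HMAC-SHA256
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable token, expired on inactivity."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, user, now=None):
        token = secrets.token_urlsafe(32)    # 256 bits of randomness; never derived from user data
        self._sessions[token] = {"user": user, "last_seen": time.time() if now is None else now}
        return token

    def lookup(self, token, now=None):
        """Return the user if the session is still active; otherwise drop it and return None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]        # expired: remove so the token cannot be revived
            return None
        sess["last_seen"] = now              # activity extends the idle window
        return sess["user"]
```

Each request that presents a token should go through lookup(), so that an idle gap longer than the timeout invalidates the session on the next use.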

Penetration Testing

At least quarterly, automated vulnerability scans are conducted on our Card Data Environment. In addition, at least once a year we have extended external penetration testing conducted by outside sources.

Securing Access

Our network has been set up in a secure fashion with minimal access to outside networks. Only VPN access is allowed to our servers, and only from whitelisted IPs.