What's it all about?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit card and debit card information.
The standard is administered by the Payment Card Industry Security Standards Council and was created to strengthen controls around cardholder data in order to reduce credit card fraud.
As we sell online and accept payments from Visa, MasterCard, American Express and Discover credit cards, our software and hosting need to be PCI compliant.
There are six control objectives to PCI compliance:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Security is of paramount importance to us and we take PCI compliance very seriously. Georgina Dee Online undergoes annual assessments to validate our compliance. Continuous evaluation and risk assessment ensure that PCI compliance is at the heart of what we do.
We've partnered up with Braintree to provide a secure environment that goes above and beyond industry standards and guidelines:
Prohibited Data Storage
We never store raw magnetic stripe, card validation code (CAV2, CID, CVC2, CVV2), or PIN block data.
Cardholder data is stored using one of the most advanced encryption methods available. Multiple encryption keys are stored on different physical servers, so a data thief who stole the contents of a database could not make use of them without also obtaining the key. The data store where cardholder data is kept is not reachable from the internet.
Authentication and Session Management
All users have to authenticate each time they use the application, and inactive sessions time out after 2 hours. Passwords are never stored directly in the database. In addition, all communication between merchants and us is conducted securely using TLS (Transport Layer Security).
At least quarterly, automated vulnerability scans are conducted on our Card Data Environment. In addition, at least once a year we have extended external penetration testing conducted by outside parties.
Our network has been set up securely with minimal access to outside networks. Access to our servers is allowed only over VPN and only from whitelisted IPs.