Credit Cards and PCI-DSS Security Requirements
We were recently signed up with a third-party security auditing company, Trustwave, as part of the merchant agreement with our bank for credit card processing. Their job is to test for PCI-DSS (Payment Card Industry Data Security Standard) compliance, the set of security requirements that applies to anyone who handles card payments.
Even though we don't store any credit card details, we still need to comply with these standards as part of our agreement with the bank that allows us to accept credit cards. The reason is that card details are entered on our e-commerce site and transmitted from there to our processing gateway, so the site is in scope even though it never stores them.
Besides a lengthy questionnaire about our security practices, part of the process is a vulnerability scan of our website. Given how technical most of our customers are, I thought some of you might be interested in seeing the details of the report.
You can find the PDF Report on our site here.
There are a few information items (not errors or warnings, just informative) in the report regarding the website's SSL certificate. This appears to be because Trustwave's list of trusted certificate authorities isn't as complete as those shipped with common browsers and operating systems. Scanners also report this kind of item when a server sends only its own certificate without the intermediate CA certificate that links it to a trusted root, so confirming that the full chain is served is a worthwhile check whenever one shows up.
Apart from the SSL information items and a couple of other unimportant things, the report is all clear, which means the site responded well (as it should) to the security scan. This isn't a big surprise, as we already run security scans against the website ourselves as part of our general development practice. One useful thing did come out of the scan: we discovered that the 404 error page wasn't being cached as it should have been, so an aggressive scan, which requests a large number of non-existent URLs, put the site under high load. This has now been taken care of and will make the site more responsive under those conditions.
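As an added illustration, not from the original post and not a description of how the site is actually configured: if a site sits behind nginx as a reverse proxy, the uncached 404 and its fix look like the following. The upstream address, cache path and hostname are assumptions.

```nginx
# Added example: nginx reverse-proxying an application server.
# Assumed values: cache path, upstream address and hostname.
proxy_cache_path /var/cache/nginx/site levels=1:2 keys_zone=site:10m
                 max_size=1g inactive=60m;

upstream app {
    server 127.0.0.1:8080;   # assumed application server
}

server {
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        proxy_pass http://app;
        proxy_cache site;
        proxy_cache_key "$scheme$host$request_uri";

        # Weak setting: only successful responses get a cache lifetime, so
        # every request for a URL that does not exist (a scanner probing
        # hundreds of paths) reaches the application, which renders the
        # 404 page from scratch each time.
        #
        #   proxy_cache_valid 200 10m;

        # Corrected: give the 404 page a short cache lifetime as well, so
        # repeated misses are answered by nginx instead of the application.
        proxy_cache_valid 200 10m;
        proxy_cache_valid 404 1m;

        # Exposes HIT/MISS so the behaviour can be verified from a client.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Requesting the same non-existent URL twice should return `X-Cache-Status: MISS` and then `HIT`. Note that nginx honours `Cache-Control` headers sent by the application by default; if the application marks its 404 page `no-store` or `no-cache`, the page will stay uncached unless `proxy_ignore_headers Cache-Control;` is also set in the location block.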
If anyone has any questions or comments please feel free to comment below or contact us directly.