PCI DSS (the Payment Card Industry Data Security Standard) is a security standard for handling cardholder data. In general, if your website accepts cardholder data, you must be PCI compliant. Contact your acquirer or merchant service provider to determine exactly what you need to do in order to become PCI compliant.
It is important to understand that the liveSite software itself is PCI compliant; however, compliance is assessed for your whole environment, so we recommend following the steps below.
There are items outside of liveSite's control which must also be PCI compliant (e.g. a secure hosting environment). Your acquirer/merchant service provider can guide you through the process of becoming PCI compliant, and there are generally penalties if you fail to meet their requirements. They will probably recommend a scanning vendor that can scan your website for compliance issues. Strictly speaking, the quarterly external vulnerability scans required by PCI DSS are performed by an Approved Scanning Vendor (ASV), while a Qualified Security Assessor (QSA) performs on-site assessments; many providers refer to the scanning vendor loosely as the QSA, and that is the term used in the rest of this article. They might also require that you complete a Self-Assessment Questionnaire (SAQ).
Once you have selected a QSA that your acquirer/merchant service provider recommends, the QSA will run a compliance scan on your website. The scan looks for SSL/TLS certificate issues, known security vulnerabilities, and other findings that would make your website insecure. If the scan reports failing PCI issues and you are not hosted with us, contact your hosting provider about the issues. If there are failing issues and you are hosted with us, see below.
Our liveSite Cloud Hosting is already fully PCI compliant. Unfortunately, the QSA scan can still produce false alerts (false positives), because the scanner sometimes makes assumptions that do not hold on our servers. For example, the scan reads software version numbers (such as the version advertised in an HTTP Server header) and flags any version that has a published vulnerability. This is an unreliable way of detecting vulnerabilities, because the operating system's automatic updates backport security fixes into the existing package version (standard practice on enterprise Linux distributions such as Red Hat Enterprise Linux and Debian): the fix is installed, but the version number the scanner sees does not change.
In order to pass the scan, the QSA requires that each false alert be appealed (disputed) by the server administrator, i.e. by us. You cannot do this yourself, because the appeal process requires answering technical questions about the server, for example which package versions are installed and which security fixes they contain. Fortunately, we are happy to help you with this. Please contact us and provide the QSA scan report that shows the false alerts, so we can prepare an estimate for you.
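The two paragraphs above explain why version-based findings are often false positives and why disputing them requires facts about the server. The following is an added example, not liveSite's code, showing the kind of evidence a server administrator gathers for that dispute: the installed package version and the distribution changelog entry proving that the fix was backported. It assumes an RPM- or Debian-based Linux host; the package name, the CVE id and the changelog excerpt used for the sample run are constructed for illustration.

```shell
#!/bin/sh
# Added example (not liveSite's code). Collects the evidence needed to dispute a
# version-based false positive: the scanner only sees a version string (e.g. in
# an HTTP "Server" header), while the distribution changelog records which CVEs
# were backported into that same version.

# Installed version of a package, as the distribution reports it.
# The package name is whatever your distribution calls it (openssl, httpd, apache2, ...).
installed_version() {
    pkg="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -q "$pkg"
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' "$pkg"
    else
        echo "no supported package manager found" >&2
        return 1
    fi
}

# Changelog of an installed package: RPM keeps it in the package database,
# Debian/Ubuntu ship it compressed under /usr/share/doc.
package_changelog() {
    pkg="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$pkg"
    elif [ -f "/usr/share/doc/$pkg/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$pkg/changelog.Debian.gz"
    else
        echo "no changelog found for $pkg" >&2
        return 1
    fi
}

# Read changelog text on stdin; succeed if the CVE id appears as a whole word.
# -w keeps CVE-2014-0160 from matching CVE-2014-01600; -F treats the id literally.
cve_in_changelog() {
    grep -qiwF -- "$1"
}

# One-line verdict for a package/CVE pair on the local system.
verify_fix() {
    pkg="$1"; cve="$2"
    if package_changelog "$pkg" | cve_in_changelog "$cve"; then
        echo "$(installed_version "$pkg"): $cve fixed by backport (cite this changelog entry in the dispute)"
    else
        echo "$(installed_version "$pkg"): no changelog entry for $cve (treat the finding as real until proven otherwise)"
        return 1
    fi
}

# Constructed changelog excerpt, modelled on the RPM changelog format, so the
# matching logic can be exercised on a machine without rpm or dpkg.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 Example Packager <packager@example.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# With two arguments check a real package (e.g. ./check_cve.sh openssl CVE-2014-0160),
# otherwise run the sample.
if [ $# -eq 2 ]; then
    verify_fix "$1" "$2"
else
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2014-0160 \
        && echo "sample changelog: CVE-2014-0160 present"
fi
```

The output of `installed_version` and the matching changelog line are exactly the two facts a scanning vendor asks for when a version-based finding is disputed; keep them with the scan report, because the same finding will reappear at the next quarterly scan.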
Once we have successfully appealed all of the false alerts, the QSA will declare that your website is PCI compliant and will pass this information on to your acquirer/merchant service provider, so that you are not penalized. Be aware that PCI DSS requires external scans at least quarterly, so your QSA will probably require the same false alerts to be appealed again after each scan. Please feel free to contact us each time you need our help.
Below is a list of some of the things that we do on our servers in order to be PCI compliant or to minimize QSA false alerts.
You may have received information from your QSA about TLS 1.0 no longer being allowed at some point in the future. If you are hosting with us, we keep TLS 1.0 enabled on your website for now, because some visitors still have older clients (browsers and devices) that cannot negotiate TLS 1.1 or 1.2; disabling it would prevent those visitors from reaching your website and completing orders, which is obviously undesired. Note that the PCI Security Standards Council stopped treating SSL and early TLS (TLS 1.0) as strong cryptography in 2015: TLS 1.0 is tolerated only as an interim measure, provided a Risk Mitigation and Migration Plan is in place, and it must be disabled by 30 June 2018. We plan on disabling TLS 1.0 by that deadline, as required by PCI DSS.
Your QSA might require a "Risk Mitigation and Migration Plan" concerning the use of TLS 1.0. Such a plan typically documents where TLS 1.0 is still in use, the controls that reduce the risk in the meantime, and the target date for completing the migration. If your QSA requires one and you need our help to create it, please feel free to contact us.
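To show what the TLS 1.0 change looks like on the server side, here is an added example, not liveSite's configuration or code: a small POSIX shell script that evaluates an Apache mod_ssl SSLProtocol directive the way mod_ssl does (a bare keyword replaces the current set, "+" adds to it, "-" removes from it) and reports whether TLS 1.0 would still be offered, with the compatibility directive (TLS 1.0 kept, as described above) beside the migrated one. Apache is assumed as the web server (the page does not say which server liveSite Cloud Hosting runs); the directives and the composition of mod_ssl's "all" keyword are assumptions; the `probe_tls10` helper needs network access and is not exercised offline.

```shell
#!/bin/sh
# Added example (not liveSite's configuration). Evaluates an Apache mod_ssl
# SSLProtocol directive and reports whether TLS 1.0 is still offered.
# Constructed directives, not taken from a real vhost:
COMPAT_DIRECTIVE='SSLProtocol all -SSLv3'               # TLS 1.0 kept for old clients
MIGRATED_DIRECTIVE='SSLProtocol all -SSLv3 -TLSv1'      # TLS 1.0 disabled (PCI deadline)
STRICT_DIRECTIVE='SSLProtocol -all +TLSv1.2 +TLSv1.3'   # TLS 1.2+ only (stricter than PCI required)

# What "all" expands to; assumed to match Apache 2.4 with a recent OpenSSL.
# Builds without TLS 1.3 support will not have TLSv1.3 in their set.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Membership test on a space-separated list.
set_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the protocols a directive leaves enabled, in the order they were added.
# Mirrors mod_ssl's parser: bare keyword replaces, "+" adds, "-" removes.
enabled_protocols() {
    set -- $1                                   # split the directive into words
    if [ "$1" = "SSLProtocol" ]; then shift; fi # accept with or without the keyword
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            +*) action=add;     name=${tok#+} ;;
            -*) action=remove;  name=${tok#-} ;;
            *)  action=replace; name=$tok ;;
        esac
        case "$name" in
            all) members="$ALL_PROTOCOLS" ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) members="$name" ;;  # SSLv2 accepted for legacy configs
            *) echo "unknown SSLProtocol keyword: $name" >&2; return 2 ;;
        esac
        case "$action" in
            replace) enabled="$members" ;;
            add)
                for m in $members; do
                    set_has "$enabled" "$m" || enabled="${enabled:+$enabled }$m"
                done ;;
            remove)
                kept=""
                for p in $enabled; do
                    set_has "$members" "$p" || kept="${kept:+$kept }$p"
                done
                enabled="$kept" ;;
        esac
    done
    printf '%s\n' "$enabled"
}

# Succeed if the directive still offers TLS 1.0.
tls10_offered() {
    set_has "$(enabled_protocols "$1")" TLSv1
}

# Check a live server from the outside: a completed TLS 1.0 handshake prints the
# server certificate; a server that refuses TLS 1.0 sends an alert before that.
# Needs network access and an openssl built with TLS 1.0 client support.
probe_tls10() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -tls1 </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

for d in "$COMPAT_DIRECTIVE" "$MIGRATED_DIRECTIVE" "$STRICT_DIRECTIVE"; do
    if tls10_offered "$d"; then verdict="TLS 1.0 still offered"; else verdict="TLS 1.0 disabled"; fi
    printf '%-42s -> %s [%s]\n' "$d" "$verdict" "$(enabled_protocols "$d")"
done
```

Run the script as-is to see the three directives evaluated; `probe_tls10 www.example.com` gives the same answer for a live site from the scanner's point of view, which is the check to repeat after the migration date so the next quarterly scan does not report TLS 1.0 as a real finding.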