Yes, there is proof of this. While the article is loaded with "scare text", the warning is real. PCI-DSS compliance is required by July 1st, 2010. PCI-DSS = Payment Card Industry Digital Security Standard.
Simply put, there are 12 areas that you need to pay close attention to, and I've pasted them below.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
For more information on PCI-DSS, go to https://www.pcisecuritystandards.org. Also, consider downloading the PCI-DSS; it's a 60-70 page PDF with all of the information that you need on the PCI-DSS. It also contains a Self-Assessment Questionnaire that you can use to review your site or app.
As I work with ecommerce sites daily, I can assure you, PCI is not something that you want to ignore. At the same time, it's not terribly difficult to adhere to the rules.
As a quick reminder, any site that is found to be non-compliant at the time of a breach could face fines into the hundreds of thousands of dollars (USD).
I take issue with Requirement 5: why on earth would my web server need an antivirus? Other than that, everything else is pretty much a no-brainer. Where my real issues lie are in the certifications of PCI compliance. Companies charge a lot of money to do "scans" of your website and claim that you're required to be "scanned" for compliance. According to https://www.pcisecuritystandards.org that doesn't seem to be the case.