trends

PCI DSS Compliance for Paysites

PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a Compliance standard developed in late 2004 by the main credit card companies as a method of preventing credit card fraud, hacking and security threats and vulnerabilities.

In September, 2006, the PCI DSS standard was updated to version 1.1 from 1.0 to provide some minor revisions to the original version. The next revision of PCI DSS compliance is scheduled for late 2008.

PCI DSS Compliance is not an option and is required on any site which accepts credit cards as a form of payment. Any site accepting credit cards must comply with particular standards which are based primarily on the way in which a domain is secured. Non PCI DSS compliant issues may include; open ports on a server, firewall holes, non-standard applications or applications which have not been upgraded to their latest and most secure versions.

In order for a site to be PCI DSS compliant, it must provide a report if audited by a Qualified Security Assessor (QSA) whenever requested. If the owner of site which accepts credit cards cannot prove that it meets the PCI DSS requirements, they may lose their ability to process credit cards on their sites and thereby their ability to process credit card transactions.

The amount of times a PCI DSS scan is required in order to be PCI DSS compliant depends upon the total number of transactions completed each year by that domain.

Sites and payment card service providers must validate their compliance periodically. This periodic validation is conducted by auditors who are the PCI DSS Qualified Security Assessors (QSAs). Site owners who are processing less than 80,000 transactions per year are allowed to perform a self-assessment questionnaire. Sites that process larger amounts of transactions can only be approved as compliant by a qualified QSA on behalf of the PCI DSS council.

It does not matter if you use a shopping cart, membership or VOD site, and it does not matter if you host the payment pages where the customer puts in their credit card information or if you use a gateway processor like Netbilling or DHDmedia who hosts those pages for you. You must still conform to keeping all data that is collected safe and meets the guidelines of the PCI Security Standards Council; otherwise you may be liable for huge fines. Sites that process, store or even transmit payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments and risk being audited or fined. PCI DSS fines can be as high as $500,000 per incident.

A prime example of what could happen if you fail to implement or adhere to the PCI DSS compliance can be found in the March, 2007, case of a company called TJX Companies, Inc., — the owner of T.J Maxx and Marshall's department stores, which faced more than a dozen class action lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces, for what has been called the single largest data breach in U.S history.

TJX revealed in 2007 that hackers compromised at least 45.7 million credit and debit cards from the period of July, 2005, until the discovery was made in December, 2006. In a regulatory filing made with the Securities and Exchange Commission (SEC) after the violation, TJX stated that its computer systems were first hacked in July, 2005, by one or more intruders, but did not find out about the breach until much later. TJX recently estimated that the breach will cost them about $118 million. The estimate after legal fees and regulatory fines put the costs at over $1.35 billion.

So how can you keep yourself PCI DSS Compliant? The simplest method of making sure your site meets the PCI DSS compliance requirements is to use a PCI DSS scanning company like McAfee Secure. McAfee Secure has a program which costs around $319 a year for four devices and can scan your servers to make sure they meet the PCI DSS requirements and provide the report you need in case your site ever gets audited by the PCI DSS council.

Remember, that any server which has anything to do with your payment process must be PCI DSS compliant. This may include your NATs server if you are sending information to a gateway; your payment pages (where customers put in their card information on a secure page); your server if it sends out payment information to another server (in the case of cross selling).

When you have your domains scanned for PCI DSS compliance, they are scanning the servers, checking to see what kind of information they can obtain from that server similar to what a hacker might do. (One of the things worth mentioning here is that when you employ a PCI DSS scanning company to scan your server, it may cause your website statistics to become erratic and inaccurate as the PCI DSS scanner will hit pages randomly, every day. It may also increase the amount of 404's or 'page not found' errors in your reports. If you can find a way to purge their scanning servers from your statistics it will eliminate possible stat confusion.)

Another item of note is to make sure that you have total control over your servers. I would never recommend putting your pay pages or any part of your payment process on any server which you do not have root access to. In order words, any server which is either co-located (owned by you) or dedicated would be fine. I have seen many instances where servers have been comprised by scripts (such as CGI scripts or mail forms) running on an unsecured shared server.

Another item to keep in mind is that if you are running a program like NATS, which hosts a pre-payment form asking the client to put in their name, country and email, it may be prudent to secure that server as well. Since your NATS server hosts the this pre-payment form and this form passes over this information to a payment gateway, a hacker could use vulnerabilities in your server to get this information and get the rest from a gateway which is not secure and both of you could be liable.

In my opinion is always best to protect yourself by making sure that any server which accepts any information in the payment process be secured. Adding a Hacker Safe logo can also help customers feel more at ease with your payment process and thereby may be more willing to fill in your pre-payment page or self-hosted payment pages.

If you are curious if your payment gateway is PCI DSS compliant, you can go to Visa's compliant list of service providers. Some of the processors which are PCI DSS compliant include Linkpoint; CCBill; DHD Media; Epoch; eProcessing Network; Jettis; Netbilling; and Rocketgate.

PCI DSS compliance is a necessary part of processing credit cards online and cannot be taken likely. Hackers are always looking for vulnerabilities to exploit. I recently spoke to someone on the VISA council which estimated that only about 40 percent of all sites are currently PCI DSS compliant.

Make sure your payment process is PCI DSS compliant and protect your business. If you have any questions on how to get your site PCI DSS compliant, please don't hesitate to contact me at cs@integrationmind.com.

Related:  

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

What France's New Law Means for Age Verification Worldwide

When France implemented its Security and Regulation of the Digital Space (SREN) law on April 11, it marked a pivotal moment in the ongoing global debate surrounding online safety and access to adult content.

Corey D. Silverstein ·
opinion

From Tariffs to Trends: Staying Resilient in a Shaky Online Adult Market

Whenever I check in with clients these days, I encounter the same concerns. For many, business never quite bounced back after the typical post-holiday-season slowdown. Instead, consumers have been holding back due to the economic uncertainty around the Trump administration’s new tariffs and their impact on prices.

Cathy Beardsley ·
opinion

Optimizing Payment Strategies for High Ticket Sales

Payment processing for more expensive items, such as those exceeding $1,000 per order, can create unique challenges. For adult businesses, those challenges are magnified. Increased fraud risk, elevated chargeback ratios and heavier scrutiny from banks and processors are only the beginning.

Jonathan Corona ·
profile

WIA Profile: Lexi Morin

Lexi Morin’s journey into the adult industry began with a Craigslist ad and a leap of faith. In 2011, fresh-faced and ambitious, she was scrolling through job ads on Craigslist when she stumbled upon a listing for an assistant makeup artist.

Women In Adult ·
profile

Still Rocking: The Hun Celebrates 30 Years in the Game

In the ever-changing landscape of adult entertainment, The Hun’s Yellow Pages stands out for its endurance. As one of the internet’s original fixtures, literally nearly as old as the web itself, The Hun has functioned as a living archive for online adult content, quietly maintaining its relevance with an interface that feels more nostalgic than flashy.

Jackie Backman ·
opinion

Digital Desires: AI's Emerging Role in Adult Entertainment

The adult industry has always been ahead of the curve when it comes to embracing new technology. From the early days of dial-up internet and grainy video clips to today’s polished social media platforms and streaming services, our industry has never been afraid to innovate. But now, artificial intelligence (AI) is shaking things up in ways that are exciting but also daunting.

Steve Lightspeed ·
opinion

More Than Money: Why Donating Time Matters for Nonprofits

The adult industry faces constant legal battles, societal stigma and workplace challenges. Fortunately, a number of nonprofit organizations work tirelessly to protect the rights and well-being of adult performers, producers and industry workers. When folks in the industry think about supporting these groups, donating money is naturally the first solution that comes to mind.

Corey D. Silverstein ·
opinion

Consent Guardrails: How to Protect Your Content Platform

The adult industry takes a strong and definite stance against the creation or publication of nonconsensual materials. Adult industry creators, producers, processors, banks and hosts all share a vested interest in ensuring that the recording and publication of sexually explicit content is supported by informed consent.

Lawrence G. Walters ·
opinion

Payment Systems: Facilitator vs. Gateway Explained

Understanding and selecting the right payment platform can be confusing for anyone. Recently, Segpay launched its payment gateway. Since then, we’ve received numerous questions about the difference between a payment facilitator and a payment gateway. Most merchants want to know which type of platform best meets their business needs.

Cathy Beardsley ·
opinion

Reinventing Intimacy: A Look at AI's Implications for Adult Platforms

The adult industry has long revolved around delivering pleasure and entertainment, but now it’s moving into new territory: intimacy, connection and emotional fulfillment. And AI companions are at the forefront of that shift.

Daniel Keating ·
Show More