What are best practices for PCI?

  • Serve any web pages that receive credit card information over TLS. Cardholder data should never be sent without TLS. Please note, your entire app does not have to be served via TLS. The credit card pages are the only pages required to be transmitted via TLS.

  • Never log any sensitive credit card data (full credit card number or verification value (CVV/CVC)). Most web apps expose credit card data via their log files and not the database.

  • Never store any sensitive credit card data (full credit card number or verification value (CVV/CVC)). You may store the first six and last four digits of the credit card number. If there's cardholder data you do not need, then we suggest not storing it (billing address, expiration date, number, etc.).

  • Protect your customers by keeping your site safe from cross-site scripting attacks.
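The second and third bullets (never log a full PAN or CVV, keep at most the first six and last four digits) can be enforced in code rather than left to developer discipline. The following is an added example, not code from the original page: a log filter that formats each record, masks any Luhn-valid card number down to first-six/last-four, and strips CVV/CVC values before the line reaches a handler. The regexes, function names, and the constructed sample messages are my own assumptions.

```python
import io
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.  (Assumed pattern, not from the page.)
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# "cvv=123", "CVC: 4567", etc.  (Assumed field names, not from the page.)
CVV_PATTERN = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|csc)\b(\s*[:=]\s*)\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Luhn check so that order ids and timestamps are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first six and last four digits, the storable form named above."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its truncated form."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return truncate_pan(digits) if luhn_valid(digits) else raw
    return PAN_PATTERN.sub(_sub, text)


def redact_cvv(text: str) -> str:
    """Drop verification values entirely; there is no permitted partial form."""
    return CVV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)


def scrub(text: str) -> str:
    return redact_cvv(redact_pans(text))


class CardDataFilter(logging.Filter):
    """Scrub the fully formatted message, so %-style args are covered too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = None      # already interpolated above
        return True


def log_scrubbed(message: str, *args) -> str:
    """Route one record through the filter and return what would be written."""
    stream = io.StringIO()
    logger = logging.getLogger("pci-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(CardDataFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample messages using a well-known test card number.
    print(log_scrubbed("charge ok card=%s cvv=%s", "4111 1111 1111 1111", "123"))
    print(log_scrubbed("order 1234567890123456 shipped"))   # fails Luhn, left alone
```

Attach `CardDataFilter` to every handler (or the root logger) at application start so that third-party libraries that log request bodies are covered as well. The Luhn check keeps false positives down; if your threat model prefers over-redaction, drop it and mask every 13-19 digit run. Note that the filter only protects what passes through `logging`: exception traces printed straight to stderr, or debug dumps written with `print`, still need the same treatment.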