Wednesday, August 27, 2008

PCI Compliance

If I may rant just a bit... for all of the organizations out there that don't know whether you fall under the PCI guidelines, FIND OUT. Don't rely on your credit card processor to tell you. I talk with companies on a weekly basis who haven't yet heard of PCI, and with others that are told really crazy things by the people they pay to process their credit cards. The rule is very simple: if you

1) Process
2) Store
3) Transmit

cardholder data, you fall under PCI. All of PCI. It's not an à la carte menu that you get to pick and choose from. If you are a level 1 or 2 merchant, you're already behind. Way behind. The rest of you had better get moving. And yes, if you take cardholder data on your web site, you were supposed to have an application layer firewall in front of every web server. And NO, that doesn't mean you simply slap a cheap ASA firewall in front of it and call that an application layer firewall. If you don't know the difference, ask someone.
