The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that store, process, or transmit payment card data.
The PCI requirements have six objectives:
Your organization and website can be PCI compliant without ever paying a compliance validation service to perform testing and reporting. Compliance (meeting the requirements) and validation (proving that you meet them) are separate things, and how much validation is required depends on the merchant or service-provider level that the card brands and your acquiring bank assign to you. Smaller merchants typically self-assess by completing a Self-Assessment Questionnaire (SAQ) rather than undergoing an on-site assessment by a Qualified Security Assessor (QSA); note, however, that some SAQ types still require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
ServerPilot configures your server securely, manages updates, and installs a firewall; however, this is not enough to make you PCI compliant. PCI compliance is fundamentally about the practices of your organization.
To be PCI compliant, both your internal practices and your apps must meet the PCI DSS requirements. Some factors to consider when determining whether you need to be, and are, PCI compliant include the following:
Some PCI compliance scanning companies and tools report false positives when scanning your server or apps, and they do so for a variety of reasons.

The most common cause is backporting. Ubuntu and other Linux distributions usually release a security update by applying the upstream fix as a patch to the version of the package they already ship, rather than upgrading to the latest upstream release. This keeps the server secure while preserving stability and compatibility, but it also means the version number the software reports (in an HTTP Server header or an SSH banner, for example) stays the same after the fix is installed. Many compliance scans fingerprint a service only by that advertised version and ignore the distribution and package release number, so they flag vulnerabilities that have in fact been patched. In most of these cases, sending the scanning agency the exact installed package version, the Ubuntu release, and the package changelog entry that lists the fixed CVE is sufficient to have the finding dismissed as a false positive.
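The check below is an added example, not ServerPilot's code or part of the original page. It shows how to gather the evidence for a backporting dispute on an Ubuntu server: the exact installed package version comes from `dpkg-query`, and the proof that a CVE was patched comes from the package changelog, which is what `apt-get changelog <package>` prints. The changelog excerpt embedded in the script is constructed for the demonstration, with a placeholder CVE id (CVE-1900-0001) and made-up version numbers; on a real server you would pipe the real `apt-get changelog` output into the same helpers.

```shell
#!/bin/sh
# Added example (not ServerPilot's code): gather the evidence that an
# installed Ubuntu package already carries a backported fix for a CVE.
#
# On a real server the two inputs come from:
#   dpkg-query -W -f='${Package} ${Version}\n' <package>   # exact installed version
#   apt-get changelog <package>                             # where Ubuntu records fixes
# The helpers below read changelog text from stdin so they also run offline.

# Usage: installed_version <package>
# Prints the installed version string, or nothing if the package is absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# Usage: changelog_fixes_cve <cve-id>   (changelog text on stdin)
# Exit status 0 if the changelog mentions the CVE, 1 otherwise.
changelog_fixes_cve() {
    grep -qi -- "$1"
}

# Usage: fixing_version <cve-id>   (changelog text on stdin)
# Prints the version of the newest changelog entry that mentions the CVE.
# Debian/Ubuntu changelog entries begin with a header line of the form:
#   package (version) distribution; urgency=...
# so the most recently seen header's version is the entry a CVE line belongs to.
fixing_version() {
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9.+-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        index($0, cve) && ver != "" { print ver; exit }
    '
}

# Constructed sample changelog excerpt: placeholder CVE id, made-up versions.
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder description of the fixed issue
    - debian/patches/CVE-1900-0001.patch: placeholder patch description.
    - CVE-1900-0001

 -- Maintainer <maintainer@example.com>  Tue, 01 Jan 2030 00:00:00 +0000

openssl (1.1.1f-1ubuntu2.2) focal; urgency=medium

  * Rebuild, no security content.

 -- Maintainer <maintainer@example.com>  Mon, 01 Jan 2029 00:00:00 +0000
'

# Demonstration on the constructed data. With real data you would run:
#   apt-get changelog openssl | fixing_version CVE-XXXX-NNNN
# and report that version together with "$(installed_version openssl)".
if printf '%s' "$SAMPLE_CHANGELOG" | changelog_fixes_cve CVE-1900-0001; then
    echo "CVE-1900-0001 fixed in openssl $(printf '%s' "$SAMPLE_CHANGELOG" | fixing_version CVE-1900-0001)"
else
    echo "CVE-1900-0001 not mentioned in changelog"
fi
```

If the version printed by `fixing_version` is less than or equal to the version `dpkg-query` reports (compare with `dpkg --compare-versions`), the fix is installed and the scanner's finding is a false positive; if the changelog does not mention the CVE at all, the finding may be real and the package needs updating.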