The Rules for PCI Compliance
As of June 30, 2008, Visa requires merchants to comply with the PCI (Payment Card Industry) Data Security Standard to prevent
security and data breaches. Requirement 6.6 of the standard reads:
6.6 Ensure that all web-facing
applications are protected against known attacks by applying either of the following
methods:
• Having all custom application code reviewed for common vulnerabilities by
an organization that specializes in application security
• Installing an application layer firewall in front of web-facing
applications.
PCI Self-Assessment Survey
Don't Store Credit Card Information on Your Own Servers
PCI DSS does not require a merchant to hold card data at all, and the simplest way to satisfy Requirement 3 (protect stored
cardholder data) is to keep none on your own servers: storing full card numbers brings your database, backups and logs into
scope, and storing sensitive authentication data (CVV2, full magnetic-stripe data, PIN) after authorization is prohibited
outright. I just spoke to the gateway tech support and learned that this is fairly easy to accomplish by using
the gateway to store the client credit card information for future use. The gateway stores the information and
the merchant's program accesses the data via a token. We recommend our Cocard gateway with the
Customer Vault feature.
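The vault flow just described, as an added illustration that is not part of the original post and does not use Cocard's real API: a stand-in vault class plays the gateway, the merchant record keeps only the token, last four digits and expiry, and a scan over the merchant's serialized storage confirms that no Luhn-valid card number ended up there. The names MockCustomerVault, MerchantCustomerStore, contains_pan and the test card number 4111 1111 1111 1111 are all constructed for this example.

```python
import json
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check used to tell a real-looking PAN from an arbitrary digit run."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class MockCustomerVault:
    """Stand-in for a gateway customer vault (hypothetical; not Cocard's API).

    The PAN lives only here, on the gateway side. The merchant gets back an
    opaque token plus the non-sensitive display fields.
    """

    def __init__(self) -> None:
        self._cards: dict[str, dict] = {}

    def store_card(self, pan: str, exp_month: int, exp_year: int) -> dict:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        # Random token: unguessable and carrying no information about the PAN.
        token = "tok_" + secrets.token_urlsafe(18)
        self._cards[token] = {"pan": pan, "exp_month": exp_month, "exp_year": exp_year}
        return {"token": token, "last4": pan[-4:], "exp_month": exp_month, "exp_year": exp_year}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Repeat charge by token; the merchant never re-sends the PAN."""
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}


class MerchantCustomerStore:
    """What the merchant persists: token plus display fields, never the PAN."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def save(self, customer_id: str, vault_response: dict) -> None:
        # Copy only the fields we need, so an extra field in a future gateway
        # response can never leak card data into merchant storage.
        self.rows[customer_id] = {
            "token": vault_response["token"],
            "last4": vault_response["last4"],
            "exp_month": vault_response["exp_month"],
            "exp_year": vault_response["exp_year"],
        }


# Digit runs of PAN length that are not embedded in a longer number.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(blob: str) -> bool:
    """Scan serialized storage (a DB dump, a log file) for Luhn-valid PANs."""
    return any(luhn_ok(m) for m in _PAN_RE.findall(blob))


def merchant_storage_has_pan(store: MerchantCustomerStore) -> bool:
    """The check to run against what the merchant actually persists."""
    return contains_pan(json.dumps(store.rows))


def demo() -> tuple:
    """Tokenize once, store the token, charge later with the token only."""
    vault = MockCustomerVault()
    store = MerchantCustomerStore()
    # Constructed test PAN (the well-known Visa test number), not a real card.
    resp = vault.store_card("4111 1111 1111 1111", 12, 2030)
    store.save("cust-42", resp)
    receipt = vault.charge(store.rows["cust-42"]["token"], 1999)
    return store, receipt


if __name__ == "__main__":
    store, receipt = demo()
    print(json.dumps(store.rows, indent=2))
    print("merchant storage holds a PAN:", merchant_storage_has_pan(store))
    print("repeat charge approved:", receipt["approved"])
```

The same contains_pan scan is worth pointing at web-server and application logs as well as the database: a request body logged in full on an error path is the usual way a card number escapes the vault arrangement.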
There are six major categories within the standard established by the PCI Security Standards Council (PCI SSC), which are as follows:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Within these six categories are 12 requirements, each addressing a particular set of controls. Not all of them concern web
applications directly (Requirement 6, where 6.6 above lives, is the one that does), but a merchant is assessed against all 12:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security