Amgraf meets the standard requirements of the Payment Card Industry Data Security Standard (PCI DSS) for safe online shopping. These requirements are meant to guarantee that secure environments are being maintained by any company that is processing, storing or transmitting credit card information. Amgraf is tested and certified as credit card safe on a quarterly basis by Security Metrics.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of demonstrating compliance via a Self-Assessment Questionnaire (SAQ).
Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.
Secure Sockets Layer (SSL) Server Data Encryption
Amgraf ensures safe Internet shopping by employing Netscape's technology called SSL or Secured Sockets Layer. SSL works by encrypting your order information so that it is not easily read by unauthorized persons.
What is an SSL Certificate?
At its most basic, an SSL Certificate is a piece of software that encrypts all information moving to and
from the Certificate holderís website. This means no exchange between the website and its visitors can
be intentionally or accidentally ďoverheardĒ by a third party, regardless of whether the visitor is placing
an order or just signing up for a newsletter.
Once a website visitor enters a secure area of an SSL-protected website, the following takes place:
- The visitorís browser requests a secure session from the server on which the website is stored.
- The server responds by sending the visitorís browser a digital copy of its server certificate.
- The visitorís browser verifies that the serverís certificate is valid, is being used by the website
for which it was issued, and has been issued by a Certificate Authority that the browser trusts.
- If the certificate is validated, the browser generates a one-time ďsessionĒ key and encrypts it
with the serverís public key.
- The visitorís browser sends the encrypted session key to the server so that both server and
browser have a copy.
- The server decrypts the session key using its private key.
- The SSL handshake process is complete, and a secure connection has been established.
- A padlock icon and https:// prefix appear in the visitorís browser bar, indicating that a
secure session is under way.
- Called the SSL handshake, this entire process takes place behind the scenes, providing an
uninterrupted experience for the site visitor.