What is the level of security needed to accept card payments over the Internet?

Our minimum security requirements are as follows:

All transactions containing card information should be transmitted over the Internet in encrypted form, either using the SSL (Secure Sockets Layer) protocol, currently with a minimum effective symmetric key length of 128 bits, or a protocol employing similar encryption algorithms and key lengths that provide similar or greater strength than SSL. This measure should be adopted not only when the transaction details are being passed from the cardholder to the web server, but also from the web server to the merchant, if this takes place directly over the Internet.
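As an added illustration (not Barclaycard's own code), the check below audits a server-side TLS configuration against the 128-bit minimum stated above. It uses OpenSSL's effective strength (`strength_bits`) rather than the nominal key size, which is what "effective symmetric key length" means in practice: 3DES carries a 168-bit key but only 112 bits of strength, and export-grade suites carry a 128-bit key but only 40 bits. The TLS 1.2 floor and the cipher string are assumptions of this example, not requirements taken from this page.

```python
import ssl

# Minimum effective symmetric key length stated in the requirement above.
MIN_SYMMETRIC_BITS = 128


def weak_ciphers(ciphers, minimum_bits=MIN_SYMMETRIC_BITS):
    """Return names of suites whose effective strength is below minimum_bits.

    `ciphers` is a list of dicts shaped like ssl.SSLContext.get_ciphers()
    output; only the 'name' and 'strength_bits' keys are used here.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < minimum_bits]


def payment_server_context():
    """Build a server-side TLS context that offers only >= 128-bit suites.

    Assumption (not from the page): TLS 1.2 as the protocol floor and an
    ECDHE/AEAD-only cipher string; adapt both to your own written policy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx):
    """Return the weak suite names a context would still offer ([] = compliant)."""
    return weak_ciphers(ctx.get_ciphers())


# Constructed sample of cipher entries (name and strength_bits as OpenSSL
# reports them) to show why nominal key size is not the right measure.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "alg_bits": 128, "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "alg_bits": 168, "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "alg_bits": 128, "strength_bits": 40},
]

if __name__ == "__main__":
    print("weak in sample:", weak_ciphers(SAMPLE_CIPHERS))
    print("weak in hardened context:", audit_context(payment_server_context()))
```

A context that passes `audit_context` still needs a certificate and key loaded before it can serve; the audit only covers the cipher suites on offer.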

Any servers that process transactions containing card information originating from the Internet should not be exposed directly to the Internet. These servers should be placed in a secure domain by means of internal network partitioning, with connectivity to the Internet protected by firewall technology. Additional internal network partitioning should be provided between the server(s) that process transactions containing card information and the connectivity to the Barclaycard host where automated settlement and/or authorisation transactions are to be generated.

It is recognised that differing network protocols provide effective barriers between domains; these should be considered either as alternatives or as complements to physical barriers. You are responsible for protecting card data and may be liable for card scheme fines or penalties that result from a breach of your security.

For further information on scheme requirements for protecting card data please visit our Payment Card Industry Data Security Standard (PCI DSS) web page.