If your business accepts credit card payments, it must be Payment Card Industry (PCI) compliant. The way you handle that data is now governed by Payment Card Industry Data Security Storage Standards (PCI DSS), not as a matter of law, but as part of your contract with the credit card companies whose cards you accept. Inc.com’s Minda Zetlin outlines the latest requirements in "What New PCI Standards Mean to You":
- WEP is disallowed.
- All systems "commonly affected" by malware must run anti-malware software.
- Application firewalls are mandatory for Web applications.
- Logs must be saved for a year.
- New-user passwords must be changed.