eCommerce Kung Fu

OK, so it's a bit of a dull subject, so I'll keep it brief, but it's a very serious one for anyone who is transacting online:


For those not aware, PCI DSS stands for the 'Payment Card Industry Data Security Standard'. It was set up by Visa and Mastercard, and compliance ensures the security and protection of sensitive customer information (like credit card details).


The issue is not about having a secure website with an SSL certificate (you need one of those too); it's the availability of sensitive information that could be used for fraudulent activity. This covers anyone who has access to the data, from the web agency that maintains the website (and can therefore access the database) to the customer service rep who has taken a telephone order! An example we sometimes cite is ordering over the telephone when the conversation is recorded 'for training purposes'. That recording contains your confidential card details, and if an unauthorised person can get at it, your data can be used for fraud.


As you can imagine, when looked at in granular detail, it's a minefield. The key points of the PCI DSS require merchants and service providers to:


- build and maintain a secure network
- protect cardholder data
- maintain a vulnerability management programme
- implement access control measures
- maintain an information security policy


The deadline has come and gone, and merchants who are not compliant not only face hefty fines but will also no longer be able to accept Visa or Mastercard (the two organisations behind this standard).


So if you run an ecommerce website (or indeed any retail operation), get yourself audited (http://pci.evolve-online.com) and make sure that your agency/ecommerce provider is also PCI compliant.

Published Aug 14 2009, 12:03 PM by FADI SHUMAN
About this blog

eCommerce Kung Fu
Fadi Shuman, Co-Founder of London & New York based creative digital agency Pod1, blogs about eCommerce for Revolution