PCI 1.2文档刚刚发布。它给出了一个如何实现PCI合规性和需求的过程。你可以在这里找到完整的文档:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

长话短说，为专门存储CC信息的服务器(通常是DB服务器)创建一个单独的网段。尽可能地隔离数据，并确保只存在访问数据所需的最小访问权限。存储时加密。不要存储PAN。清除旧数据并旋转加密密钥。

不该做的事:

不要让可以在数据库中查找一般信息的同一个帐户查找CC信息。 不要把你的CC数据库和你的web服务器放在同一个物理服务器上。 不要允许外部(Internet)流量进入CC数据库网段。

Dos示例:

使用单独的数据库帐户查询CC信息。 禁止通过防火墙/access-lists访问CC数据库服务器 将CC服务器的访问限制为一组有限的授权用户。

As others have mentioned the easiest way into this area is with the use of Paypal, Google checkout or Nochex. However if you intend to to a significant amount of business you may wish to look up "upgrading" to higher level site integrations services such as WorldPay, NetBanx (UK) or Neteller (US). All of these services are reasonably easy to set up. And I know that Netbanx offers convenient integration into some of the off the shelf shopping cart solutions such as Intershop (because I wrote some of them). Beyond that you are looking at direct integration with the banking systems (and their APAX systems) but thats hard and at that point you also need to prove to the Credit card companies that you are handling the credit card numbers securely (probably not worth considering if you are not taking $100k's worth per month).

从第一个到最后一个的成本/好处是，早期的选择更容易(更快/更便宜)设置，让你为每笔交易支付相当高的手续费。后期的设置成本要高得多，但从长远来看你付出的更少。

大多数非专用解决方案的另一个优点是，您不需要保持加密的信用卡号码的安全。那是别人的问题:-)

Keep in mind that using SSL to send a card number from a browser to a server is like covering your credit card number with your thumb when you hand your card to a cashier in a restaurant: your thumb (SSL) prevents other customers in the restaurant (the Net) from seeing the card, but once the card is in the hands of the cashier (a web server) the card is no longer protected by the SSL exchange, and the cashier could be doing anything with that card. Access to a saved card number can only be stopped by the security on the web server. Ie, most card thefts on the net aren't done during transmission, they're done by breaking through poor server security and stealing databases.

一定要了解PCI所需的额外工作和预算。PCI可能需要巨额的外部审计费用和内部努力/支持。此外，要注意可能单方面对你征收的罚款/处罚，通常与“违法行为”的规模不成比例。

不久前，我在一家公司工作时经历了这个过程，我打算很快在自己的公司再经历一次。如果你有一些网络技术知识，它真的没有那么糟糕。否则，你最好使用Paypal或其他类型的服务。

The process starts by getting a merchant account setup and tied to your bank account. You may want to check with your bank, because a lot of major banks provide merchant services. You may be able to get deals, because you are already a customer of theirs, but if not, then you can shop around. If you plan on accepting Discover or American Express, those will be separate, because they provide the merchant services for their cards, no getting around this. There are other special cases also. This is an application process, be prepared.

接下来，您需要购买一个SSL证书，当信用卡信息通过公共网络传输时，您可以使用它来保护您的通信。有很多供应商，但我的经验法则是选择一个在某种程度上是品牌名称的供应商。你对他们的了解越深，你的客户对他们的了解就越深。

Next you will want to find a payment gateway to use with your site. Although this can be optional depending on how big you are, but majority of the time it won't be. You will need one. The payment gateway vendors provide a way to talk to the Internet Gateway API that you will communicate with. Most vendors provide HTTP or TCP/IP communication with their API. They will process the credit card information on your behalf. Two vendors are Authorize.Net and PayFlow Pro. The link I provide below has some more information on other vendors.

Now what? For starters there are guidelines on what your application has to adhere to for transmitting the transactions. During the process of getting everything setup, someone will look at your site or application and make sure you are adhering to the guidelines, like using SSL and that you have terms of use and policy documentation on what the information the user is giving you is used for. Don't steal this from another site. Come up with your own, hire a lawyer if you need to. Most of these things fall under the PCI Data Security link Michael provided in his question.

If you plan on storing the credit card numbers, then you better be prepared to put some security measures in place internally to protect the info. Make sure the server the information is stored on is only accessible to members who need to have access. Like any good security, you do things in layers. The more layers you put in place the better. If you want you can use key fob type security, like SecureID or eToken to protect the room the server is in. If you can't afford the key fob route, then use the two key method. Allow a person who has access to the room to sign out a key, which goes along with a key they already carry. They will need both keys to access the room. Next you protect the communication to the server with policies. My policy is that the only thing communicating to it over the network is the application and that information is encrypted. The server should not be accessible in any other form. For backups, I use truecrypt to encrypt the volumes the backups will be saved to. Anytime the data is removed or stored somewhere else, then again you use truecrypt to encrypt the volume the data is on. Basically where ever the data is, it needs to be encrypted. Make sure all processes for getting at the data carries auditing trails. use logs for access to the server room, use cameras if you can, etc... Another measure is to encrypt the credit card information in the database. This makes sure that the data can only be viewed in your application where you can enforce who sees the information.

我使用pfsense作为防火墙。我用一个小型闪存卡运行它，并设置了两个服务器。一个是冗余故障转移。

我发现了Rick Strahl的一篇博客文章，它极大地帮助我理解电子商务，以及通过web应用程序接受信用卡。

这是一个很长的答案。我希望这些建议能有所帮助。

PCI 1.2文档刚刚发布。它给出了一个如何实现PCI合规性和需求的过程。你可以在这里找到完整的文档:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

长话短说，为专门存储CC信息的服务器(通常是DB服务器)创建一个单独的网段。尽可能地隔离数据，并确保只存在访问数据所需的最小访问权限。存储时加密。不要存储PAN。清除旧数据并旋转加密密钥。

不该做的事:

不要让可以在数据库中查找一般信息的同一个帐户查找CC信息。 不要把你的CC数据库和你的web服务器放在同一个物理服务器上。 不要允许外部(Internet)流量进入CC数据库网段。

Dos示例:

使用单独的数据库帐户查询CC信息。 禁止通过防火墙/access-lists访问CC数据库服务器 将CC服务器的访问限制为一组有限的授权用户。