Some security questions (payment processor requirements)

Hi all
I have been asked for some security requirements. I have a webpage that collects personal information and then goes to a page using an SSL certificate and https that connects to a payment processor. What do these questions mean, are they my problem and how can I implement the requirements?

  1. To protect the information the WEB page must be a secure page protected against viruses, and have firewall or similar cut off systems. Antivirus must be updated regularly (McAfee is suggested). (is this talking about my server?)
  2. The card holder info must travel via a VPN or virtual private network
  3. The information must be encrypted with high level software. AES (American Encryption Standard) is recommended.

  1. Yes - it is about your server. “Secure page” is a very abstract and theoretical thing - basically they are saying that you are liable for any security breach that happens due to your server/script.
  2. Depending on setup it means that you will have to set up a special channel (VPN) to the payment processing gateway (if I understand the circumstances correctly)
  3. It means that any client data (or at least any client data that has to do with payment processing) has to be encrypted with an approved algorithm.

P.S. (“A” in AES stands for Advanced, not American :wink: )
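Point 3 in the reply above (client data encrypted with an approved algorithm such as AES) is the one a site owner has to implement in their own code, so here is an added example of what that looks like in practice; it is not code from either poster. It assumes Go's standard library only, uses AES-256 in GCM mode so that the stored value is both confidential and tamper-evident, and binds each sealed record to an order id so that a ciphertext copied onto a different order fails to decrypt. The cardholder string, the order ids and the key are constructed sample values; in a real deployment the key comes from a key-management service or HSM, never from the web server's source tree or database.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// keyLen of 32 bytes selects AES-256 (assumption: 256-bit keys are what the
// processor's "high level" wording is taken to mean).
const keyLen = 32

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here: the order id) is authenticated but not encrypted, so a sealed
// value that is moved onto a different order will not open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad makes
// gcm.Open return an error instead of corrupted plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// SelfCheck seals a constructed cardholder field under a constructed order id
// and verifies the three properties an auditor will ask about: it decrypts
// back, a flipped tag bit is rejected, and a different order id is rejected.
func SelfCheck(key []byte) error {
	plaintext := []byte("cardholder=J. Doe;last4=4242") // constructed sample
	aad := []byte("order-0001")                         // constructed sample

	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		return err
	}
	got, err := Open(key, sealed, aad)
	if err != nil || !bytes.Equal(got, plaintext) {
		return errors.New("round trip failed")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, tampered, aad); err == nil {
		return errors.New("tampered ciphertext was accepted")
	}
	if _, err := Open(key, sealed, []byte("order-0002")); err == nil {
		return errors.New("ciphertext accepted under the wrong order id")
	}
	return nil
}

func main() {
	key := make([]byte, keyLen) // constructed: a real key comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if err := SelfCheck(key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, []byte("cardholder=J. Doe;last4=4242"), []byte("order-0001"))
	fmt.Println("sealed record:", base64.StdEncoding.EncodeToString(sealed))
}
```

This covers data the site itself stores or forwards; the https link to the processor already protects the data in transit, and whether a VPN is additionally required (point 2) is a question for the processor, not something this code answers.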