Payment Card Industry standards now "govern" your minimum requirements for security when it comes to accepting credit cards- online or offline. Most, if not all, major credit cards require certification. Your merchant account company will, if they haven't already, inform you of this.
To get compliant, a PCI Scanning vendor is hired (by you or your merchant account company) to scan your website and web server for vulerabilities such as SQL Injection and Cross-Site Scripting. If you pass, you are issued a certificate you will need to send to your merchant account company. Annual, Quarterly and possibly daily scanning may be required depending on the voume of transactions you process. A self-assesment questionaire is used to determine if you are required (almost for sure you will be required if you do business online).
Often times, your merchant account provider will pre-negotiate the fee with their "preferred vendor" and automatically charge you for this. Thus, you may have already paid for the service. If you are not compliant you will pay a fee. Contact you merchant account support desk or sale representative for more details.
At EPhost, we are already taking steps to ensure our dedicated server customers have SSL security which is often flagged as a vulnerability when a PCI Scan is run against the website and server. However, it is up to you to make sure your website becomes certified. This MAY mean that additional programming ($$$) is needed to close any vulnerabilities before you will pass. We do not warrenty our servers for any particular use.
Please keep in mind that a PCI scan doesn't necessary cover the entire gammut of vulnerabilities. Additional, high-level scanning may be warrented if you have concerns about your data and/or liabilities. Also keep in mind that a higher-level scan product doesn't mean that it is valid for PCI Certification.
