SRO Hosting merchant web site PCI Compliance This is a statement of PCI compliance by SRO Hosting, a secure hosting services provider. Where SRO is the host and developer/maintainer of customer transaction processing code, SRO assures that order processing components meet or exceed the following standards: Merchant site customers enter card data only on SSL secure web pages utilizing minimum 1024-bit RSA encryption. Cardholder data is never saved unencrypted on the web server. Data is not stored prior to encryption in any database or temporary file and there is no persistent cache or session data associated with signup transactions. When stored in a database or transmitted electronically, cardholder data is first encrypted on-the-fly using 2048-bit GPG (or other industry standard) private key encryption. When transmitting encryted data via https or email, transmission utilizes minimum 1024-bit RSA encrypted SSL connections. Temporary storage of encrypted messages is restricted to locations accessible only to privilege isolated server components. Web servers are hosting in a locked cage with limited physical access and are firewall protected against unauthorized access. Authorized network access to merchant accounts is limited to secure connections from known administrative users at known, static IP addresses. SRO Hosting maintains a local and network security policy with regular audits to assure the security of server components, accounts and account data. SRO periocally audits commerce customer's site code to validate compliance of both SRO and third party software components. Network Security is a dynamic process. While the information presented here is accurate, it is by necessity generic and we ask that you please contact SRO Hosting for site or component specific compliance details.