Ecommerce Security Issues

1. The merchant is always responsible for security of the Internet-connected PC where customer details are handled. Virus protection and a firewall are the minimum requirement. To be absolutely safe, store sensitive information and customer details on zip-disks, a physically separate PC or with a commercial file storage service. Always keep multiple back-ups of essential information, and ensure they are stored safely off-site.

2. Where customers order by email, information should be encrypted with PGP or similar software. Alternatively, payment should be made by specially encrypted checks and ordering software.

3. Where credit cards are taken online and processed later, it’s the merchant’s responsibility to check the security of the hosting company’s webserver. Use a reputable company and demand detailed replies to your queries.

4. Where credit cards are taken online and processed in real time, four situations arise:

You use a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security. Other customer and order details are your responsibility as in 3. above.
You possess an ecommerce merchant account but use the digital certificate supplied by the hosting company. A cheap option acceptable for smallish transactions with SMEs. Check out the hosting company, and the terms and conditions applying to the digital certificate.
You possess an ecommerce merchant account and obtain your own digital certificate (costing some hundreds of dollars). Check out the hosting company, and enter into a dialogue with the certification authority: they will certainly probe your credentials.
You possess a merchant account, and run the business from your own server. You need trained IT staff to maintain all aspects of security — firewalls, Kerberos, SSL, and a digital certificate for the server (costing thousands or tens of thousands of dollars).

Security is a vexing, costly and complicated business, but a single lapse can be expensive in lost funds, records and reputation. Don’t wait for disaster to strike, but stay proactive, employing a security expert where necessary.
