PCI Compliance and Customer Data Protection

PCI DSS requirements vary based on your merchant level — which is determined by the number of card transactions you process annually. Level 4 merchants (fewer than 20,000 Visa e-commerce transactions or up to 1 million total transactions) typically satisfy requirements through a Self-Assessment Questionnaire (SAQ) and quarterly network vulnerability scans. Larger merchants require assessments by a Qualified Security Assessor (QSA). Regardless of level, all merchants must protect cardholder data through network segmentation, access controls, encryption in transit, and patch management — and must maintain the evidence that demonstrates these controls are in place. Vigil Cyber helps merchants understand their specific SAQ type, implement required controls, and maintain the documentation their acquiring bank requires.

POS malware infections most commonly occur through three vectors. First, remote access exploitation: many POS systems are remotely managed by IT vendors or point-of-sale providers using tools like Remote Desktop Protocol (RDP), VNC, or proprietary remote access software. Weak or reused passwords on these connections allow attackers to log in directly and install malware. Second, phishing targeting management accounts: corporate email credentials or POS management portal passwords obtained through phishing give attackers the access they need to push malware to store systems. Third, compromised third-party vendors: a breach at a POS software vendor, payment processor, or IT service provider can cascade into customer environments through the same remote access channels vendors use for legitimate support. Vigil Cyber addresses all three vectors through credential monitoring, email security, and remote access hardening.

A Magecart attack involves injecting malicious JavaScript into your e-commerce checkout page that silently captures payment card data and sends it to attacker-controlled servers. These scripts are typically inserted through compromised third-party JavaScript libraries, vulnerable e-commerce plugins, or direct access to your site's codebase through compromised admin credentials. They are designed to be invisible to the customer and difficult to detect without specific monitoring tools. Signs that warrant investigation include unexplained changes to JavaScript files, new third-party script domains in your Content Security Policy violations, or reports from customers of fraudulent charges following purchases on your site. Vigil Cyber provides file integrity monitoring and Content Security Policy enforcement that detects unauthorized script changes before significant cardholder data exposure occurs.

GDPR applies based on where your customers are located, not where your business is located. If your e-commerce site accepts orders from customers in EU member states, you are processing EU personal data and GDPR obligations apply — regardless of whether you have any physical presence in Europe. This includes the requirement to have a lawful basis for processing, to honor data subject rights requests, and to notify supervisory authorities within 72 hours of discovering a personal data breach. The practical threshold for most retailers is whether you actively market to or accept orders from EU customers. If you do, a basic GDPR compliance posture — including privacy notices, a data processing register, and breach response procedures — is appropriate. Vigil Cyber helps retailers build a compliance program that addresses both U.S. state privacy laws and GDPR obligations.