PCI Compliance: A Necessary Headache
By Richard Wain On February 27, 2018 - Ecommerce Website, Hosting, Startup website
If you run an e-commerce site, you will probably have come across PCI DSS. If not, you will need to get acquainted with how it applies to your business. Basically, if you take card payments from your clients, regardless of whether you actually store their card details (or ever set eyes on a payment card), you are required to be PCI DSS compliant.
PCI DSS stands for Payment Card Industry Data Security Standard and it came about when the big card brands (AMEX, MasterCard. Visa, etc.) brought their individual security programs together over a decade ago.
At the time of writing, the current version of PCI DSS is 3.2
What type of payment method does your site use?
Your auditing and reporting responsibilities depend upon the type of payment service you provide. You won’t be able to escape the headache of getting PCI DSS compliant but choosing an option near the top of the list will at least save you from the migraine of maximum compliance.
- Offsite payment. This is where your payment gateway provider (Authorize.net, PayPal, SagePay, etc.) provides the payment form on their server. You simply pass the customer through to their site and receive them back after the payment has been checked and processed.
- Offsite payment via iFrame. This is essentially the same as offsite payment but the offsite payment form is viewed through a frame. Customers feel as if everything has happened on your site but your compliance requirements are still relatively light.
- Onsite payment. In this set-up, you host the payment form on your web-host’s servers. After your customer has entered their details, they are forwarded to the payment gateway provider for checking and processing. The customer gets a professional onsite experience but you are entering serious headache territory when it comes to compliance. For a start, your hosting provider will also need to be PCI DSS compliant to the appropriate level.
- Onsite payment with card storage. You masochist, you. Not only are you willing to be responsible for securing your customers’ payment data en route, you want to store their details for future use too.
Payment gateways have their own terminology for offsite and onsite payment solutions. For example:
Authorize.net use SIM (Server Integration Method) for offsite payments and AIM (Advanced Integration Method) for onsite payments.
PayPal use Web Payments Standard (offsite) and Web Payments Pro (onsite)
SagePay use Hosted (offsite); Hosted InFrame (offsite via iFrame) and Self-Hosted (onsite).
Understanding levels of PCI DSS compliance
In addition to the type of payment processing you do, your compliance requirements will be related to the number of transactions you carry out per year. Most e-commerce store owners will need Level 4 compliance only, but here is the full list:
- Level 1. 6 million or more transactions per year
- Level 2. 1 to 6 million transactions per year
- Level 3. 20,000 to 1 million transactions per year
- Level 4. Fewer than 20,000 transactions per year
Of course, it would be nice and easy if all the card companies agreed on and used these levels but they each run their own parallel system too. Fortunately it makes little practical difference to what you have to do.
PCI DSS Compliance: The nuts and bolts
PCI DSS sets out 12 requirements split into six ‘control objectives.’ The control objectives are, as follows:
Build and maintain a secure network and systems. Your requirements are to install and maintain a firewall to protect cardholder data (CHD) and to avoid using vendor-supplied passwords and security parameters.
Protect cardholder data. Here you need to protect stored data and encrypt data you are transmitting across public networks,
Maintain a vulnerability management program. You should protect your systems with appropriate anti-malware software and apply regular updates. You need to develop and maintain secure systems and applications.
Implement strong access control measures. This covers identification and authentication when accessing all components of your system and restricting both physical and virtual access to CHD.
Regularly monitor and test networks. You will need to monitor all access to resources and CHD. You will also need to test systems and processes on a regular basis.
Maintain an information security policy. This should cover all personnel who come into contact with CHD.
PCI DSS compliance in practice
In practice, PCI DSS compliance is a continuous process following a repeating cycle of assessment, remediation and reporting.
All e-commerce providers will start by filling in an annual self-assessment questionnaire (SAQ) which will help them to assess compliance and uncover gaps requiring remediation.
How do you know which one to fill in?
You can find this information out from your payment gateway provider or, if you only use one card service, their documentation. Each card brand and payment gateway approaches compliance in a different way. For example, a payment gateway may specify which ASV to use for system scanning purposes. Merchant fees will also vary depending on the type and level of e-commerce involved.
As a rule, where no card is present and you are carrying out offsite processing only, SAQ A is normally sufficient. For onsite processing (without card storage), SAQ C is required.
In addition, some merchants may need to submit to a periodic business audit, which will be carried out by a qualified security assessor (QSA) and/or a website and server scan, carried out by an approved security vendor (ASV).
To help you to apply fixes, the PCI Security Standards Council (PCI SSC) provides a six milestone ‘Prioritized Approach.’
The final stage is to report your progress to your payment gateway or card services provider following the method they outline.
Yes, PCI compliance is not the most fun part of running an e-commerce store. Then again, neither is waking up one morning to find out that your customers’ details have been stolen and you are facing a non-compliance fine with several zeros on the end.
Now that really would cause you a severe headache!