PCI DSS Compliance and Your Pay Site
YNOT – PCI DSS is an acronym for Payment Card Industry Data Security Standard. It was released in December 2004 by the major card brands to reduce card fraud by setting baseline security requirements for anyone who stores, processes or transmits cardholder data.
In September 2006, the standard was updated from version 1.0 to 1.1 with minor revisions. It was revised again in late 2008 (version 1.2). At the time of writing, the most recent version is PCI DSS 2.0, released in October 2010.
PCI DSS compliance is not an option — it is required of any site that accepts credit cards as a form of payment, and a site that accepts cards must implement specific security controls in order to comply. The most common reasons sites fail include unnecessary open ports on a server, firewall holes, non-standard applications and applications that have not been patched to their latest and most secure versions.
If the owner of a site that accepts credit cards cannot prove the site meets PCI DSS requirements, he may lose his merchant account, and therefore his ability to process credit cards as a form of payment.
Sites and payment service providers must validate their compliance periodically, and how they validate depends on their merchant level, which the card brands set by annual transaction volume. The largest merchants (Level 1, more than six million transactions a year under the Visa and Mastercard programs) must have an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance for the merchant’s acquiring bank. Smaller merchants validate with a standardized Self-Assessment Questionnaire (SAQ). Separately from either, quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) whenever the merchant’s SAQ type calls for them; a QSA assessment and an ASV scan are different things, and the scan alone does not establish compliance.
Do I need to be compliant even if I don’t collect credit card data?
The short answer is “yes.” Whether you offer a shopping cart, membership or video-on-demand site, if your site charges fees for goods or services you probably need to be compliant. Gateway payment processors and third-party billers can help, but if any customer information is handed off between your site and theirs, you may be liable for large fines if your site is insecure. Sites that process, store or even transmit payment card data must be PCI DSS compliant. Card-brand fines for a breach at a non-compliant merchant have been reported as high as $500,000 per incident.
A prime example of what can happen if you fail to implement or adhere to PCI DSS occurred in March 2007, when TJX Companies Inc., owner of T.J. Maxx and Marshalls, faced more than a dozen class action lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces over what was at the time called the single largest data breach in U.S. history.
In regulatory filings with the U.S. Securities and Exchange Commission, TJX revealed that its computer systems had been penetrated by one or more intruders as early as July 2005, but that the company did not discover the breach until December 2006. During that time, at least 45.7 million credit and debit cards were compromised, the company stated.
Initially, the cost of the breach was estimated at about $118 million. With legal fees and regulatory fines included, estimates of the total cost run to more than $1.35 billion.
How can I make sure I’m PCI DSS compliant?
The simplest way to cover the external scanning part of PCI DSS is to use an Approved Scanning Vendor (ASV) such as McAfee Secure. McAfee Secure offers a program that costs $319 annually for four domains and scans your servers from the outside for the vulnerabilities the standard cares about; because it is an ASV, its scan reports are the ones your acquirer expects to see for the quarterly external scan requirement. Keep in mind that a passing scan covers only what is visible from the internet. The remaining requirements (network segmentation, access control, logging and monitoring, documented policies) are validated through your Self-Assessment Questionnaire or, for large merchants, a QSA’s on-site assessment.
Remember: Any server that plays any role in payment processing must be PCI DSS compliant. This may include:
- NATS or other back-end servers that transmit information to a gateway processing service.
- Pages, served over HTTPS, on which customers enter their card information.
- Any processes that transmit payment information to another server (as in the case of cross-selling).
How does PCI DSS scanning work?
PCI DSS compliance scans probe your servers from the outside for insecure points through which attackers might be able to get in: open ports, outdated software versions and known web application flaws. Services and software exist to perform this function, but be aware: PCI DSS scans can affect your website statistics, as scanners request pages (including ones that do not exist) every day. You may notice an increase in 404 errors or other odd stats. Scanning vendors publish the source addresses their scanners use, so it is a good idea to isolate hits from those addresses within your stats program in order to eliminate confusion; do not simply block them, or the scan will fail.
In order to be PCI DSS compliant, it is vital to maintain absolute control over your server. Be sure your server is either dedicated or co-located (owned and managed by you but located in someone else’s “server farm”). On a shared server you cannot control other tenants’ code or the host configuration, so you cannot demonstrate the isolation the standard requires.
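Separating scanner traffic from real visitors is easier in the raw access log than in a stats dashboard. The following is an added example, not code from the article or from any scanning vendor: it parses a few constructed Apache/nginx combined-format log lines and tallies HTTP status codes separately for visitors and for a scanner. The scanner range 203.0.113.0/24 is a documentation-only placeholder; in practice you substitute the source ranges your scanning vendor publishes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx "combined" format. The
# 203.0.113.0/24 range (TEST-NET-3, documentation only) stands in for a
# scanner's published source addresses; 198.51.100.x stands in for visitors.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2011:13:55:36 +0000] "GET /join.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2011:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.10 - - [10/Mar/2011:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "scanner"
198.51.100.9 - - [10/Mar/2011:13:56:02 +0000] "POST /signup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2011:13:56:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512 "-" "scanner"
198.51.100.7 - - [10/Mar/2011:13:57:00 +0000] "GET /missing.jpg HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Placeholder scanner ranges. A real list comes from the scanning vendor's
# documentation and should be kept current.
SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def is_scanner(ip: str) -> bool:
    """True if the client address falls in any known scanner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def split_status_counts(log_text: str) -> dict:
    """Return {'visitors': Counter, 'scanner': Counter} of status codes."""
    buckets = {"visitors": Counter(), "scanner": Counter()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        bucket = "scanner" if is_scanner(m["ip"]) else "visitors"
        buckets[bucket][int(m["status"])] += 1
    return buckets


if __name__ == "__main__":
    for name, counts in split_status_counts(SAMPLE_LOG).items():
        print(name, dict(sorted(counts.items())))
```

On the sample, all three scanner requests are 404s while visitors produced a single 404, which is the distinction a stats report loses when both are counted together. Run the same filter against a real log to confirm that a jump in 404s lines up with the scanner's addresses before treating it as a site problem.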
Another item to keep in mind is that if you are running a program like NATS, which hosts a pre-payment form that requires customers to enter some personal information (like name, country and email), it is prudent to secure that server as well. Because your NATS server hosts the pre-payment form and this form passes information to a payment gateway, an attacker who compromises that server can intercept or tamper with what your customers submit and with what is handed to the gateway, and both you and the gateway could be liable for any breach that results.
It is always best to protect yourself by making sure any server that accepts any information in the payment process is secure. If you are curious whether your payment gateway is PCI DSS compliant, you may download Visa’s list of compliant service providers (PDF).
PCI DSS compliance is a necessary part of processing credit cards online and cannot be taken lightly. Hackers always are looking for vulnerabilities to exploit. Make sure your payment process is PCI DSS compliant and protect your business.
Claudio Lai is the owner of Integration Mind (http://www.integrationmind.com/), a provider of customized billing development and integration. The company has specialized in developing custom billing solutions for the web for more than 10 years.