Skip to main content

What is PCI-DSS?

Critical Reading about E-Commerce & Credit Cards

Security Standards Background

PCI is an abbreviation for the Payment Card Industry Security Standards Council, an organization made up of payment card providers that sets the security standards and requirements for merchants and merchant account providers.
PCI-DSS refers to the PCI Data Security Standards which was created by the Council to reduce payment card fraud. These standards form part of the merchant agreement signed by every merchant who accepts any type of payment card (credit, debit, etc.) directly, by telephone, or online. Both the level of security required by the standards and the consistency of enforcement of those standards have increased in recent years. There are clear indications that the standards will continue to be tightened in the coming years.

As of December 31/07, all merchants must adhere to PCI Data Security Standards - or face substantial fees, fines, and penalties. These fees, fines, and penalties were originally created by Visa, MasterCard, American Express, etc. as a deterrent to large financial institutions like Banks.

The Banks, however, have amended their merchant agreements to pass these fees, fines, and penalties on to merchants. The amounts in question are very high, and can be especially damaging for smaller merchants.

If you have an online store (or are advising clients who do) you need to know what it takes to be PCI DSS compliant. Make sure you have (or advise your clients to have) the following:
  • The right website software configuration *
  • The right network configuration in your office, and
  • The right business processes in place.
Familiarize yourself with the PCI-DSS requirements and encourage your clients to do the same. The chart below is taken directly from the PCI Security Standard. To help you better understand what you need to focus on, in the top row we have indicated which areas of the standard are addressed by a PCI-DSS compliant software, and which are the responsibility of the merchant or website owner.

Note: using an e-commerce gateway (like BeanStream or Authorize.net), may reduce your risk; however, a number of the following requirements still apply. Similarly, the website software you use (like Bistro) can help you meet the requirements on the website side of things, but there are many requirements that only you (or your client) can meet.

Responsibility
Website Software
Bistro
Office
Network
YOU
Business Process
YOU
 Notes

Build and Maintain a Secure Network
Requirement 1:
 Install and maintain a firewall configuration to protect cardholder data
X
Required for all computers on the network where cardholder data is stored
Requirement 2:
 Do not use vendor-supplied defaults for system passwords and other security parameters
X


Protect Cardholder Data
Requirement 3:
 Protect stored cardholder data
 X
 X
 X
 Includes protecting all digital and printed copies of cardholder data
Requirement 4:
 Encrypt transmission of cardholder data across open, public networks
 X
 X
Critical if wireless networks are being used

Maintain a Vulnerability Management Program
Requirement 5:
 Use and regularly update anti-virus software
X
 X
 Required for all computers on the network where cardholder data is stored

Requirement 6:
Develop and maintain secure systems and applications
 X
 X
 X
Includes process for ensuring software is up-to-date

Implement Strong Access Control Measures
Requirement 7:
 Restrict access to cardholder data by business need-to-know
 X
 X
 X

Requirement 8:
Assign a unique ID to each person with computer access
 X
 X
 X
Requirement 9:
 Restrict physical access to cardholder data

X
Includes locks on cabinets, restricted access to backups, etc.

Regularly Monitor and Test Networks
Requirement 10:
 Track and monitor all access to network resources and cardholder data

 X
 X

Requirement 11:
 Regularly test security systems and processes

X
 Typically documented quarterly tests are required

Maintain an Information Security Policy
Requirement 12:
 Maintain a policy that addresses information security

X


Based on the terms of your merchant agreements, any organization that accepts credit card transactions by any means (online, telephone, or in person) must be in compliance with these standards. In practice, Visa and Mastercard are starting where their experience shows the highest risk level - putting e-commerce at the top of the list.

Example Scenario:

Bob's Widgets sells widgets in an online store, has a reasonably secure set of business procedures, and only sells about $15,000 worth of widgets each year.

A customer buys a product from Bob's online store using a credit card that was also used at another online store that sells dongles.

Unknown to Bob's, the credit card number was compromised at the previous online store (the dongle store)

At this point, Visa has to do a forensic audit of the merchants (Bob's widget store, and the dongle store) to figure out what went wrong. Visa charges the banks of both stores for the cost of the audit, and the banks pass those fines on to the store owners.

Bank audit charges generally start at about $50,000

A VISA-authorized auditor visits Bob and completes a review of Bob's network, and finds that although Bob's systems are good, he hasn't run a review and test in the last quarter, and the auditor finds him "non-compliant" with PCI DSS standards (see requirement 11 above). Bob is then fined and labeled a "High Risk" merchant.

Direct fines to merchants generally start at about $30,000, and "High Risk" merchants are subject to increased merchant fees on each transaction because of the "High Risk" status.

In this case, Bob is now faced with $80,000 in fines, and has been labeled "High Risk" even though his company didn't cause the issue.

Even if he had been 100% PCI DSS compliant, he would still be subject to the $50,000 fine passed on by the bank (in the fine print of the merchant agreement he signed), but he would have avoided the additional $30,000 fine and the High Risk status.

Since Bob is a small business owner, he likely signed a personal guarantee on his merchant agreement, and his home is likely on the line if he can't pay the fine.

Additional Resources

PCI Security Standards Council:
https://www.pcisecuritystandards.org

The full PCI Specification can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

There is a self-assessment questionnaire that you can use to evaluate your business here:
https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc

We highly recommend that you take the time to complete the questionnaire
Labels:

Comments

Post a Comment

Popular posts from this blog

Website Usability and Web Accessibility

Why are Usability and Accessibility Important? The web design and development industry has undergone a number of radical shifts over the last few years - in fact, many industry experts claim that it is the most rapidly changing industry in the world. What these changes have led to though, is increased potential - "anything is possible". The inevitable side effect of this is that software and web sites have become so feature-rich and complex that they are practically impossible to use.   This matters to individual website owners because, if they are not careful, their website project or website content management solution can easily suffer functional overkill. When launching a web design project, be sure to ask yourself and your web site vendor the following questions: How does your software meet accessibility standards? How do you implement usability best practices? Can users with disabilities use my website? How readable will my website be by visitors...
Post a Comment
Read more

Keeping Web Design Alive

Staying Competive in Changing Markets There are a lot of forces impacting the business of web design today: from do-it-yourself software packages that allow anyone to build a website, to the proliferation of Software as a Service (SaaS) models that offer template websites for a low monthly fee. In effect, what is now happening to the business of website design is the same thing that has occurred in the hosting industry over the past few years. The big players are becoming massive through consolidation, while the smaller players are being absorbed or gradually squeezed out of the marketplace entirely. And everyone is caught up in a mad dash for that last, rapidly shrinking dollar. Similar forces are being brought to bear on website design. It is no longer enough to have the best creative talent and a killer portfolio. You must offer a complete package of design and functionality...and do it faster and more economically than ever before, just to remain competitive. The...
Post a Comment
Read more

RFP Guidelines

An Introduction to Writing RFPs A Request for Proposal is a crucial stage of the client/supplier relationship. Guidelines for an RFP are only now starting to become standard in the relatively new industry of web-related technologies. However, an RFP can help establish a line of communication and clarify the needs and requirements of your development project. This document can help you create a RFP. The proposal that Lewis Media and other proponents will prepare in response will attempt to cover, in detail, the time line, scope, technical requirements, and budget of the project. Therefore, the initial RFP should be as detailed and clear as possible; any budget limitations and time constraints should be initially established. This will help us all be on the same playing field from Day 1. Often a client can be daunted by a perceived need to approach a RFP from a technical perspective. An RFP should define your needs - Lewis Media will then interpret these needs into te...
Post a Comment
Read more