Skip to main content

What is PCI-DSS?

Critical Reading about E-Commerce & Credit Cards

Security Standards Background

PCI is an abbreviation for the Payment Card Industry Security Standards Council, an organization made up of payment card providers that sets the security standards and requirements for merchants and merchant account providers.
PCI-DSS refers to the PCI Data Security Standards which was created by the Council to reduce payment card fraud. These standards form part of the merchant agreement signed by every merchant who accepts any type of payment card (credit, debit, etc.) directly, by telephone, or online. Both the level of security required by the standards and the consistency of enforcement of those standards have increased in recent years. There are clear indications that the standards will continue to be tightened in the coming years.

As of December 31/07, all merchants must adhere to PCI Data Security Standards - or face substantial fees, fines, and penalties. These fees, fines, and penalties were originally created by Visa, MasterCard, American Express, etc. as a deterrent to large financial institutions like Banks.

The Banks, however, have amended their merchant agreements to pass these fees, fines, and penalties on to merchants. The amounts in question are very high, and can be especially damaging for smaller merchants.

If you have an online store (or are advising clients who do) you need to know what it takes to be PCI DSS compliant. Make sure you have (or advise your clients to have) the following:
  • The right website software configuration *
  • The right network configuration in your office, and
  • The right business processes in place.
Familiarize yourself with the PCI-DSS requirements and encourage your clients to do the same. The chart below is taken directly from the PCI Security Standard. To help you better understand what you need to focus on, in the top row we have indicated which areas of the standard are addressed by a PCI-DSS compliant software, and which are the responsibility of the merchant or website owner.

Note: using an e-commerce gateway (like BeanStream or Authorize.net), may reduce your risk; however, a number of the following requirements still apply. Similarly, the website software you use (like Bistro) can help you meet the requirements on the website side of things, but there are many requirements that only you (or your client) can meet.

Responsibility
Website Software
Bistro
Office
Network
YOU
Business Process
YOU
 Notes

Build and Maintain a Secure Network
Requirement 1:
 Install and maintain a firewall configuration to protect cardholder data
X
Required for all computers on the network where cardholder data is stored
Requirement 2:
 Do not use vendor-supplied defaults for system passwords and other security parameters
X


Protect Cardholder Data
Requirement 3:
 Protect stored cardholder data
 X
 X
 X
 Includes protecting all digital and printed copies of cardholder data
Requirement 4:
 Encrypt transmission of cardholder data across open, public networks
 X
 X
Critical if wireless networks are being used

Maintain a Vulnerability Management Program
Requirement 5:
 Use and regularly update anti-virus software
X
 X
 Required for all computers on the network where cardholder data is stored

Requirement 6:
Develop and maintain secure systems and applications
 X
 X
 X
Includes process for ensuring software is up-to-date

Implement Strong Access Control Measures
Requirement 7:
 Restrict access to cardholder data by business need-to-know
 X
 X
 X

Requirement 8:
Assign a unique ID to each person with computer access
 X
 X
 X
Requirement 9:
 Restrict physical access to cardholder data

X
Includes locks on cabinets, restricted access to backups, etc.

Regularly Monitor and Test Networks
Requirement 10:
 Track and monitor all access to network resources and cardholder data

 X
 X

Requirement 11:
 Regularly test security systems and processes

X
 Typically documented quarterly tests are required

Maintain an Information Security Policy
Requirement 12:
 Maintain a policy that addresses information security

X


Based on the terms of your merchant agreements, any organization that accepts credit card transactions by any means (online, telephone, or in person) must be in compliance with these standards. In practice, Visa and Mastercard are starting where their experience shows the highest risk level - putting e-commerce at the top of the list.

Example Scenario:

Bob's Widgets sells widgets in an online store, has a reasonably secure set of business procedures, and only sells about $15,000 worth of widgets each year.

A customer buys a product from Bob's online store using a credit card that was also used at another online store that sells dongles.

Unknown to Bob's, the credit card number was compromised at the previous online store (the dongle store)

At this point, Visa has to do a forensic audit of the merchants (Bob's widget store, and the dongle store) to figure out what went wrong. Visa charges the banks of both stores for the cost of the audit, and the banks pass those fines on to the store owners.

Bank audit charges generally start at about $50,000

A VISA-authorized auditor visits Bob and completes a review of Bob's network, and finds that although Bob's systems are good, he hasn't run a review and test in the last quarter, and the auditor finds him "non-compliant" with PCI DSS standards (see requirement 11 above). Bob is then fined and labeled a "High Risk" merchant.

Direct fines to merchants generally start at about $30,000, and "High Risk" merchants are subject to increased merchant fees on each transaction because of the "High Risk" status.

In this case, Bob is now faced with $80,000 in fines, and has been labeled "High Risk" even though his company didn't cause the issue.

Even if he had been 100% PCI DSS compliant, he would still be subject to the $50,000 fine passed on by the bank (in the fine print of the merchant agreement he signed), but he would have avoided the additional $30,000 fine and the High Risk status.

Since Bob is a small business owner, he likely signed a personal guarantee on his merchant agreement, and his home is likely on the line if he can't pay the fine.

Additional Resources

PCI Security Standards Council:
https://www.pcisecuritystandards.org

The full PCI Specification can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

There is a self-assessment questionnaire that you can use to evaluate your business here:
https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc

We highly recommend that you take the time to complete the questionnaire
Labels:

Comments

Post a Comment

Popular posts from this blog

Who Needs a CMS?

What makes a web design prospect a good candidate for a Content Management System? Imagine that you are in front of your prospect. They love your portfolio and the previous work you've done and they recognize the value that a web site can provide their business. How do you determine whether a CMS is a good option for their organization? Showing a prospect an online demo of how easily they can take control of their web site content can be a powerful "oh, wow" factor. For some prospects, they can connect the dots and immediately see the value that a CMS can bring to their business. For most though, you'll need to build a business case and demonstrate the "What's in it for me?". Here are a few quick questions you can ask your client to see if a CMS is an applicable tool for your prospect: What makes you different from your competition? If the answer to this question is the quality of work they do, then wouldn't their web site visitors w
Post a Comment
Read more

Content Management Systems

What is a Website CMS? In short, a CMS is a Content Management System. In more detail, a CMS is a system that separates the publicly viewable content of a web site (the text, images, etc.) from the administrative tasks of linking pages together and controlling how the pages appear. In most cases, this is done to make a site easier to maintain than it would be if it was built exclusively out of hard-coded html pages.   The value to the owner of a website is that, because a content managed website can be updated more easily and more frequently, the website owner is better able to communicate with the target audience. More frequent and timely communication improves the level of service and helps generate customer loyalty.   Furthermore, because the owner of the website has control over the content, there is no longer a need to contact the website developer or designer for every update. In short, the website owner can stop sinking money into the site on an on-going ba
Post a Comment
Read more