
What is PCI-DSS?

Critical Reading about E-Commerce & Credit Cards

Security Standards Background

PCI is an abbreviation for the Payment Card Industry Security Standards Council, an organization made up of payment card providers that sets the security standards and requirements for merchants and merchant account providers.
PCI-DSS refers to the PCI Data Security Standard, which was created by the Council to reduce payment card fraud. The standard forms part of the merchant agreement signed by every merchant who accepts any type of payment card (credit, debit, etc.) directly, by telephone, or online. Both the level of security required by the standard and the consistency with which it is enforced have increased in recent years, and there are clear indications that the standard will continue to be tightened in the coming years.

As of December 31, 2007, all merchants must adhere to the PCI Data Security Standard or face substantial fees, fines, and penalties. These fees, fines, and penalties were originally created by Visa, MasterCard, American Express, etc. as a deterrent aimed at large financial institutions such as banks.

The banks, however, have amended their merchant agreements to pass these fees, fines, and penalties on to merchants. The amounts in question are very high and can be especially damaging for smaller merchants.

If you have an online store (or are advising clients who do), you need to know what it takes to be PCI DSS compliant. Make sure you have (or advise your clients to have) the following:
  • The right website software configuration *
  • The right network configuration in your office, and
  • The right business processes in place.
Familiarize yourself with the PCI-DSS requirements and encourage your clients to do the same. The chart below is taken directly from the PCI Security Standard. To help you focus on what matters, the top row indicates which areas of the standard are addressed by PCI-DSS compliant website software, and which are the responsibility of the merchant or website owner.

Note: using an e-commerce gateway (like BeanStream or Authorize.net) may reduce your risk; however, a number of the following requirements still apply. Similarly, the website software you use (like Bistro) can help you meet the requirements on the website side of things, but there are many requirements that only you (or your client) can meet.


| Responsibility | Website Software (Bistro) | Office Network (YOU) | Business Process (YOU) | Notes |
|---|---|---|---|---|
| Build and Maintain a Secure Network | | | | |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data | | X | | Required for all computers on the network where cardholder data is stored |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | | X | | |
| Protect Cardholder Data | | | | |
| Requirement 3: Protect stored cardholder data | X | X | X | Includes protecting all digital and printed copies of cardholder data |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks | X | X | | Critical if wireless networks are being used |
| Maintain a Vulnerability Management Program | | | | |
| Requirement 5: Use and regularly update anti-virus software | | X | X | Required for all computers on the network where cardholder data is stored |
| Requirement 6: Develop and maintain secure systems and applications | X | X | X | Includes process for ensuring software is up-to-date |
| Implement Strong Access Control Measures | | | | |
| Requirement 7: Restrict access to cardholder data by business need-to-know | X | X | X | |
| Requirement 8: Assign a unique ID to each person with computer access | X | X | X | |
| Requirement 9: Restrict physical access to cardholder data | | | X | Includes locks on cabinets, restricted access to backups, etc. |
| Regularly Monitor and Test Networks | | | | |
| Requirement 10: Track and monitor all access to network resources and cardholder data | | X | X | |
| Requirement 11: Regularly test security systems and processes | | | X | Typically documented quarterly tests are required |
| Maintain an Information Security Policy | | | | |
| Requirement 12: Maintain a policy that addresses information security | | | X | |

Based on the terms of your merchant agreements, any organization that accepts credit card transactions by any means (online, telephone, or in person) must be in compliance with these standards. In practice, Visa and Mastercard are starting where their experience shows the highest risk level - putting e-commerce at the top of the list.

Example Scenario:

Bob's Widgets sells widgets in an online store, has a reasonably secure set of business procedures, and only sells about $15,000 worth of widgets each year.

A customer buys a product from Bob's online store using a credit card that was also used at another online store that sells dongles.

Unknown to Bob's, the credit card number was compromised at the previous online store (the dongle store).

At this point, Visa has to do a forensic audit of the merchants (Bob's widget store, and the dongle store) to figure out what went wrong. Visa charges the banks of both stores for the cost of the audit, and the banks pass those fines on to the store owners.

Bank audit charges generally start at about $50,000.

A Visa-authorized auditor visits Bob and completes a review of Bob's network. Although Bob's systems are good, he hasn't run a review and test in the last quarter, so the auditor finds him "non-compliant" with the PCI DSS standard (see Requirement 11 above). Bob is then fined and labeled a "High Risk" merchant.

Direct fines to merchants generally start at about $30,000, and "High Risk" merchants are subject to increased merchant fees on each transaction because of the "High Risk" status.

In this case, Bob is now faced with $80,000 in fines, and has been labeled "High Risk" even though his company didn't cause the issue.

Even if he had been 100% PCI DSS compliant, he would still be subject to the $50,000 fine passed on by the bank (in the fine print of the merchant agreement he signed), but he would have avoided the additional $30,000 fine and the High Risk status.

Since Bob is a small business owner, he likely signed a personal guarantee on his merchant agreement, and his home is likely on the line if he can't pay the fine.

Additional Resources

PCI Security Standards Council:
https://www.pcisecuritystandards.org

The full PCI Specification can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

There is a self-assessment questionnaire that you can use to evaluate your business here:
https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc

We highly recommend that you take the time to complete the questionnaire.
