GO
What is PCI-DSS?
"Building websites with WebAdmin is easier, faster, and more profitable than how I used to build websites!"

~ Kelly Baker, Designer
 

What is PCI-DSS?

Critical Reading about E-Commerce & Credit Cards

For more detailed coverage of this topic - view the slide presentation

Security Standards Background

PCI is an abbreviation for the Payment Card Industry Security Standards Council, an organization made up of payment card providers that sets the security standards and requirements for merchants and merchant account providers.

PCI-DSS refers to the PCI Data Security Standards which was created by the Council to reduce payment card fraud. These standards form part of the merchant agreement signed by every merchant who accepts any type of payment card (credit, debit, etc.) directly, by telephone, or online. Both the level of security required by the standards and the consistency of enforcement of those standards have increased in recent years. There are clear indications that the standards will continue to be tightened in the coming years.

As of December 31/07, all merchants must adhere to PCI Data Security Standards – or face substantial fees, fines, and penalties. These fees, fines, and penalties were originally created by Visa, MasterCard, American Express, etc. as a deterrent to large financial institutions like Banks.

The Banks, however, have amended their merchant agreements to pass these fees, fines, and penalties on to merchants. The amounts in question are very high, and can be especially damaging for smaller merchants.

If you have an online store (or are advising clients who do) you need to know what it takes to be PCI DSS compliant. Make sure you have (or advise your clients to have) the following:
  • The right website software configuration *
  • The right network configuration in your office, and
  • The right business processes in place.
Familiarize yourself with the PCI-DSS requirements and encourage you clients to do the same. The chart below is taken directly from the PCI Security Standard. To help you better understand what you need to focus on, in the top row we have indicated which areas of the standard are addressed by a PCI-DSS compliant software, and which are the responsibility of the merchant or website owner.

Note: using an e-commerce gateway (like BeanStream or Authorize.net), may reduce your risk; however, a number of the following requirements still apply. Similarly, the website software you use (like WebAdmin) can help you meet the requirements on the website side of things, but there are many requirements that only you (or your client) can meet.


Responsibility

Website Software

WebAdmin

Office Network

YOU

Business Process

YOU

Notes

Build and Maintain a Secure Network

Requirement 1:

Install and maintain a firewall configuration to protect cardholder data

 

X

 

Required for all computers on the network where cardholder data is stored

Requirement 2:

Do not use vendor-supplied defaults for system passwords and other security parameters

 

X

 

 


Protect Cardholder Data

Requirement 3:

Protect stored cardholder data

X

X

X

Includes protecting all digital and printed copies of cardholder data

Requirement 4:

Encrypt transmission of cardholder data across open, public networks

X

X

 

Critical if wireless networks are being used


Maintain a Vulnerability Management Program

Requirement 5:

Use and regularly update anti-virus software

 

X

X

Required for all computers on the network where cardholder data is stored


Requirement 6:


Develop and maintain secure systems and applications

X

X

X


Includes process for ensuring software is up-to-date


Implement Strong Access Control Measures

Requirement 7:

Restrict access to cardholder data by business need-to-know

X

X

X

 


Requirement 8:


Assign a unique ID to each person with computer access

X

X

X

 

Requirement 9:

Restrict physical access to cardholder data

 

 

X


Includes locks on cabinets, restricted access to backups, etc.


Regularly Monitor and Test Networks

Requirement 10:

Track and monitor all access to network resources and cardholder data

X

X

 

 

Requirement 11:

Regularly test security systems and processes

 

 

X

Typically documented quarterly tests are required


Maintain an Information Security Policy

Requirement 12:

Maintain a policy that addresses information security

 

 

X

 



Based on the terms of your merchant agreements, any organization that accepts credit card transactions by any means (online, telephone, or in person) must be in compliance with these standards. In practice, Visa and Mastercard are starting where their experience shows the highest risk level – putting e-commerce at the top of the list.

Example Scenario:

Bob’s Widgets sells widgets in an online store, has a reasonably secure set of business procedures, and only sells about $15,000 worth of widgets each year.

A customer buys a product from Bob’s online store using a credit card that was also used at another online store that sells dongles.

Unknown to Bob’s, the credit card number was compromised at the previous online store (the dongle store)

At this point, Visa has to do a forensic audit of the merchants (Bob’s widget store, and the dongle store) to figure out what went wrong. Visa charges the banks of both stores for the cost of the audit, and the banks pass those fines on to the store owners.

Bank audit charges generally start at about $50,000

A VISA-authorized auditor visits Bob and completes a review of Bob’s network, and finds that although Bob’s systems are good, he hasn’t run a review and test in the last quarter, and the auditor finds him “non-compliant” with PCI DSS standards (see requirement 11 above). Bob is then fined and labeled a “High Risk” merchant.

Direct fines to merchants generally start at about $30,000, and “High Risk” merchants are subject to increased merchant fees on each transaction because of the “High Risk” status.

In this case, Bob is now faced with $80,000 in fines, and has been labeled “High Risk” even though his company didn’t cause the issue.

Even if he had been 100% PCI DSS compliant, he would still be subject to the $50,000 fine passed on by the bank (in the fine print of the merchant agreement he signed), but he would have avoided the additional $30,000 fine and the High Risk status.

Since Bob is a small business owner, he likely signed a personal guarantee on his merchant agreement, and his home is likely on the line if he can’t pay the fine.

Additional Resources

PCI Security Standards Council:
https://www.pcisecuritystandards.org

The full PCI Specification can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

There is a self-assessment questionnaire that you can use to evaluate your business here:
https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc

We highly recommend that you take the time to complete the questionnaire



This article forms part of the Website Producer Learning Series™ provided by Lewis Media Inc., the manufacturer of WebAdmin CMS™. For more information about WebAdmin, the Web CMS that makes it incredibly easy for designers and marketers to offer content managed websites, register for a free online information session or contact us today.