Author Topic: PCI Compliance - Can anyone clarify this for the LITTLE GUY?  (Read 5532 times)

*Brum6y*

  • Knights of the RT
  • Knight of the RT
  • *****
  • Posts: 20151
PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« on: August 20, 2010, 06:37:11 PM »
Who has any guidelines, experience or contacts on the Payment Card Industry Data Security Standard - PCI DSS?

I am particularly interested in the practical implications for small merchants (Level 4) running their own websites.

While the requirements are quite comprehensive in their nature, the degree of technical sophistication necessary to comply would appear to be rather basic - and I have come across comments that the PCI DSS is considered a minimum.  I have also come across comments that would indicate that if you have any card processing facility, then your merchant agreement would include PCI compliance.

Having come from an IT background with a few of the major institutions in the financial sector, all the requirements are little more than common sense - and most are already in hand as a matter of prudence.  For large organisations, as well as being rather obvious, this is a commercial necessity ... but the PCI DSS does not differentiate between a company like Telstra or your internet minnow - such as have been spawned from eBay. However, the means for achieving certification do differ - from Level 1 (like Telstra) to Level 4 (the minnow).

It seems that if you don't capture any card information, compliance is nowhere near as onerous as when you do - so passing off the payment process to services such as (dare I say it) PayPal makes life easier.  But capturing card data for later manual processing (even if stored encrypted) puts you right up there.

For the website owner using a hosting service, there are requirements for BOTH parties ... but what does this all mean in practical terms for the small businessperson?


Here is the summary of the 12 requirements and version 1.2 of the specification is attached (PDF)

Detailed PCI DSS Requirements and Security Assessment Procedures
Build and Maintain a Secure Network
 Requirement 1: Install and maintain a firewall configuration to protect cardholder data
 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
 Requirement 3: Protect stored cardholder data
 Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
 Requirement 5: Use and regularly update anti-virus software or programs
 Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
 Requirement 7: Restrict access to cardholder data by business need to know
 Requirement 8: Assign a unique ID to each person with computer access
 Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
 Requirement 10: Track and monitor all access to network resources and cardholder data
 Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
 Requirement 12: Maintain a policy that addresses information security for employees and contractors


[attachment deleted by admin]

*wheels*

  • Knights of the RT
  • Knight of the RT
  • *****
  • Posts: 8000
Re: PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« Reply #1 on: August 20, 2010, 07:17:05 PM »
Brumby, I have NO idea, that's why it's much easier to use a third-party payment processor like Paymate or PayPal.

bnwt

  • Knight of the RT
  • *****
  • Posts: 3671
Re: PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« Reply #2 on: August 20, 2010, 07:21:24 PM »
Brumby

when getting a payment with credit card on your own website you don't actually process the transaction

it's done via payment gateway either with a bank or third party like eWay for example

the buyer's credit card details never actually touch your site ..... while it may appear to the buyer they are paying for a purchase on your site they are in fact taken to the gateway to type in the numbers etc

*Brum6y*

  • Knights of the RT
  • Knight of the RT
  • *****
  • Posts: 20151
Re: PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« Reply #3 on: August 20, 2010, 08:44:01 PM »
Firstly, the PCI Compliance standard is not defined solely for internet payments alone. It is for any card payments. Special focus is given to the security of details stored on computer and even more is given when the internet is involved.

There are five card payment scenarios I have identified, which represent reasonable possibilities for a small merchant:

1. Internet payment via Gateway
2. Card swipe via bank supplied terminal (pick-up orders)
3. Telephone orders
4. Mail orders
5. Internet order with card data captured for later manual processing (eg after postage calculation which could not be automated)

(1) I would not expect to have any problems with, since the card details never come near you.  This is obvious - but is 'obvious' enough to clear yourself of any possible requirements under PCI Compliance?

(2) I would not expect to have any problems with, since the cardholder will be present. There is the possibility that the cardholder information could be captured by an unscrupulous merchant, however, since the card IS physically accessible to them, but since that would be a deliberate act with intent other than normal commerce, I don't feel it would be a problem .... UNLESS there are specific requirements within the PCI compliance that requires a merchant to have procedures in place to prevent that. (And I think there are.)

(3) Would need an assurance that any card information given was keyed directly into the terminal for processing while the client was on the line. Since the small merchant is likely to have a dial-up terminal, they will need to have a separate phone line to do this.  The possibility for the merchant to record the information is real.

(4) Would definitely need something ... Sending card details in the mail or via email becomes a matter of physical and electronic security (respectively)

(5) Is a clear concern for PCI compliance as it embraces ALL the fundamental risks.  Products such as Cube Cart list 'Manual card capture' with data stored 'encrypted'.  From what I've read, this MIGHT be adequate, so long as the decryption keys are kept separate from the databases holding the encrypted data.... but PCI compliance will be required.



Maybe I should ask the bank....

*Brum6y*

  • Knights of the RT
  • Knight of the RT
  • *****
  • Posts: 20151
Re: PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« Reply #4 on: August 20, 2010, 08:48:33 PM »
... and just to focus the discussion, in the 5 scenarios above, I am not asking for 'risk analysis'. This has already been done and the processes for mitigating risk have been identified.  The conditions under which certain options will and will not be made available have been defined.


The comment invited is in regard to 'PCI Compliance'.

*CountessA*

  • Administrator
  • Knight of the RT
  • *****
  • Posts: 35154
Re: PCI Compliance - Can anyone clarify this for the LITTLE GUY?
« Reply #5 on: August 20, 2010, 09:24:21 PM »
Brumby, the merchant responsibility lies with use (transmission and storage) of the data once it reaches him. If an online purchase is made, the merchant is expected to have the following:

  1. SSL for secure information on the website;
  2. an e-commerce solution that encrypts sensitive data (such as credit card information) between the site of purchase and the gateway site. For instance, let's say the merchant opts for Payflow as the gateway. Between the merchant's website (secure https address) and the gateway, there must be encrypted transmission of the data. Any shopping cart or ecommerce solution worth its salt will have this enabled;
  3. If the merchant manually processes card information that is entered online, it is incumbent on him to ensure the card information is protected at all times. For instance, the page on which the card information is requested must be encrypted (https address). Furthermore, the merchant's responsibility includes not storing the c/c information once the payment is processed UNLESS EXPLICITLY REQUESTED TO BY THE CARDHOLDER. (Repeat customers who trust the seller may do this.) In all other cases, the card information must be securely removed. In any instance, the CCV must not be stored - not under any circumstances at all.

And if accepting c/c payment by other means...

  4. If the merchant accepts phone orders, the card payment can be done immediately or later - but again, it's incumbent on him to protect the data. If he writes down the card information on a scrap of paper and the scrap of paper is thrown out and then later retrieved by a rummaging thief, the merchant is at fault. Thus the merchant must exercise all due care with the information.
  5. If the merchant accepts orders sent by mail, with the cardholder having written down the card information, the merchant is responsible for the security of the information once he receives it. Again, he must destroy it securely once the transaction is complete.
  6. The merchant can ask for credit card details by fax.
  7. Under no circumstances should the merchant ask for or encourage transmission of credit card details by email. Email is NOT secure.

I hope that helps!
"No man is an Iland, intire of it selfe; every man is ...a part of the maine; ...any mans death diminishes me, because I am involved in Mankinde"
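Scenario (5) in reply #3 (card data captured for a later manual charge, stored encrypted with the decryption key kept away from the database) and point 3 of the reply above (never store the CVV, securely remove the card data once the payment is processed) describe one storage design. The following is an added example written for this thread, not code from any poster or from CubeCart: a small Go "vault" that holds only an AES-GCM ciphertext of the PAN and expiry plus the last four digits, fetches the key from a stand-in `KeyProvider` (a hypothetical hook for a KMS, HSM or key file on another host) on every use, has no field in which a CVV could be saved, and deletes the record after the charge. The all-zero key and the card number 4111 1111 1111 1111 are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CheckoutInput is what the payment form submits: PAN digits (spaces tolerated),
// expiry as MMYY, and the CVV, which is used for the authorisation and never stored.
type CheckoutInput struct{ PAN, Exp, CVV string }

// StoredCard is the only shape the merchant database ever holds: AES-GCM ciphertext
// of PAN+expiry plus the last four digits for display. There is no CVV field.
type StoredCard struct {
	LastFour          string
	Nonce, Ciphertext []byte
}

// KeyProvider stands in for the key store kept apart from the database (hypothetical:
// a KMS, HSM or key file on another host). It is called on every use, never cached.
type KeyProvider func() ([]byte, error)

// Vault holds the encrypted records; the map plays the role of the database.
type Vault struct {
	keys  KeyProvider
	store map[string]StoredCard
}

func NewVault(kp KeyProvider) *Vault { return &Vault{keys: kp, store: map[string]StoredCard{}} }

// aead builds AES-GCM from whatever the key provider returns right now.
func (v *Vault) aead() (cipher.AEAD, error) {
	key, err := v.keys()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts PAN and expiry for a later manual charge. The order ID is bound
// in as associated data, so a record cannot be re-attached to another order.
func (v *Vault) Capture(orderID string, in CheckoutInput) error {
	pan := strings.ReplaceAll(in.PAN, " ", "")
	if len(pan) < 12 || strings.Trim(pan, "0123456789") != "" {
		return errors.New("card number must be 12+ digits")
	}
	gcm, err := v.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+in.Exp), []byte(orderID))
	v.store[orderID] = StoredCard{LastFour: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}
	return nil
}

// Reveal decrypts for the one-off manual charge; it fails closed on a wrong key,
// a swapped order ID or a tampered ciphertext.
func (v *Vault) Reveal(orderID string) (pan, exp string, err error) {
	rec, ok := v.store[orderID]
	if !ok {
		return "", "", errors.New("no card held for order")
	}
	gcm, err := v.aead()
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(orderID))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	return parts[0], parts[1], nil
}

// Purge deletes the record once the payment has been processed.
func (v *Vault) Purge(orderID string) { delete(v.store, orderID) }

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; a real key lives only in the key store
	v := NewVault(func() ([]byte, error) { return key, nil })
	if err := v.Capture("order-42", CheckoutInput{PAN: "4111 1111 1111 1111", Exp: "1212", CVV: "123"}); err != nil {
		panic(err)
	}
	pan, exp, err := v.Reveal("order-42")
	fmt.Println(v.store["order-42"].LastFour, pan, exp, err) // 1111 4111111111111111 1212 <nil>
	v.Purge("order-42")
}
```

The design choice worth noting is that a copy of the database alone is useless without the key provider, and a copy of the key alone is useless without the database, which is the separation the thread's point (5) asks for; the CVV is simply absent from the stored type, so a later code change cannot persist it by accident.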