
PCI Compliance - What it really means

I recently read an article which suggested that 60% of businesses in the U.S. that process credit card details online in order to accept payment for goods or services were not Payment Card Industry security standards (PCI) compliant. This statement may not be entirely accurate but what I do know is that the vast majority of companies I have spoken with over the last year that process card details online are not PCI compliant. Some companies simply did not know what PCI compliance was, some thought they didn’t need it, or worst of all, some thought they were compliant and were not.

So what’s the big deal, what is PCI compliance anyway?
If you consider the major credit card companies like American Express, Visa and MasterCard and how they operate, it is very important to them that people, very bad people, don’t get their hands on your credit card information. How do these people get such details? Well, they could simply ask you for them. They could also target online eCommerce sites that collect card details and go on a hacking spree. The latter is what PCI compliance is all about.

Credit card companies want to promote the use of their cards online, so they must come up with a way to ensure that anybody processing such details does so in a secure manner. Hence, the Payment Card Industry security standards. These standards are rigorous and not simple to achieve, and most importantly, expensive, as they involve lots of processes and consultants.

There are serious misconceptions out there around PCI compliance that could land Merchants (people selling online) in serious trouble with Visa/MasterCard. Consider what would happen to your business if Visa or MasterCard decided to not allow transactions through your business website. In addition, heavy fines can be dished out for allowing your servers to be compromised.

Here are some of the main misconceptions about PCI compliance:

If I don’t store card details then I don’t need to worry about PCI compliance.
This is quite simply wrong. If you process card details in any way, irrespective of whether you store them in a database or on disk, you must be PCI compliant. The idea here is sound: if you process card details you could store them; the fact that you don’t – or claim you don’t – means absolutely nothing. What I mean by processing is very simple: you have a page on your servers that asks people to enter card details. If this page is on somebody else's server then they are the ones that need to be PCI compliant, it’s that simple.

If I encrypt the transmission of the card details to my servers then I don’t need to worry about PCI compliance.
This one is also wrong. Yes, encryption is one of over 200 conditions that must be satisfied to become PCI compliant, but it is most certainly not the only one. The reason is very simple: PCI compliance relates to the software collecting the details and the infrastructure it is hosted on, as well as how the data is transmitted. Irrespective of how the card details get to your servers, they can still be collected by a hacker if your application and servers are not secure, so yes, you do need to be PCI compliant.

My merchant bank has said nothing about this, surely they know best.
Well, if they haven’t yet, they will soon. Anyway, the banks are only enforcers; if they don’t do a good job it doesn’t mean you don’t need to be compliant. I have worked with a number of banks on this issue, some very stringent and some very lax. One bank told me I didn’t need to worry about PCI and to just put SSL on my site. I won’t name the bank.

I am very conscientious about security and have dedicated consultants that keep my servers secure so I am PCI compliant.
First of all, well done. Secondly, becoming PCI compliant requires jumping through some hoops. If you haven’t jumped through these hoops then it doesn’t matter how secure your system is, you are not compliant. The hoops depend on the number of transactions you will be doing, but will at a minimum require you to complete quarterly vulnerability scans (from an approved scanning vendor), fill out a horrible self-assessment questionnaire and may also require a yearly audit by a qualified security assessor (QSA). I have worked with one QSA in particular that I owe all of my knowledge on the topic to, but I won’t mention them as I am sure their competitors are just as good.

The misconceptions above relate mainly to IT professionals and the information that is being relayed about this topic. But what about the business perspective: what should I watch out for if I don’t want a fine, or even worse, to find my business unable to trade online?

Here are some of the pitfalls for businesses:

Trusting your software developers.
I am sorry guys, I am a developer with over 15 years of experience, but this is the biggest pitfall for businesses. So you have decided you want to trade online and you go to one of the many capable software houses to get your website built. You tell them to collect card details (as you have never heard of PCI) and, of course, they do what they are told. Now you can’t blame them for this, as it is not their job to make sure you are secure; that’s your job as the owner of a business. But I have spoken to some web developers that have alluded to the misconceptions above and given their clients bad advice. So, be careful.

Trusting your security advisors.
Now this might seem like a strange one. Your security company should know a thing or two about PCI, but some security companies are not qualified security assessors, so they cannot complete your PCI audit. They can complete your security testing and hardening, but you must go to a Qualified Security Assessor (QSA) to have your PCI assessment.

Trusting your payment providers.
There are payment providers out there that will not tell you the truth about PCI compliance. I am not saying they do this intentionally; they may not know the correct information. Worse, they may not realize they have an obligation to ensure the merchant’s PCI compliance when they are dealing with a merchant that collects card details. I work with a payment provider that is stringent in this regard and simply would not deal with us until they saw our PCI cert. And they won't deal with our customers (if they are collecting card details) unless they show a PCI cert. This is a Dutch company that we moved to from an Irish payment provider that simply gave me the wrong information.

Where do I go next?
If your website or application is processing card details and you think you need to become PCI compliant then you have a number of options.

Become PCI compliant.
If you absolutely need to take card details on your website and process payments directly using a payment gateway then you must become PCI compliant. The process of becoming PCI compliant depends on your organization and how many transactions you process. But at a minimum you will need to do quarterly vulnerability scans and submit a self-assessment questionnaire annually. This process in itself is not very costly and there are companies that will do most of it for you (even for free), but implementing all of the processes that you must adhere to is the costly bit. Also, hardening your servers to pass the vulnerability scans can cost time and money. If you process more than a certain number of transactions annually (around 2 million, depending on whether they are Visa, MasterCard etc.) then you will need an onsite audit by a qualified assessor. These audits will assess your eligibility and essentially verify that everything you put in your self-assessment questionnaire is correct. This is when things get very expensive, maybe up to 100k a year depending on your existing resources and processes, but you will at least need to pay a consultant and update some processes (every year)!

Engineer your application so that being PCI compliant is not a requirement.
The only way you can do this is by using a hosted payment page solution. This means your customers are redirected from your site to a page hosted on a site that is PCI compliant. Hence, you never see the card details and don’t have to worry about being PCI compliant. Note: this does not mean you don’t have to secure your site. You don’t want your site hacked irrespective.
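The hosted payment page pattern described above, as an added example that is not part of the original article or any real provider's API: the merchant server only sends signed order data to the provider's page and later verifies the signed return notification, so no card field ever reaches merchant code. The provider URL, field names, shared secret and HMAC-SHA256 signing scheme are all assumptions for illustration.

```python
"""Hosted payment page: keep card data off the merchant server.

All endpoint names, field names, the shared secret and the signing scheme
are assumptions for illustration, not any real payment provider's API.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlparse

HOSTED_PAGE_URL = "https://psp.example/hosted-page"  # assumed provider page
SHARED_SECRET = b"constructed-shared-secret"          # constructed sample value
# Fields that must never appear in anything the merchant server receives.
CARD_FIELDS = {"pan", "card_number", "cvv", "expiry"}


def _sign(params: dict) -> str:
    """HMAC-SHA256 over the percent-encoded, key-sorted parameters (assumed scheme)."""
    canonical = urlencode(sorted(params.items())).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def build_redirect(order_id: str, amount_cents: int, currency: str, return_url: str) -> str:
    """Build the redirect to the provider's hosted page.

    Only order data is sent; the customer types the card number on the
    provider's page, so this server never sees it.
    """
    params = {"order_id": order_id, "amount": str(amount_cents),
              "currency": currency, "return_url": return_url}
    params["sig"] = _sign(params)
    return f"{HOSTED_PAGE_URL}?{urlencode(params)}"


def verify_return(url_or_query: str) -> dict:
    """Validate the provider's return notification (a URL or its query string).

    Rejects a missing or forged signature and, defensively, any card field,
    which must never be present if the hosted page is used correctly.
    """
    query = urlparse(url_or_query).query if "?" in url_or_query else url_or_query
    params = dict(parse_qsl(query, keep_blank_values=True))
    if CARD_FIELDS & params.keys():
        raise ValueError("card data must never reach the merchant server")
    sig = params.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, _sign(params)):
        raise ValueError("invalid signature on return notification")
    return params


def is_valid_return(url_or_query: str) -> bool:
    """Boolean wrapper around verify_return for callers that prefer no exceptions."""
    try:
        verify_return(url_or_query)
        return True
    except ValueError:
        return False
```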

Comments (1)

Robert Silver, Sr. Software Engineer

This article is out of date as it fails to mention the newest requirement of removal of TLS v1.0 and SSL.
