If you have a transactional website, operate infrastructure that processes payments, or if you’re a financial institution, chances are you’ll have heard about the recent changes to PCI DSS compliance. These best practice, payment security requirements are in place for good reason, so if you’re not up to speed, it’s important to do a bit of investigating.
PCI standards help you protect your payment systems from theft and security breaches. They also help vendors create fit for purpose secure payment solutions.
Ultimately, the onus is very much on e-commerce companies and institutions to comply with the latest PCI standards and failure to do so can result in financial penalties. So if you’re a business that holds card information, or processes and transmits cardholder data, you’ll need to be hot on PCI DSS compliance.
Depending on the way you process card payments and the card information you hold, the requirements set by the Security Standards Council varies. To keep things as straightforward as possible, we’ve pulled together a quick guide for each type of merchant.
This is however, easier said than done and the nuances and the language within the PCI DSS compliance guidance is not always clear, and very much open to interpretation. This article is written to provide a spring-board to your own PCI research and its contents should not be relied upon in any specific situation without taking relevant advice.
1. You use an e-commerce platform
This one’s for companies that use an ‘all in one’ e-commerce platform to host their website and process payments. Shopify, is a great example of a service that fits into this category. If you have an e-commerce website using a company like Shopify, and use their own in-built payment functions, it will mean they are responsible for PCI DSS compliance.
Shopify for example, state that their solution is Level 1 PCI DSS certified. Again, this will depend on how you decide to take payments, so check with your provider that your setup is covered.
So you don’t need to do anything, right? Wrong, unfortunately! In fact, in this instance you’ll need to complete Self-Assessment Questionnaire A (SAQ A).
This form has been specially designed to fit your circumstances as a card-not-present merchant, with all cardholder data functions fully outsourced (The PCI Security Council’s words exactly).
In your case, you may only keep hold of paper reports or receipts of transactions with cardholder data. But even if you don’t download or store these records, you’ll still need to ensure you’re compliant, understanding and acknowledging the way that you need to securely handle this kind of data.
2. You use an outsourced payment page on your website
Outsourced payment pages are a very common way of working, and tend to be popular with smaller businesses.
If this is you, when your customers have added products to their cart and are ready to pay, they will be re-directed to a third party payment gateway like PayPal or Worldpay (or they are loaded in an i-frame), where they complete their details and make payment.
This setup can work on an e-commerce website you are responsible for managing and hosting or on an e-commerce framework (like Shopify or BigCommerce) that we’ve just discussed.
Although the third party payment gateway provider will handle the more rigorous aspects of PCI standards, you still need to ensure you’re compliant with PCI.
At this point, there is some debate about which questionnaire you should be completing in this situation. At a minimum you will need to fill out the SAQ A questionnaire, just like our first example above.
But following changes to PCI in version 3.0, to ensure you’re completely covered, completing the SAQ A-EP questionnaire may be the safest option.
The new wording for SAQ A-EP refers to an applicable website that ‘does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor’, which does, to many people, mean either an i-frame loaded on the site or a re-direct to a payment gateway.
Along with the questionnaire, you’ll need to submit your website and infrastructure to a quarterly security scan by a PCI ASV (or Approved Scanning Vendor.) Your ASV will scan your site to test for any potential issues, and also run a more in-depth annual penetration test to identify any weak spots in the site and hosting.
Whether you choose the same ASV for quarterly and annual testing is entirely up to you as long as they are approved.
3. You use an outsourced payment page on your website, with your branding or tracking
In this scenario, similar to the outsourced payment page, the user is directed to a third party payment gateway provider to make their purchases.
The difference is that some information is passed from your website to that payment provider. This data could be branding or styling information in a CSS file, or even tracking and analytics in a JavaScript file for example. Although this doesn’t sound too risky on the face of it, this can ramp up your compliance requirements, as it opens up a route that a hacker could potentially exploit.
In this scenario, there is no debate about whether you’ll need to complete the SAQ A-EP. You’ll also need to have quarterly scans and an annual penetration test.
4. Direct post of payment information from your website
If you operate this way, you’ll be asking your customers to enter their payment information into your e-commerce site directly, before passing that data onto a payment provider for processing. Understandably, this increases the risks even further.
In short, you’ll have to work in line with all the same compliance measures as the partially outsourced way of working; fill out the SAQ A-EP questionnaire, submit to a quarterly ASV scan, and conduct annual penetration testing.
5. You take payment directly on your website
Last, but certainly not least, is the fully hosted payment page, where you accept card details through your website. If you run your e-commerce business like this, you’ll need to do the most work to make sure you’re compliant.
Essentially, you should complete the much more rigorous SAQ D-Merchant questionnaire, along with ensuring you have quarterly scans and yearly penetration testing.
In April 2016, an updated PCI DSS came into play, changing the face of e-commerce. SSL, the protocol that encrypts a channel between two endpoints (like a web browser and a web server) to ensure that sensitive data cannot be intercepted by a third party, is being updated.
The problem is, vulnerabilities have been discovered within SSL. These weak points have given attackers an opportunity to extract data from these supposedly secure connections. The solution is to move away from SSL, to TLS.
Moving to TLS is a big job, and although the deadline for upgrading was originally set for June 2016, it’s been recognised that companies need more time. So, in the latest version of PCI standards released in April 2016, the Security Standards Council have extended the deadline to June 2018. But, companies are still being urged to move as quickly as possible to make sure customer data is as secure as possible.
It may seem like these measures are a lot of unnecessary hoops to jump through, however, there are penalties for non-compliance and these can be hefty, so it’s certainly worth taking the time to get your business completely PCI compliant, not to mention incurring the displeasure of customers whose details are compromised via your site.
If you’re found to be in breach of these requirements, the Security Standards Council have the power to fine an acquiring bank from $5,000 to $100,000 per month. These charges can then be passed down from the bank to the merchant. Not only this, they could increase the transaction fees they charge or even terminate your relationship if this happens. Not a pretty picture for any business.
First, make sure you do your homework, and find out what your company needs to do to meet current PCI standards. This article will hopefully point you in the right direction and kick-start your research, but is not intended to be the foundation upon which you base your entire approach to PCI DSS compliance.
The PCI Security Council encourage you to start by asking your merchant bank (acquirer) or the applicable payment brand(s) about which SAQ questionnaire you are eligible for.
The PCI Security Standard Council website: www.pcisecuritystandards.org
A great blog focusing on issues around PCI DSS Compliance: www.pcicomplianceguide.org
As Secura's CTO, Dan is responsible for the team that design, build and maintain our cutting edge cloud hosting infrastructure. He is also the dishwasher police - stack it or else.
Tweet me at:
@securacloud
