One topic that affects online sellers small and large is PCI compliance. We haven’t covered the topic on Get Elastic before, so I teamed up with data security expert Gary Palgon, CISSP, to answer the most pressing questions about the Payment Card Industry’s Data Security Standard for eCommerce companies.
The Real Scoop on PCI DSS for Ecommerce
Linda: What is PCI DSS? What is PCI compliance?
Gary: The Payment Card Industry’s Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security by creating a strong, systematic way for merchants to secure cardholder data. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.
Linda: Why is PCI compliance important to ecommerce businesses?
Gary: eCommerce companies mainly perform “card-not-present” electronic transactions. Because these transactions take place via the Internet through an online store, credit card numbers are especially vulnerable to theft by cyber criminals.
Linda: What are some common ways cardholder information security is compromised in an online commerce environment?
Gary: If credit card numbers are not encrypted or tokenized (a data security model whereby surrogate values or “tokens” are substituted for actual credit card numbers), they can be “sniffed” by computer programs remotely. Here’s how it works: A cyber criminal unleashes a “sniffer” program into cyberspace. When the program recognizes a credit card number format it “lifts” the number if it’s not encrypted or tokenized. Sniffer programs typically steal credit card numbers out of applications and databases. These stolen credit card numbers are then sold on the black market.
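As an added illustration (not code from the interview, nuBridges or the PCI SSC), here is a small Python model of the two ideas in this answer: a Luhn-based detector that finds untokenized card numbers in application text, the same "credit card number format" property the answer describes, and a hypothetical token vault that swaps them for surrogate values so the same scan comes back empty. The vault class, the `tok_` token format and the sample log lines are assumptions constructed for the example.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; PAN detectors use it to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate PAN lengths


def find_pans(text: str) -> list[str]:
    """Cardholder-data discovery: return every Luhn-valid digit run found in text."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_valid(m.group())]


class TokenVault:
    """Hypothetical vault: the only place a PAN is kept; applications store only the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a Luhn-valid PAN")
        if pan not in self._token_by_pan:
            # Random surrogate (assumed format): the 'tok_' prefix means it can never match
            # PAN_RE, and the last four digits are kept for receipts.
            token = f"tok_{secrets.token_hex(6)}_{pan[-4:]}"
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def scrub(text: str, vault: TokenVault) -> str:
    """Replace every detected PAN in text with its token; non-PAN digit runs are left alone."""
    return PAN_RE.sub(lambda m: vault.tokenize(m.group()) if luhn_valid(m.group()) else m.group(), text)


# Constructed sample application log, not real data; 1234567890123456 is an order id that fails Luhn.
SAMPLE_LOG = """order=1234567890123456 status=ok
checkout pan=4111111111111111 amount=19.99
refund pan=5500000000000004 amount=5.00
"""
```

Running `find_pans` before and after `scrub` shows why tokenized storage takes the application database out of the path the answer describes: there is no card number left to lift.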
Linda: Who must comply with PCI standards?
Gary: Any company that accepts, processes or stores credit card numbers must comply with PCI DSS. This includes credit card processors and all merchants, from small Internet stores to the world’s largest retail corporations, who accept credit cards, online or offline. The number of credit card transactions a merchant performs annually determines the specific compliance requirements that must be met. The PCI Security Standards Council provides guidance to software vendors and others to help them develop secure payment applications and it maintains a list of Validated Payment Applications.
Linda: Are PCI standards the same for large enterprises as small and medium sized businesses?
Gary: PCI compliance requirements vary depending on annual transaction volume. Merchants fall into one of four classifications, called Levels.
For example, under Visa’s definitions:
- Level 1 merchants process over 6 million Visa transactions annually (all channels).
- Level 2 merchants process 1 million to 6 million Visa transactions annually (all channels).
- Level 3 merchants process 20,000 to 1 million Visa ecommerce transactions annually.
- Level 4 merchants process less than 20,000 Visa ecommerce transactions annually. In addition, all other merchants processing up to 1 million Visa transactions annually are classified as Level 4 merchants.
Linda: What is required of merchants to comply?
Gary: Specific compliance or “validation” requirements are set by the individual card brands. For example, Visa’s compliance requirements are slightly different for each level as follows:
- Level 1 merchants must complete an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); complete a quarterly network scan by an Approved Scan Vendor (ASV); and file an Attestation of Compliance Form.
- Level 2 and Level 3 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), complete a quarterly network scan by an ASV and file an Attestation of Compliance Form.
- Level 4 merchants are encouraged to complete an annual SAQ and have an ASV perform a quarterly network scan, if applicable. Compliance validation requirements are set by the acquirer.
In addition, under Visa’s requirements, any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.
The PCI Security Standards Council maintains links to each of the six credit card companies’ — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc. and Visa Europe — requirements on its website.
Linda: What are the risks associated with non-compliance?
Gary: PCI DSS compliance is an important step for protecting cardholder information from theft, which, in turn, can help merchants preserve their reputations, protect their brand and avoid lawsuits stemming from a credit card breach. In addition, merchants who do not comply with PCI DSS set themselves up for a host of penalties imposed by the credit card companies, ranging from punitive fines to termination of the right to accept credit cards. Non-compliant merchants, who suffer a breach, also forfeit safe harbor protection.
About the expert
Gary Palgon is Lead Chair on the Tokenization Scoping Special Interest Group for the Payment Card Industry’s Security Standards Council (PCI SSC), and is Vice President of Product Management for nuBridges, where he directs the development of the Company’s data security solutions. He can be reached at gpalgon @ nubridges.com.
Thank you for the informative post. I operate an ecommerce office furniture business and your tips and info on PCI are invaluable. It’s so important to not only make online visitors feel safe, but to actually provide top notch security when so many credit card transactions are occurring.
PCI Compliance is very expensive on the technical side. The server configuration required to achieve this is very powerful. I just disagree in one thing “Who must comply with PCI standards?” I would say that ONLY the merchants that SAVE credit card information must be compliant.
But online shops that only transmit the data to a payment processor don’t require this because they will not save the info, they will just send it and receive the result of the transaction. An SSL certificate with strong encryption should be more than enough. These merchants only have to protect the info when they SEND it (SSL). After sending it, the payment info is not stored, so there is nothing to protect on the server side.
Does using paypal payments pro pass the requirements onto paypal then since paypal is the actual company processing the payment?
Thanks, this is a great post. Recently we had some clients asking if the merchant accounts we use are PCI DSS compliant. I had to research to understand their question. Your post really makes it easy to understand the importance of being compliant for ecommerce websites.
With that specific solution “paypal payments pro” you will at least need an SSL Certificate, because you send Paypal servers the payment information. But as you don’t store that info you won’t need PCI.
@Phil – thanks for the compliments about the interview
@Marcos – If you don’t ever have access to the credit card, then you would be “compliant”. If you take the cardholder data in, but never see it again, then depending upon your environment the POS and/or Pin Transaction System (PTS) and network may or may not be considered in-scope.
@Aaron – It will depend upon how you’re using PayPal, but here’s their PCI policy – https://www.paypal.com/pcicompliance
I’m going to have to echo the same question as Aaron. I’ve been using PayPal Pro, I don’t store credit cards myself, and I’ve passed McAfee’s quarterly PCI scan online, though I haven’t gone through the questionnaire. Is that enough for Level 4 compliance?
@NK Smith – visit the PCI SSC’s website to see which assessment you need to take at https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs. My guess is you can do the self assessment since you’re a Level 4 and probably only using the ecommerce site. See page 12 of https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf to tell you which SAQ you need. Then you can fill it out from the first link – should be pretty easy and you should be either able to pass and/or able to pass with few changes.
Great info as always, Gary. We’ll have to team up on a webinar again. Regarding Paypal (or other payment processing services of the same nature), your organization is still contractually required to be PCI compliant, it’s just a different “flavor”. This type of scenario falls under Self Assessment Questionnaire (SAQ) A, which is intended for card-not-present merchants that fully outsource their credit card payment processing. You’ll be happy to know that you only have to satisfy PCI DSS requirements in two categories: (1) Req. 9 – Restrict Physical Access to CHD, and (2) Req. 12 – Maintain an InfoSec policy… Mercifully, most of the 200+ requirements are out of scope.
Gary, thanks for the info.