The Real Scoop on PCI DSS for Ecommerce

One topic that effects online sellers small and large is PCI compliance. We haven't covered the topic on Get Elastic before, so I teamed up with data security expert Gary Palgon, CISSP, to answer the most pressing questions about the Payment Card Industry’s Data Security Standard for eCommerce companies.

The Real Scoop on PCI DSS for Ecommerce

Linda: What is PCI DSS? What is PCI compliance?

Gary: The Payment Card Industry’s Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security by creating a strong, systematic way for merchants to secure cardholder data. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.

Linda: Why is PCI compliance important to ecommerce businesses?

Gary: eCommerce companies mainly perform “card-not-present” electronic transactions. Because these transactions take place via the Internet through an online store, credit card numbers are especially vulnerable to theft by cyber criminals.

Linda: What are some common ways cardholder information security is compromised in an online commerce environment?

Gary: If credit card numbers are not encrypted or tokenized (a data security model whereby surrogate values or “tokens” are substituted for actual credit card numbers), they can be “sniffed” by computer programs remotely. Here’s how it works: A cyber criminal unleashes a “sniffer” program into cyberspace. When the program recognizes a credit card number format it “lifts” the number if it’s not encrypted or tokenized. Sniffer programs typically steal credit card numbers out of applications and databases. These stolen credit card numbers are then sold on the black market.

Linda: Who must comply with PCI standards?

Gary: Any company that accepts, processes or stores credit card numbers must comply with PCI DSS. This includes credit card processors and all merchants, from small Internet stores to the world’s largest retail corporations, who accept credit cards, online or offline. The number of credit card transactions a merchant performs annually determines the specific compliance requirements that must be met. The PCI Security Standards Council provides guidance to software vendors and others to help them develop secure payment applications and it maintains a list of Validated Payment Applications.

Linda: Are PCI standards the same for large enterprises as small and medium sized businesses?

Gary: PCI compliance requirements vary depending on annual transaction volume. Merchants fall into one of four classifications, called Levels.

For example, under Visa’s definitions:

• Level 1 merchants process over 6 million Visa transactions annually (all channels).
• Level 2 merchants process 1 million to 6 million Visa transactions annually (all channels).
• Level 3 merchants process 20,000 to 1 million Visa ecommerce transactions annually.
• Level 4 merchants process less than 20,000 Visa ecommerce transactions annually. In addition, all other merchants processing up to 1 million Visa transactions annually are classified as Level 4 merchants.

Linda: What is required of merchants to comply?

Gary: Specific compliance or “validation” requirements are set by the individual card brands. For example, Visa’s compliance requirements are slightly different for each level as follows:

• Level 1 merchants must complete an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); complete a quarterly network scan by an Approved Scan Vendor (ASV); and file an Attestation of Compliance Form.
• Level 2 and Level 3 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), complete a quarterly network scan by an ASV and file an Attestation of Compliance Form.
• Level 4 merchants are encouraged to complete an annual SAQ and have an ASV perform a quarterly network scan, if applicable. Compliance validation requirements are set by the acquirer.

In addition, under Visa’s requirements, any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

The PCI Security Standards Council maintains links to each of the six credit card companies’ — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc. and Visa Europe — requirements on its website.

Linda: What are the risks associated with non-compliance?

Gary: PCI DSS compliance is an important step for protecting cardholder information from theft, which, in turn, can help merchants preserve their reputations, protect their brand and avoid lawsuits stemming from a credit card breach. In addition, merchants who do not comply with PCI DSS set themselves up for a host of penalties imposed by the credit card companies, ranging from punitive fines to termination of the right to accept credit cards. Non-compliant merchants, who suffer a breach, also forfeit safe harbor protection.

About the expert

Gary Palgon is Lead Chair on the Tokenization Scoping Special Interest Group for the Payment Card Industry’s Security Standards Council (PCI SSC), and is Vice President of Product Management for nuBridges, where he directs the development of the Company’s data security solutions. He can be reached at gpalgon @ nubridges.com.