Becoming PCI Compliant

e-onlinedata

New member
Everybody's talking about Payment Card Industry (PCI) compliance and, if you're an e-commerce merchant, you probably know by now that you have to bring your online store into compliance with the PCI Data Security Standard (DSS). But what does that mean to you? There's a lot of confusion about what, exactly, you have to do to achieve full compliance.

One big myth that's spreading among merchants is that payment gateway, shopping cart or Web host compliance alone is all it takes. Get that established and you're all set. Wrong! That's a common misconception - and a potentially expensive one once PCI starts issuing fines and penalties against the noncompliant.

Think of it this way: if your house has four doors and only three of them are locked, is it secure against intruders? Of course not. Any one of those locks is a great start, but no more than that. Until all four doors are locked up tight, that house will never be secure. The same goes for your e-commerce site. A compliant payment gateway, shopping cart, or Web host by itself is good to have but - without compliance in all areas - you've got a virtual unlocked door. With a great big welcome mat for intruders just outside.

The good news is that there are companies out there that can help. Just as there are Web sites that can guide you through completing and filing your taxes, there are many - like those of qualified security assessors (QSAs) and approved scanning vendors (ASVs) - that can walk you through the necessary steps to certified PCI compliance. It's a complex but ultimately understandable process.

The Road to Compliance - All Gain, Little Pain

The PCI standards are pretty clear. Here's what they are and some actions you'll have to take to meet them:

* Build and maintain a secure network: take steps like installation and maintenance of firewalls, and ensure that vendor-supplied default passwords are changed.

* Protect cardholder data: be able to show that you're protecting stored cardholder data and properly encrypting it for any transmission through networks.

* Maintain a vulnerability management program: use and update anti-virus software and ensure that all systems and applications are secure.

* Implement strong access control measures: take steps to definitively restrict internal access to cardholder data to need-to-know areas/personnel, establishing unique passwords and other identifiers.

* Regularly monitor and test networks: establish a program for testing all security systems and processes; monitor and keep records of all tests run and all access to networks and cardholder data.

* Maintain an information security policy: develop a policy and keep it updated as business conditions change.

Easy, right? Okay, it may seem like anything but. No worries - just take a breath and do what it takes to assess where you stand.

Here's What You Have To Do

If you're what's called a Level 3 (20,000 to 1,000,000 annual transactions) or Level 4 (less than 20,000 annual transactions) merchant, you're not required to conduct an on-site remediation. You do, however, have to complete an annual online self-assessment questionnaire and quarterly full-network security scans (remember those approved scanning vendors or ASVs mentioned earlier? You'll need one for this).

The only Level 3 and 4 merchants not required to conduct external scans are those who enter data through virtual terminals directly into payment gateways that are certified as compliant. You'll want to verify both that this category fits you and that your gateway is compliant - a faulty assumption here will cost you money. Once you've confirmed those facts, be aware that you're still responsible for completing an annual online self-assessment.

For any of these requirements, consulting a qualified security assessor (QSA) or approved scanning vendor (ASV) will make the job a lot easier. You can find a list of ASVs here: https://www.pcisecuritystandards.org/pdfs/asv_report.html

Help - I'm One of the Little Guys!

If you're running a reasonably big operation with qualified IT people at your beck and call, this probably feels pretty manageable by now. But what if you're a very small, say low-end Level 4, merchant with no technician on-site to fix any vulnerabilities you discover? Fear not - just take a good, hard look at your vendors.

First, remind yourself of who they are, because there may be more than you commonly communicate with. Look at your hosting provider, shopping cart, payment gateway and any other providers. Are they all certified PCI compliant, ensuring that all your virtual doors are locked up tight? If not, it might be time to find yourself ones that are. For the smallest merchants, that's one way to keep this simple - and yourselves protected.

The Pot of Gold at the End of the PCI Rainbow

If you find yourself getting frustrated on the road to PCI compliance, take a minute to remember the big picture. The Payment Card Industry is taking these dramatic steps to protect cardholders, yes, but also merchants. Can you afford the damage to your business a major security breach would cause? You might think you're a small target but - guess what? - those are hackers' favorite kind. After all, when you're planning a robbery, do you go after Fort Knox or that super-busy Mom and Pop store down the street? You know, the one with four doors... but only three that are locked.

For more information on PCI compliance, these Web sites are great resources:

http://e-onlinedata.cmail1.com/l/570083/l/y
http://e-onlinedata.cmail1.com/l/570083/l/6

Great article. One thing to add on here, and I know it was mentioned, but it's the REPEATED SCANNING. We've seen many customers run a scan ONCE or get the email saying "secure" and then never run it again. Just like the windows and locks scenario, you have to constantly make sure that things are locked when you leave the house.

Software is constantly changing. Almost DAILY there is an OS update to patch potential exploits. Software is the same way.

PCI Scanning companies can help you keep on top of what may be a potential exploit. When you get the report, forward it to the hosting company to resolve.

When a hosting company says they are compliant, they usually only comply on their own site (not ALL servers in their network). So remember, just because they say they're compliant, that doesn't mean that YOUR SERVER is compliant.