Get Paid to Participate - up to $1 per post!     Twitter     Facebook     Google+
Hosting Discussion

forgot password?


  Post #1 (permalink)   02-19-2009, 10:45 AM
HD Newbie
Join Date: Feb 2009
Location: Maine
Posts: 2

Status: e-onlinedata is offline
Everybody's talking about Payment Card Industry (PCI) compliance and, if you're an e-commerce merchant, you probably know by now that you have to bring your online store into compliance with the PCI Data Security Standard (DSS). But what does that mean to you? There's a lot of confusion about what, exactly, you have to do to achieve full compliance.

One big myth that's spreading among merchants is that payment gateway, shopping cart or Web host compliance alone is all it takes. Get that established and you're all set. Wrong! That's a common misconception - and a potentially expensive one once PCI starts issuing fines and penalties against the noncompliant.

Think of it this way: if your house has four doors and only three of them are locked, is it secure against intruders? Of course not. Any one of those locks is a great start, but no more than that. Until all four doors are locked up tight, that house will never be secure. The same goes for your e-commerce site. A compliant payment gateway, shopping cart, or Web host by itself is good to have but - without compliance in all areas - you've got a virtual unlocked door. With a great big welcome mat for intruders just outside.

The good news is that there are companies out there that can help. Just as there are Web sites that can guide you through completing and filing your taxes, there are many - like those of qualified security assessors (QSAs) and approved scanning vendors (ASVs) - that can walk you through the necessary steps to certified PCI compliance. It's a complex but ultimately understandable process.

The Road to Compliance - All Gain, Little Pain

The PCI standards are pretty clear. Here's what they are and some actions you'll have to take to meet them:

* Build and maintain a secure network: take steps like installation and maintenance of firewalls, and ensure that vendor-supplied default passwords are changed.

* Protect cardholder data: be able to show that you're protecting stored cardholder data and properly encrypting it for any transmission through networks.

* Maintain a vulnerability management program: use and update anti-virus software and ensure that all systems and applications are secure.

* Implement strong access control measures: take steps to definitively restrict internal access to cardholder data to need-to-know areas/personnel, establishing unique passwords and other identifiers.

* Regularly monitor and test networks: establish a program for testing all security systems and processes; monitor and keep records of all tests run and all access to networks and cardholder data.

* Maintain an information security policy: develop a policy and keep it updated as business conditions change.

Easy, right? Okay, it may seem like anything but. No worries - just take a breath and do what it takes to assess where you stand.

Here's What You Have To Do

If you're what's called a Level 3 (20,000 to 1,000,000 annual transactions) or Level 4 (less than 20,000 annual transactions) merchant, you're not required to conduct an on-site remediation. You do, however, have to complete an annual online self-assessment questionnaire and quarterly full-network security scans (remember those approved scanning vendors or ASVs mentioned earlier? You'll need one for this).

The only Level 3 and 4 merchants not required to conduct external scans are those who enter data through virtual terminals directly into payment gateways that are certified as compliant. You'll want to verify both that this category fits you and that your gateway is compliant - a faulty assumption here will cost you money. Once you've confirmed those facts, be aware that you're still responsible for completing an annual online self-assessment.

For any of these requirements, consulting a qualified security assessor (QSA) or approved scanning vendor (ASV) will make the job a lot easier. You can find a list of ASVs here:

Help - I'm One of the Little Guys!

If you're running a reasonably big operation with qualified IT people at your beck and call, this probably feels pretty manageable by now. But what if you're a very small, say low-end Level 4, merchant with no technician on-site to fix any vulnerabilities you discover? Fear not - just take a good, hard look at your vendors.

First, remind yourself of who they are, because there may be more than you commonly communicate with. Look at your hosting provider, shopping cart, payment gateway and any other providers. Are they all certified PCI compliant, ensuring that all your virtual doors are locked up tight? If not, it might be time to find yourself ones that are. For the smallest merchants, that's one way to keep this simple - and yourselves protected

The Pot of Gold at the End of the PCI Rainbow

If you find yourself getting frustrated on the road to PCI compliance, take a minute to remember the big picture. The Payment Card Industry is taking these dramatic steps to protect cardholders, yes, but also merchants. Can you afford the damage to your business a major security breach would cause? You might think you're a small target but - guess what? - those are hackers' favorite kind. After all, when you're planning a robbery, do you go after Fort Knox or that super-busy Mom and Pop store down the street? You know, the one with four doors ...but only three that are locked.

For more information on PCI compliance, these Web sites are great resources:
e-onlinedata is the nationís fastest-growing and most trusted provider of online payment solutions and the largest reseller for payment gateway. We offer multiple Value Added Reseller Programs for Web Hosts. If your customers need to accept credit cards, become a reseller today.

  Post #2 (permalink)   02-19-2009, 11:34 AM
HD Wizard
Join Date: Mar 2005
Location: Atlanta, GA
Posts: 2,264

Status: handsonhosting is offline
Great article. One thing to add on here, and I know it was mentioned, but it's the REPEATED SCANNING. We've seen many customers run a scan ONCE or get the email saying "secure" and then never run it again. Just like the windows and locks scenario, you have to constantly make sure that things are locked when you leave the house.

Software is constantly changing. Almost DAILY there is an OS update to patch potential exploits. Software is the same way.

PCI Scanning companies can help you keep on top of what may be a potential exploit. When you get the report, forward it to the hosting company to resolve.

When a hosting company says they are compliant, they usually only comply on their own site (not ALL servers in their network). So remember, just because they say they're compliant, that doesn't mean that YOUR SERVER is compliant.
Emerson Nogueira
cPanel Web Hosting, Domain Registration, Managed VPS Servers

  Post #3 (permalink)   02-19-2009, 09:21 PM
HD Wizard
romes's Avatar
Join Date: Feb 2007
Location: IL
Posts: 1,651
Send a message via Skype™ to romes

Status: romes is offline
Great article man. Thanks for the share.
__________________ | New Sci Fi Novel! - Aliens, Wars, Backgrounds, Settings and more!
Vanguard Project | Stay up-to-date on the latest news about my sci fi novel!

  Post #4 (permalink)   02-20-2009, 07:52 AM
HD Newbie
Join Date: Feb 2009
Location: Maine
Posts: 2

Status: e-onlinedata is offline
You're welcome!
e-onlinedata is the nationís fastest-growing and most trusted provider of online payment solutions and the largest reseller for payment gateway. We offer multiple Value Added Reseller Programs for Web Hosts. If your customers need to accept credit cards, become a reseller today.

Thread Tools

New Post New Post   Old Post Old Post
Posting Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Sponsored By: