Intro to E-Commerce and PCI Compliance – Part I
Have you ever heard of the term Payment Card Industry (PCI)? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you and your website.
We will focus mostly on small and medium size e-commerce based solutions, which is the category that most of our clients fall into.
Part I – Introduction to E-Commerce and PCI Compliance
Part II – PCI and E-Commerce cloud-based SMB’s (coming soon)
Part III – PCI and your WordPress-based e-commerce (coming soon)
Part IV – PCI requirements in detail for cloud-based servers – Open source can help
What is PCI?
PCI is not a law or a government regulation. The right name is actually PCI DSS, which means Payment Card Industry – Data Security Standard. So PCI is a standard that contains a series of security requirements that every merchant, big or small, must follow, to be in compliance.
PCI was created and is mandated by the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. The PCI council now administers and keeps it updated.
Every merchant falls under PCI, even if you do not handle a large volume of transactions or use external providers to outsource your credit card information.
For those merchants that outsource their payment process, the scope of PCI is smaller and the verification requirements are lower and can likely be achieved by completing the PCI Data Security Standard (DSS) Self Assessment Questionnaire (SAQ). However, they must still follow the requirements.
PCI and Small Businesses
Many of our clients think that PCI does not apply to them because they are small. This is a very common mis-conception. PCI applies to any business that processes, stores or transmits credit card data. I will quote the PCI website section for SMB’s to explain how seriously they take it:
Small Merchants – You must secure cardholder data to meet Payment Card Industry rules!
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
If you are not taking security seriously and you do get hacked and your customers information is stolen, you will face serious repercussions.
Why should you care about PCI?
PCI compliance is mandatory if you accept credit card payments. You can’t run away from it. If you do not follow their requirements, you may face penalties, fines and even be prohibited from accepting credit cards in the future.
But that’s not the real reason why you should care about PCI. The real reason is that PCI gives you a number of very good recommendations to secure your online business. They will minimize the risk of your site getting compromised and having information stolen. I assure you that your customers will be very grateful not to have their information stolen from your website.
The fines for not complying with PCI can be harsh, but won’t be worse than the brand impact and the lost of trust from your clients by not taking security seriously.
Now that you know what PCI is and what you should care about, let’s look at what it entails.
It is divided into 6 major categories, 12 requirements:
Build and Maintain a secure network
Requirement 1- Install and maintain a firewall.
Requirement 2- Do not use vendor-supplied defaults for system passwords or other security parameters.
Protect Cardholder data
Requirement 3- Protect stored cardholder data.
Requirement 4- Encrypt transmission or cardholder data across public networks.
Maintain a vulnerability management program
Requirement 5- Protect all systems against malware and regularly update anti-virus programs.
Requirement 6- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7- Restrict access to card holder data by business need-to know.
Requirement 8- Identify and authenticate access to system components.
Requirement 9- Restrict physical access to card holder data.
Regularly Test and Monitor Networks
Requirement 10- Track and monitor all access to network resources and card holder data.
Requirement 11- Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12- Maintain an information security policy.
These 12 requirements cover different business areas that break down into more than 200 sub-requirements.
Each sub requirement is a check box in the self-assessment questionnaire that you will have to to follow. They can be very simple, an example being 6.2 that requires that “all system components and software are protected from known vulnerabilities by installing patches” to some more complex requirements like 10.2 that requires “automated audit trails implemented on all system components”.
PCI and e-commerce sites
In the next article of this series, we will talk about PCI and E-Commerce-only businesses. What do you have to do if you have a small business that is all online? What if you do not have a real network and your site is in the cloud? What if your business is only you?