One of the most misunderstood requirements as a merchant offering any type of credit or debit card services are the new security standards released by the Payment Card Industry.

Essentially, the PCI DSS (Payment Card Industry Data Security Standard) must be met by all organizations (merchants and service providers) that transmit, process or store credit card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law, rather a contractual obligation applied and enforced (by means of fines or other restrictions) directly by the payment providers (e.g., Visa & MasterCard) themselves. See a list of validated service providers here.

PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Compliance requirements are dependent on a merchant’s activity level.

There are four activity levels, based on the annual number of credit/debit card transactions.

In general:

Level 1 Criteria
Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements
Annual Onsite Security Audit (reviewed by a QSA or Internal Audit if signed by officer of merchant company and pre-approved by acquirer) and quarterly network security scan

Level 2 Criteria
Merchants with 1,000,000 to 6 million transactions a year
Level 2 Validation Requirements
Annual Self Assessment Questionnaire
Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria
Merchants with 20,000 to 1,000,000 transactions a year
Level 3 Validation Requirements
Quarterly Scan by an Approved Scanning Vendor (ASV)
Annual Self Assessment Questionnaire

Level 4 Criteria
Merchants with less than 20,000 transactions
Level 4 Validation Requirements
Annual Self Assessment Questionnaire

Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)

For further information

For comprehensive information about eCommerce and PCI DSS requirements, please visit the PCI Security Standards Council website.

Extended Validation (EV) SSL Certificates meet the highest standard in the Internet security industry for Web site authentication. EV SSL Certificates give high-security Web browsers information to clearly display a Web site’s organizational identity. The high-security Web browser’s address bar turns GREEN and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Why is this important? It gives Web site visitors an easy and reliable way to establish trust online.

I’ve started noticing more and more green EV SSL certificates lately, but I was on a local Credit Union’s site yesterday afternoon and noticed their SSL didn’t even show that the site was encrypted. I was stunned. I’ve been in that Credit Union a number of times and know their IT security to be first rate.  Their site was recently revamped, so I suspect their new host cut costs by installing a cheap SSL certificate, as they can be found online for less than ten dollars.

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

• 1. An SSL Certificate enables encryption of sensitive information during online transactions.
• 2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
• 3. A Certificate Authority verifies the identity of the certificate owner when it is issued.

You need SSL if…

• You have an online store or accept online orders and credit cards
• You offer a login or sign in on your site
• You process sensitive data such as address, birth date, license or ID numbers
• You need to comply with privacy and security requirements
• You value privacy and expect others to trust you.

Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL.

There seems to be a great deal of confusion about PCI compliance, on the part of merchants and hosting providers. Who’s responsible for what?

First, the merchant (web host) always remains responsible for compliance – to be certified. Their hosting provider (data center) is responsible within the scope of the infrastructure and services they provide to the merchant – for example, real estate (floor, electricity and controlled physical access). If a hosting provider also manages the merchant’s network, then they’re responsible for that specific scope of compliance.

Having said that, the merchant is required to monitor compliance of their service providers and manage any non-compliant risks, but a hosting provider’s PCI compliance isn’t mandatory for merchants to use that provider.  As a merchant who accepts card payments for products or services, you are obligated to be PCI compliant – but not for the environment in it’s entirety, rather limited to the processing of the credit cards, storage of that data and their respective transmission gateways. To that end, PCI is technology neutral, meaning you don’t have to build out with specific infrastructure.

So what are the minimum requirements? A couple of servers. a firewall, logging, monitoring and IDS / IPS (intrusion detection and intrusion prevention systems) capabilities.

There is a CISP list of providers that have been validated as PCI compliant. That list doesn’t include all providers that have been validated though. To be listed, those providers must also pay VISA an additional fee every year to remain on that list – sort of an advertising fee. That fee can run into the thousands of dollars.  

On the Self Assessment Questionnaire that providers must submit, there are countless items of concern. Just a brief scan of this PDF from the PCI Security Standards Council validates the concerns many vendors face concerning their liability.  

PCI compliance is requires so much more than servers and a firewall.

Following is a brief list of requirements:  

• Establish firewall configuration standards that include the following:
• A formal process for approving and testing all external network connections and changes to the firewall configuration
• A current network diagram with all connections to cardholder data, including any wireless networks
• Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

The list of requirements goes on and on addressing intrusion detection, internal and external penetration testing, etc.

 I read an interesting thread this morning about PCI compliance. As a merchant, I have some knowledge of PCI regulations, but not as much as I should. I leave that to more knowledgeable members of our staff (COO, legal and accounting departments). It seems the rules are constantly changing, so much so that I wonder how many small hosts keep up with all these changes and new requirements. In the posts that followed this thread, misconceptions ran rampid. One member even posted he was proud to be non-compliant. OUCH! I don’t think I’ll go there.  The fines for being non-compliant are astronomical!

With so many breaches of credit card security lately, it was inevitable change was forthcoming. I’m certainly not an expert on the topic, so I leave you with some links to sites that clarify PCI compliance. Enjoy!

Industry Links:

• pcisecuritystandards.org
• pcisecuritystandards.org/saq/instructions.shtml
• pcisecuritystandards.org/security_standards/ped/index.shtml
• pcisecuritystandards.org/security_standards/pa_dss.shtml
• usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
• mastercard.com/us/sdp/index.htmlPayment Card Industry Data Security Standard – Wikipedia, the free encyclopedia
• Approved Scanning Vendorsamericanexpress.com/merchant
• Society of Payment Security Professionals – Payment Security Blog wikipedia.org/wiki/PCI_DSSTreasury Institute PCI/DSS Blog Redirect
• pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
• pcisecuritystandards.org/pdfs/asv_report.html