“What the heck is PCI compliance? Does my site have it? What does PCI compliance do for me? Why do I need it?”
These are all good questions that I hear from clients all the time—and ones that you need to know the answers to if you plan to launch an ecommerce site.
PCI Compliance, or Payment Card Industry Compliance, is a complicated subject with a lot of nuances. So, instead of trying to answer every possible PCI Compliance question, I will try to give a big picture overview of the key concepts involved in PCI compliance, how they affect you, and what you need to know.
PCI Compliance encompasses a comprehensive set of standards developed by the Payment Card Industry Security Standards Council (PCI SSC) to help keep sensitive data secure. The theft of credit card numbers, bank account numbers, and social security numbers accounts for billions of dollars a year in losses, which are ultimately borne by consumers. Therefore, it is in all of our best interests to do what we can to protect this valuable information by ensuring that the websites we do business with or host are PCI Compliant.
PCI Compliance covers three major groups involved at some stage of the ecommerce transaction:
PCI DSS, or Payment Card Industry Data Security Standards, is the core set of data security standards that applies to ecommerce merchants and card processors. PCI DSS covers how cardholder data is stored and secured, and requires that vulnerabilities affecting that data be minimized. This is the standard that applies to you if you are running an ecommerce web site.
PA DSS, or Payment Application Data Security Standards, apply to software companies that write software programs that accept payment information such as credit cards. Typically, PCI DSS is only satisfied by using PA DSS certified products.
PED, or PIN Entry Device, is a set of standards for the physical devices that read cards and allow users to enter a PIN.
Overall, the security and PCI Compliance work for your ecommerce site falls into four key action areas:
- Making sure that sensitive data is protected through encryption
- Storing data in a secured location with strong access control in place
- Operating a secured network
- Regularly testing for vulnerabilities
While the PCI Council publishes specific standards, the overall goal of the entire initiative is to minimize data theft and exploitation. If you keep this goal in mind and look at all of the various layers of vulnerability within your system, you will start to get a handle on this problem. PCI Compliance is not a law; rather, it is a security standard intended to foster confidence, raise awareness of the issue, and hold merchants accountable for the security of the data they acquire.
Questions to Consider
As you start to assess your ecommerce site’s exposure, you will want to ask yourself and your vendor(s) some of the following questions:
- Is the hosting center SAS70 level 2 certified? This is a separate audit for security procedures and access at the data center level. For additional information, there are a number of links at http://sas70.com/sas70_links.html
- Is the software we use PA DSS certified? You can go to www.pcisecuritystandards.org to find approved providers. Keep in mind that the PCI SSC is quite backlogged with applications and is many months behind in finalizing certifications, so there are additional vendors in the final stages of approval that are not yet listed.
- Do you have a tool or service to run PCI compliance and penetration tests? There are several providers available. I suggest you Google “PCI Penetration Test” for a variety of sponsored and unsponsored links.
As with everything, the higher the bar you set for your vendors, the more expensive compliance is likely to be. There will always be some tradeoff between cost and security, and you must use your own judgment as to where that line is drawn. The more transactions you process, and the more knowledgeable your consumers are, the more important it will be to ensure you have the best possible security measures in place. To assess the security of your ecommerce site and data storage practices, check out the free security assessment questionnaire offered by the PCI Council.
In short: If you take credit cards on your ecommerce site, the credit card companies, and soon consumers, will expect you to be compliant. Make sure you clearly understand the rules and how you and your site can maintain compliance. In the end, this helps us all.