Taming THE PCI Beast – 7 Steps For Easier Compliance

Payment Card Industry (PCI) security compliance requirements are quite thorough, and can be very confusing for merchants. Although there is a centralized resource for PCI matters (The PCI Security Standards Council website), the actual rules to follow when trying to achieve compliance are often misunderstood. We’ll take a look at some simple steps to help you achieve PCI compliance without too much pain.

Use PCI Compliant Ecommerce software

The PCI Security Standards Council has set a preliminary deadline of July 1, 2010 for all merchants to be using PCI compliant payment applications, such as ecommerce software. You can make life simpler (and not have to worry about this aspect) by using software that is PCI compliant. Currently, there are two lists of software that are certified PCI and/or PABP/PA-DSS compliant:

Validated Payment Applications

Do not store the actual credit card numbers

The best thing to do is limit your exposure as a merchant to the actual credit card numbers. There are a few scenarios to consider:

  • Use a third party off-site payment processor
    If you are using a payment option such as PayPal or Google Checkout, the customer is sent to an outside website to enter their payment details. This takes your website out of PCI scope (in PCI terms, it “does not fall under the scope of PCI”), since you never handle any card numbers yourself.
  • Use a traditional payment gateway
    If you use a gateway such as Authorize.net or PayPal Website Payments Pro to handle credit cards, your site is passing the card numbers to these applications. This means your website and the software it uses must adhere to PCI rules and pass a PCI scan. You also have to complete a shortened form of the PCI questionnaire. This assumes you are not storing the actual card numbers.
  • Turn off credit card storage
    If you do not need the actual card numbers (which you shouldn’t), then set your ecommerce software to not store any credit card data. This makes compliance much simpler, and limits your risk in terms of being breached by a hacker.

Choose a web host that understands PCI

This one cannot be emphasized enough. Make sure your web host is familiar with PCI issues, and understands the rules as they apply to your website and ecommerce software. Having a host that can help you get PCI issues resolved quickly is a necessity these days. We have helped many clients move to our hosting service solely because their previous host was unable to help them pass a PCI scan, or meet a PCI requirement.

Your web host is your partner in achieving (and maintaining) PCI compliance. Make sure they are competent when it comes to PCI.

Choose an Approved Scanning Vendor (ASV) that’s easy to work with

An ASV is the company that provides the PCI scanning service that is required to be completed quarterly. There are a number of companies to choose from, and some are easier to work with than others. Make sure you are comfortable with them, and make sure your host can work with them without any issues. Ask your web host which ASV they recommend.

For our clients, we recommend McAfee Secure, as we are partnered with them. This partnership allows us to easily resolve issues that come up, and we’re quite familiar with their scanning methods and avenues for resolving false positives. Other ASVs have widely differing levels of service when it comes to getting issues resolved (I won’t name names here).

If you must store card numbers…

If you have to view and store the actual credit card numbers (and you should re-examine whether you really *need* to do this), there are a number of additional rules you must follow. The PCI Security Standards Council website has all the gory details, but a few highlights are:

  • Limit the storage of credit card data to one computer/server (device).
  • That storage device must be firewalled off, and only accessible via a private (internal) network.
  • That device’s sole purpose should be for credit card storage.
  • Card data must be double encrypted, with one encryption method being a public/private key that is safeguarded (named asymmetric encryption in ShopSite).
  • Logs must be kept of all accesses to the card data, and that log data must be backed up and retained for 12 months.
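The last two highlights (log every access to the card data, keep the log for 12 months) are easy to get subtly wrong: the access log itself must never contain a full card number, and retention has to be enforced rather than assumed. The following is an added example, not code from the original post or from ShopSite, showing one way to write such an access log in Python using only the standard library. The JSON-lines layout, the field names, the 13-to-19-digit check and the sample entries are all this example's own assumptions.

```python
"""Audit logging for stored card data (added example, standard library only).

Each access to a stored card becomes one JSON line that carries who, when,
what action, which internal record, and only the last four digits of the
card number. A guard refuses to write any line that looks like it contains a
full primary account number (PAN), and a retention helper separates entries
that must still be kept (newer than 12 months) from those that may be purged.
"""
import json
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # the post's "retained for 12 months"
# Heuristic used by this example: any run of 13-19 digits could be a full
# PAN and must never appear in a log line.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan):
    """Return the PAN with every digit except the last four replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def make_access_entry(user, action, record_id, pan, when_iso=None):
    """Build one log record for an access to a stored card.

    Timestamps are ISO-8601 strings with a timezone offset. Only the last
    four digits of the PAN are kept, so the record cannot reconstruct it."""
    when_iso = when_iso or datetime.now(timezone.utc).isoformat()
    return {
        "ts": when_iso,
        "user": user,
        "action": action,        # e.g. "view", "decrypt", "export"
        "record_id": record_id,  # internal id of the stored card record
        "pan_last4": mask_pan(pan)[-4:],
    }


def serialize_entry(entry):
    """Render a record as one JSON line, refusing anything PAN-shaped."""
    line = json.dumps(entry, sort_keys=True)
    if PAN_PATTERN.search(line):
        raise ValueError("refusing to log a line that contains a full PAN")
    return line


def purgeable_entries(lines, now_iso):
    """Split log lines into (keep, purge) by the 12-month retention window.

    Entries newer than the window must be kept; older ones may be purged."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
    keep, purge = [], []
    for line in lines:
        entry = json.loads(line)
        target = purge if datetime.fromisoformat(entry["ts"]) < cutoff else keep
        target.append(entry)
    return keep, purge


if __name__ == "__main__":
    # Constructed sample data: a well-known test card number, not a real card.
    recent = serialize_entry(make_access_entry(
        "alice", "decrypt", "card-0042", "4111 1111 1111 1111",
        when_iso="2010-07-01T10:00:00+00:00"))
    old = serialize_entry(make_access_entry(
        "bob", "view", "card-0007", "4111111111111111",
        when_iso="2009-01-15T09:30:00+00:00"))
    print(recent)
    keep, purge = purgeable_entries([recent, old],
                                    now_iso="2010-08-01T00:00:00+00:00")
    print(len(keep), "to keep,", len(purge), "past retention")
    # A record that smuggles the full PAN into another field is rejected.
    try:
        serialize_entry({"user": "mallory", "note": "4111111111111111"})
    except ValueError as err:
        print("blocked:", err)
```

The guard in `serialize_entry` is the part worth copying: it checks the rendered line rather than individual fields, so a full card number pasted into a free-text field is caught too. Purging is deliberately split from deciding what is purgeable, so the retention decision can be reviewed before anything is deleted.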

Send certification to your merchant account provider each year

Most merchant account providers require that merchants send them proof / certification that they are PCI compliant. This can be mandatory, and/or a monthly fee is assessed if you are not PCI compliant. Make sure you print out and download your certification from the company that does your PCI scans, and send this to your merchant account provider.

Put the quarterly scan date on your calendar

Don’t wait for your site to lapse in its PCI compliance status. Don’t rely on your scanning company to remind you to fill out the questionnaire (yearly) or conduct a scan of your site (quarterly). Mark these dates down in your calendar (Google calendar is great for reminders) and give yourself enough lead time to deal with vulnerabilities that may come up, delays in filling out the forms, etc…

Once done, print out your certification and know where you can find it at all times. If there is a breach or suspected issue with your credit card security, proving PCI compliance is the first step to avoid any heavy fines from the credit card companies.

Don’t let the PCI process overwhelm you. Don’t ignore it because it seems too daunting. Simplify your credit card handling, avoid storing or handling the actual card numbers, partner with a web host and ASV that understand the process and can help you navigate the land mines, and you’ll find PCI to be a manageable and somewhat painless process.

What other things can merchants do to help with PCI compliance?

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

4 Comments

  1. Contrarian View says:

    Good article, but I seemed to read “recommended” rather than “required.” To be PCI Compliant, a merchant using a third party vendor with access to card information (such as an internet gateway) MUST be PCI Compliant. If the merchant has validated PCI Compliance for itself, but is then using a Noncompliant third party (with access to card info), then the merchant is de facto Noncompliant.

    Did not notice that mentioned in the article.

    Thanks.

  2. PCI compliance “requirements” are a ridiculous and expensive burden on small business owners. It’s another example of banks ripping off the public and over-regulation. I suspect many small business owners fudge the responses to make compliance easier or just pay the extra fees for non-compliance. In the long run, the PCI process is doomed to failure and will be abandoned as unworkable. UGH
