14 Feb 2014

PCI Compliance & Websites

What is Payment Card Industry Data Security Standard (PCI DSS)

  • PCI compliance is there to ensure that cardholder data is not stolen and shared around the internet. As a merchant, if you take card payments of any kind, whether via your website, over the phone or via a card machine, it is your responsibility to make sure your customers’ data is protected.
  • PCI DSS is a standard set out by the PCI Security Standards Council (PCI SSC) https://www.pcisecuritystandards.org that is designed to protect cardholder data wherever it is stored, processed or transmitted, and in doing so helps you comply with the laws that protect personal data. PCI DSS is not itself a law; it is enforced contractually by the card brands through your acquiring bank. Complying with it will also help you avoid the risk of prosecution under the Data Protection Act - http://www.legislation.gov.uk/ukpga/1998/29/contents.
  • Account data consists of:
    • cardholder data
      • Primary Account Number (PAN) – the long number on the front of the card
      • Cardholder name
      • Expiration date
      • Service code – a three-digit code held on the card’s magnetic stripe or chip that tells a terminal which rules to follow when processing a transaction (for example whether a PIN is required).
    • sensitive authentication data 
      • Full magnetic stripe data or equivalent on a chip
      • CAV2 (JCB) / CVC2 (Mastercard) / CVV2 (Visa) – the 3 digit card security code printed on the signature strip on the back of the card
      • CID (AMEX) - 4 digit security code printed on the front of the card
      • PINs/PIN blocks
  • Under no circumstances are you permitted to store sensitive authentication data after authorisation, even if it is encrypted. The PAN must be rendered unreadable anywhere it is stored, for example by truncation, tokenisation, one-way hashing or strong encryption with properly managed keys. The cardholder name, service code and expiration date can be stored in a readable form.
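To show what “unreadable form” means in practice, and how to check that a PAN has not crept into somewhere it must never be stored, here is a small added example (it is not code from Easitill or from the original article). It scans free text such as a web server access log, a database export or a support note for card numbers, confirms each candidate with the Luhn check so that order numbers and phone numbers are not flagged, and masks the real PANs to the first six and last four digits, which is the most PCI DSS permits to be displayed. The function names and the log lines inside it are constructed for this example; the card numbers are the well-known test numbers, not real cards.

```python
"""PAN discovery and masking, as an added illustration of PCI DSS 3.3/3.4.

Scans free text (web server logs, database exports, support notes) for
card numbers, confirms candidates with the Luhn check and masks real
PANs to at most the first six and last four digits. The sample log below
is constructed for this example; the card numbers are test numbers.
"""
import re

# 13-19 digits, each optionally followed by a single space or hyphen,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a checkout that wrongly sent card fields in a GET
# query string (so they landed in the access log), and a support note.
SAMPLE_LOG = (
    '10.0.0.5 - - [14/Feb/2014:10:15:32 +0000] "GET /checkout?order=1234567890123'
    '&card=4111111111111111&cvv=123 HTTP/1.1" 200 512\n'
    '10.0.0.7 - - [14/Feb/2014:10:16:01 +0000] "POST /checkout HTTP/1.1" 302 0\n'
    'support note: customer read out card 5555 5555 5555 4444 exp 03/15 by phone\n'
)


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_if_pan(match):
    """Return the bare digits of a regex match if it is a Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """List the Luhn-valid PANs (digits only) found in text."""
    return [d for d in map(_digits_if_pan, _CANDIDATE.finditer(text)) if d]


def scrub(text):
    """Return text with every Luhn-valid PAN replaced by its masked form."""
    def repl(match):
        digits = _digits_if_pan(match)
        return mask_pan(digits) if digits else match.group(0)
    return _CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Two things worth noting. First, this is a detective control only: if the scan finds anything, the real fix is to stop the data arriving there (in the constructed log above, a payment form was submitted by GET, so the card fields were written to the access log). Second, the scan can only find PANs. A security code (cvv=123 in the sample) is three or four unremarkable digits that no content check can recognise, which is why the only defence against storing sensitive authentication data is never to let it reach your servers at all. The regex also has a known limit: two digit groups separated only by spaces may be read as one candidate, so a production scanner should split on field boundaries first.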


Do I need to be PCI DSS compliant?

When it comes to online payments you have broadly 2 options:
  1. You can take card payments and hand account data to a 3rd party known as a hosted payment gateway. The 3rd party stores, processes and/or transmits the account data, you use their Merchant ID to collect the money and your PCI DSS compliance is simplified. There are different types of hosted payment gateway:
    1. The redirect method takes the customer to the payment service provider’s own webpage and returns them to your site once they have completed payment.
    2. The iframe method puts a payment form that is fully hosted by your payment service provider inside a page on your website. The customer does not leave your website, but your PCI DSS compliance is still simplified, since you are still not storing, processing and/or transmitting account data on your server.
    3. The direct post method uses a form on your website but sends the card details straight from the customer’s browser to the payment service provider, so no account data reaches your server. The customer does not leave your website. Note that with this method your own page builds the form that collects the card data, so that page and the scripts it loads are in scope: anyone who can alter them can capture card numbers before they are posted. Since PCI DSS v3.0 this method has its own questionnaire, SAQ A-EP, with more requirements than SAQ A.
  2. You can take payments directly on your website by storing, processing and/or transmitting account data on your server. You will need your own Merchant ID and will be required to comply with a higher level of the PCI DSS.
Option 2, storing account data on your server, comes with considerable additional costs due to the legal and PCI DSS requirements for protecting that data.
As such Easitill use only option 1 outlined above and integrate with 3rd party PCI DSS compliant hosted payment gateways such as SagePay, Paypoint, WorldPay and Barclaycard.


Costs for taking payments on your website using a hosted payment gateway

  • Cost of the payment service provider charged as either:
    • a fixed monthly cost plus a flat and/or percentage fees per transaction.
    • or no monthly cost with slightly higher flat and/or percentage fees per transaction.
  • An SSL/TLS certificate for your own site. With the redirect method card data never touches your pages, so PCI DSS does not strictly require one, but it gives customers confidence and protects the rest of the checkout (addresses, order details, logins). With the iframe or direct post methods the page that embeds or builds the payment form must itself be served over HTTPS, otherwise an attacker on the network can alter that page and send the form to their own server.


Additional costs incurred in order to take payments directly on your website, thereby storing, processing and/or transmitting account data on your server

  • Payment processor monthly fee.
  • Flat and/or percentage fees per transaction.
  • Merchant ID monthly fee.
  • Potentially paying a Qualified Security Assessor (QSA) to audit your systems.


Which Self-Assessment Questionnaires (SAQ) do you have to complete?

The minimum PCI DSS requirement is to complete Self-Assessment Questionnaire (SAQ) A and the matching Attestation of Compliance (AOC), and to retain copies of the completed forms for presentation if requested. This is all you have to do if you fulfil all of the following requirements:
  • Process less than 10,000 transactions a year.
  • Do not store any card payment details on your site.
  • Use only PCI compliant service providers.
  • Do not use offline payment methods such as a PDQ machine or a merchant terminal.
  • Utilise no system components that are included in or connected to the cardholder data environment.
If you do not meet every one of the above criteria then you will have to complete a different questionnaire according to the following criteria. The transaction thresholds and which SAQ you may use are set by the card brands and applied by your acquirer, so confirm them with your acquirer.

Form   Criteria
A      E-commerce, mail or telephone order merchants that do not store cardholder data (CHD); all cardholder data functions are outsourced. This does not include face-to-face merchants.
B      Merchants that do not store electronic cardholder data: merchants that use an imprint machine to copy cardholder information, and merchants using standalone, dial-out terminals.
C-VT   Web-based virtual terminal merchants that do not store electronic cardholder data.
C      Merchants that use a payment application system connected to the Internet and do not store electronic cardholder data. If the payment application is supplied by a software vendor, the vendor must take security measures to ensure the application meets PCI compliance.
D      All other merchants not included in the above categories, and all service providers defined by a payment brand as eligible to complete an SAQ.


What do you need to know most about PCI compliance as a website owner?

  • PCI DSS only applies if the long number on the front of the card (the PAN) is stored, processed and/or transmitted (PCI DSS v2, page 8), and wherever the PAN is stored it must be in an unreadable form. For small merchants it is easy to minimise your PCI DSS compliance by isolating (segmenting) the cardholder data environment from the remainder of your network (PCI DSS v2, page 10). One way of achieving this is by using a hosted payment gateway that stores, processes and/or transmits account data on your behalf. In this case it is important to ensure that the service provider fully complies with PCI DSS, since it remains your responsibility to do so.
  • Any merchant or service provider with annual transactions totalling 10,000 or more is required to have a quarterly external vulnerability scan carried out by an Approved Scanning Vendor (ASV); confirm the exact threshold that applies to you with your acquirer.
  • PCI DSS compliance applies to four types of organisation:
    • Merchants are businesses who take card payments for goods or services e.g. a retailer.
    • Service providers e.g. payment gateways like PayPal, SagePay, WorldPay or Authorize.net.
    • Acquirers (merchant banks) e.g. a bank such as HSBC, which settles transactions with the issuers, via the card networks, on behalf of the merchant and/or service provider.
    • Issuers, the banks that issue cards to cardholders. The card brands themselves (Visa, Mastercard, American Express, Discover and JCB) are not issuers; they own the PCI SSC and run the compliance programmes under which your acquirer enforces PCI DSS.
  • The job of payment service providers is to collect the requested money and pay it into your merchant account. You can either have your own merchant account or you can use the merchant account of your payment service provider, but either way the money will then have to be transferred into your business bank account.
  • It’s your responsibility to ensure that your service providers are fully PCI DSS compliant to the appropriate level.
  • If you do store, process and/or transmit account data, PCI DSS compliance requires that the financial transactions carried out on your website or offline are carried out securely and your customers’ cardholder data is stored securely during and after transactions.
  • The consequences of a business’ failure to protect their customers’ account data are usually a one off fine followed by a monthly fine for every subsequent month that the merchant or service provider remain non-compliant and restriction on the business’ future ability to take card payments. A breach of cardholder security will also drastically compromise your organisation’s credibility in the eyes of your customers and can lead to lawsuits, insurance claims and loss of earnings as a result - https://www.pcisecuritystandards.org/security_standards/why_comply.php 
  • This excellent article details a case study of the breach of security of the Lush website and the response http://www.out-law.com/page-12147 
  • PCI compliance does not just apply to your website, it applies to any scenario where you handle and store card payment details including any offline payment solutions that you use such as PDQ machines and remote payment terminals.
  • If you do use a virtual terminal, the processes you go through surrounding its use must be PCI DSS compliant. To ensure that this is done in a compliant manner the sensitive authentication data should never be written down and stored anywhere and the PAN should never be written down and stored anywhere in a readable form. Instead type the account data directly into the virtual terminal and keep the card holder on the line until payment has been fully accepted.
  • You should also think about the technology that you use to take a payment. If you are using a virtual terminal, do you keep the anti-virus software on the computer you are using up-to-date, and do you install all the software security updates?
  • Sometimes technology that you don’t directly use to take payments might compromise your PCI DSS compliance. The computer that you use to take virtual terminal payments may be connected to the internet using a wire, yet the router will probably also have wireless. Is your wireless network secure (WPA2 with a strong passphrase rather than WEP, which PCI DSS has prohibited since 2010, or an open network, and with the router’s default administrator password changed)? TJX, owners of TJ Maxx, had credit card numbers stolen from its systems when a hacker broke into its wireless network - http://www.out-law.com/page-11732 
  • PCI compliance applies to all system components that are included in or connected to the cardholder data environment. The cardholder data environment is comprised of the people, processes and technology that store, process and/or transmit cardholder data or sensitive authentication data. System components in the context of PCI DSS are defined as any:
    • network component (including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances),
    • server (including but not limited to web, application, database, authentication, mail, proxy, network time protocol, and domain name servers), 
    • application (including all purchased and custom applications, including internal and external (e.g. Internet) applications),
    • or virtualisation component (such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors).

The 12 steps to PCI DSS compliance (taken from PCI DSS v2)

These 12 steps to PCI DSS compliance are actually just good security practice for your internal systems, and you will benefit from following them anyway in order to protect your business data in addition to that of your customers.

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel.


Resources and further reading