PCI DSS compliance

If you operate an e-commerce Web site or perform online merchant transactions you may have heard of the phrase “PCI Compliance” or “PCI DSS Compliance” – but do you know why it’s important for your business or what it entails?

PCI Compliance is a set of standards developed by the Payment Card Industry (PCI) and managed by the PCI Security Standards Council, an organization founded by the major global card brands (Visa, Inc., American Express, Discover Financial Services, JCB International, and MasterCard Worldwide). The purpose of the PCI Security Standards Council is to establish operating and security standards that protect merchants and processors alike from fraud.

There are many facets to PCI Compliance, covering both online and brick-and-mortar merchants. This page discusses PCI Compliance; the steps a merchant must take to become compliant; the potential consequences of failing the tests; and questions you can ask yourself to find out how to make your online business PCI Compliant safely and securely. Canvas Host can guide you through the complex world of PCI Compliance, beginning with PCI-Compliant Web hosting.

1. About PCI DSS Compliance

Though not federally mandated as law in the United States, many components of PCI DSS Compliance are already in place at the state level, and planned legislation is in the works that would eventually make it compulsory for all merchants operating in America.

Merchant service providers that process transactions for the major card brands now abide by the standards. If you are a merchant and use merchant processing services, you are subject to the PCI compliance requirements placed on you by your merchant service provider. These requirements vary based on your transaction volume, how you handle transactions, and other aspects of how your business operates.

2. Becoming PCI DSS Compliant

For a merchant to be PCI Compliant, the business must satisfy the 12 major requirements of the PCI Data Security Standard (PCI DSS) set forth by the PCI Security Standards Council, some of which involve periodic reviews, scans, and analysis by authorized third-party companies.

Analyses may include a review of the merchant’s physical card processing tools and data storage facilities, a code review of computer applications or e-commerce Web sites used by the merchant, or simply scans of the merchant’s Web site architecture and overall server environment.

The following list of 12 requirements is as noted on the Payment Card Industry Web site. We have added comments to help explain a point as it may or may not apply to an online merchant:

Requirement | Explanation
1. Install and maintain a firewall configuration to protect cardholder data | Is the hosting service for the e-commerce application secured against break-in attempts?
2. Do not use vendor-supplied defaults for system passwords and other security parameters | Is the e-commerce application and administration area locked down for added security?
3. Protect stored cardholder data | Is the credit card information encrypted so that if it is obtained, it cannot be used?
4. Encrypt transmission of cardholder data across open, public networks | Is the credit card information passed between purchaser and e-commerce Web site secured using SSL encryption to prevent eavesdropping and theft while in transit?
5. Use and regularly update anti-virus software | Are both the hosting environment and any merchant-operated computers at the place of business protected against viruses and keyloggers, which could otherwise enable theft of sensitive customer data?
6. Develop and maintain secure systems and applications | Is the e-commerce application secured using encryption, stable-release software, etc., and operated in a secured Web hosting space?
7. Restrict access to cardholder data by business need-to-know | Does the merchant prevent unauthorized access by its employees to customer data?
8. Assign a unique ID to each person with computer access | Does the merchant use separate logins for employees to prevent passwords from being freely or openly shared?
9. Restrict physical access to cardholder data | Is the data stored in a secured hosting environment accessible only to authorized employees or technical staff?
10. Track and monitor all access to network resources and cardholder data | Is the hosting environment secured against unauthorized login attempts through active/reactive firewalling and break-in/brute-force detection?
11. Regularly test security systems and processes | Is the hosting environment scanned regularly by a third-party ASV to ensure no new weaknesses exist?
12. Maintain a policy that addresses information security | Does the merchant have a means to control how customer data is protected, stored, managed, and destroyed?

These requirements are designed to provide end-to-end security for the merchant, the merchant’s customers, and even the merchant’s processing provider. Depending on a merchant’s assessed compliance level (section 3, below), these 12 requirements may be formally enforced by a third-party assessor, or simply by the merchant itself through a self-assessed annual survey.

3. Determining Your Level of Compliance

Compliance Level | Description | Requirements
Level 1 | Visa U.S.A. and MasterCard Worldwide transactions totaling 6 million and up per year, and any merchant that has experienced a data breach. | Annual onsite review by an internal auditor or a Qualified Security Assessor. Also, a quarterly network security scan is required with an approved scanning vendor.
Level 2 | Visa and MasterCard transactions totaling 1 million to 6 million per year. | Annual onsite review by an internal auditor or a Qualified Security Assessor. Also, a quarterly network security scan is required with an approved scanning vendor.
Level 3 | Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year. | Quarterly network scan and yearly self-assessment questionnaire.
Level 4 | Visa and MasterCard e-commerce transactions totaling up to 20,000 per year. | Quarterly network scan and yearly self-assessment questionnaire.

Most small- to medium-sized online merchants fall into compliance levels 2 through 4. For these merchants, a simple self-assessment and a quarterly scan of the merchant’s Web site are all that is required to ensure the merchant is, and remains, compliant.

4. Third-Party Compliance Scans

The primary way an online merchant is determined to be PCI Compliant — or not — is by having an authorized third party (an Approved Scanning Vendor, or ASV) scan the merchant’s Web hosting environment and application. ASVs typically look for known issues with the merchant’s Web site program code and, based on access granted by the merchant’s Web host, for issues within the Web hosting environment itself that might present a security risk.

Every ASV has its own set of best-practice guidelines it applies to determine whether a merchant’s online business is PCI Compliant or not. There are literally hundreds of ASVs available on the market. Most merchant service providers have a preferred ASV they work with to enforce the desired security standards the merchant must meet.

Typically, an ASV will conduct a series of scans on the merchant’s Web site, looking for problems with the Web site’s security encryption (SSL), customer logins that are not secured, and use of code known to be insecure (such as an older version of a shopping cart application). The ASV also scans the overall hosting environment to check whether the Web server is running a current operating system, whether the control panel and other management components of the environment have any known issues, whether the server has ports open that could expose it to unauthorized access, and so forth.

If a merchant fails to be PCI Compliant, they will typically be notified immediately by the ASV, as well as by their merchant service provider. The merchant is normally given a brief window of time in which to secure the Web site and/or change their hosting environment so that it is compliant, after which the merchant may be assessed fees on the order of $20-50 per month. In certain cases, the merchant may even have their merchant account shut down by the merchant service provider.

Because of the endless variations in how an ASV may conduct a scan, the specific requirements it may have in place, and the accuracy (or inaccuracy) of its scanning software, which may report “false positives” as errors that do not in fact exist, ensuring that a merchant’s Web site is PCI Compliant often takes personal, direct interaction between the ASV and the merchant’s Web host.

To take the guesswork out of meeting PCI Compliance, Canvas Host offers PCI-Compliant Web hosting. We work directly with a merchant’s ASV to assist in the scanning process, and liaise on behalf of the merchant to communicate known issues (and point out false positives) that might otherwise cause a merchant’s site to fail compliance.

For more information, please contact us today to learn about our PCI Compliance services.