Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an ecommerce website you probably have already heard about it, but do you really understand what it means for you and your online business? In this series we will try to explain the PCI standard and how it affects you and your website.
We will focus mostly on small and medium sized ecommerce businesses, which is the category that most of our clients fall into.
What is PCI Compliance?
PCI is not a law or a government regulation. The correct name is actually PCI DSS, which means Payment Card Industry – Data Security Standard. So PCI is a standard that contains a series of security requirements that every merchant, big or small, must follow, to be in compliance.
PCI was created and is mandated by the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. The PCI council now administers and keeps the standards updated.
Every merchant falls under PCI, even if you do not handle a large volume of transactions or outsource your credit card processing to external providers.
For those merchants that outsource their payment process, the scope of PCI is smaller and the verification requirements are lower; compliance can likely be demonstrated by completing the PCI Data Security Standard (DSS) Self-Assessment Questionnaire (SAQ). However, they must still follow the requirements.
PCI and Small Businesses
Many of our clients think that PCI does not apply to them because they are too small. This is a very common misconception. PCI applies to any business that processes, stores or transmits credit card data. I will quote the PCI website section for SMBs to explain how seriously they take it:
Small Merchants – You must secure cardholder data to meet Payment Card Industry rules!
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
If you are not taking security seriously and you do get hacked, and customer information is stolen, you will face serious repercussions.
Why Should You Care About PCI?
PCI compliance is mandatory if you accept credit card payments. You can’t run away from it. If you do not follow their requirements, you may face penalties, fines and even be prohibited from accepting credit cards in the future.
But that’s not the real reason why you should care about PCI. The real reason is that PCI gives you a number of very good recommendations to secure your online business. Following them will reduce the risk of your site getting compromised and having information stolen. I assure you that your customers will be very grateful not to have their information stolen from your website.
The fines for not complying with PCI can be harsh, but they won’t be worse than the brand impact and the loss of trust from your clients that come from not taking security seriously.
Now that you know what PCI is and why you should care about it, let’s look at what it entails. The standards are divided into 6 major categories with 12 requirements in total:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall.
- Requirement 2: Do not use vendor-supplied defaults for system passwords or other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus programs.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Test and Monitor Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain an information security policy.
These 12 requirements cover different business areas that break down into more than 200 sub-requirements.
Each sub-requirement is a check box in the self-assessment questionnaire that you will have to follow. They range from the very simple, such as 6.2, which requires that “all system components and software are protected from known vulnerabilities by installing patches”, to more complex requirements like 10.2, which requires “automated audit trails implemented on all system components”.
PCI and Ecommerce Websites
In the next article of this series we will talk about PCI and ecommerce-only businesses. What do you have to do if you have a small business that is all online? What if you do not have a real network and your site is in the cloud? What if your business is only you?