Senior Marketing Manager for the Web Security Group, Sarah Grayson has over 15 years of experience in high technology ...
Regulations around electronic payments are nothing new, but in today’s threat laden environment, staying up to date with credit card security standards is crucial. eCommerce has created an ideal environment for cyber criminals to take advantage of unsuspecting merchants and obtain consumer financial information.
Merchants and payment providers rely on a set of industry standards known as the Payment Card Industry Data Security Standard (PCI DSS). The majority of this responsibility has fallen into the lap of online merchants, but many see it as an obligation rather than a necessary process. There are over 350 different points of audit that must be met in order to be fully PCI compliant, which can be daunting for small to medium sized businesses.
We spoke with Sally Baptiste, Director of Global Credit Card and Electronic Receipts at McAfee, and Alex Mulin, Senior Business Development Manager at X-Cart to answer five of the most commonly asked questions when it comes to PCI…
1. Is there any way to avoid PCI compliance?
Unfortunately, there is no way to be an online merchant and get out of PCI compliance. Any merchant who accepts payments inherently accepts all liabilities and therefore must follow industry standards.
While this may sound like a discouraging assertion, there are ways to offload some of that liability through Transparent Redirect or iFrame payment gateways. These services rely on third party payment providers to collect and store customer information at the time of check out on behalf of the merchant.
By using these services some of the liability is removed, but it’s important to remember that in the event of a breach (even if it’s on the third party’s side) your company’s name will still be the one splashed across the headlines.
2. Is it enough to just have SSL certification and not store credit card information to be compliant?
Relying on SSL certification is not enough to be completely PCI compliant. While SSL encrypts financial data in transit, once the information reaches its destination—company bank account, server, etc.—it is vulnerable to attack if no other method of protection is in place. Employing SSL only fulfills one out of the 369 requirements you need to be completely PCI compliant.
Not storing credit card information may indeed absolve you as the merchant from some of the obligations, but it also has unforeseen consequences. One of the most important is that there are many unofficial places where customer financial information may end up within your organization:
E-faxes and unauthorized internal emails, handwritten credit card numbers from the sales team and more—you could be storing credit card data through secondary methods without even knowing!
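The point above is that card numbers leak into places no payment page ever touches. The usual defensive response is a cardholder-data discovery sweep: walk the mailboxes, fax archives and CRM notes, flag digit runs that look like a primary account number (PAN) and pass the Luhn mod-10 check, and report them masked. The script below is an added example, not code from the article, X-Cart or McAfee; the file names are invented, the record contents are constructed, and the card numbers are the publicly documented issuer test numbers, not real cards.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or
# dashes (the formats people type into e-mails, fax notes and CRM fields).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every genuine card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PAN-like digit runs in text that also pass the Luhn check."""
    pans = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so a finding can be
    reported without the report itself becoming another copy of the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: dict) -> dict:
    """Map each record name to the masked PANs found in it (empty list if clean)."""
    return {name: [mask_pan(p) for p in find_pans(body)]
            for name, body in records.items()}


# Constructed sample "secondary" stores (hypothetical paths and contents).
SAMPLE_RECORDS = {
    "efax/2014-03-01-order.txt":
        "Cust wants to pay by card: 4111 1111 1111 1111 exp 12/15, ship ASAP",
    "mail/sales-inbox/msg-0042.eml":
        "Subject: phone order\n\nCard number is 5555-5555-5555-4444, keep it on file.",
    "crm/notes/acct-7781.txt":
        "AMEX 378282246310005 - customer prefers invoice next quarter",
    # A 16-digit order id: looks like a PAN but fails Luhn, so it is not flagged.
    "logs/orders.log":
        "2014-03-02 order_id=1234567890123456 status=shipped",
}

if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {hits or 'clean'}")
```

The Luhn filter is what keeps the sweep usable: order ids, tracking numbers and timestamps produce long digit runs too, and without it every hit would need a human to triage. A real sweep would also walk file shares and database dumps, but the detection logic is the same.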
3. Is it enough just to run PCI and security scans to be compliant?
Running frequent security and PCI compliance scans will cover three to four more points of audit at most. Scanning the pages where data is collected and retrieved may cover the majority of vulnerabilities, but as we said in the last point, it won’t pick up back end or private port-to-port transactions.
These scans are not enough, but they are a crucial step in staying completely secure if you employ a Transparent Redirect or iFrame service. Scanning the code that nestles the iFrame into your payment page is key as well as checking the gateway between your site and the transparent redirect company’s site.
4. What about accepting payments through PayPal or other eWallet providers?
Transactions completed through PayPal or other eWallets create a completely touch free situation for merchants. On the backend PayPal is charging the customer’s card – so it’s a separate and unique transaction removed from your site.
Reluctant consumers aside, if you choose to only accept payments through eWallets, your site would be completely removed from PCI compliance, but not exempt from personal information collection legislation and requirements.
5. Can partnering with third party security providers help meet PCI requirements?
Absolutely. The easiest time to steal data is when the merchant is in the process of collecting it – so enlisting a security provider to help you do so safely is important. Credit card data in motion only has SSL encryption and no other protection, so it’s most vulnerable at that point. Partner companies can enhance your back-end security in order to help as well as remove quite a bit of responsibility.
The key areas to focus on are the two to three pages where customer information is being entered. However, non-purchase pages also apply if you have an update feature where customers can change their payment or account information. It’s important to remember that not storing credit card data during a transaction is different from not storing a credit card number in an account.
Before you embark on this journey down the PCI rabbit hole, research which standards your company already complies with because of in-house policies or standards. This could potentially save you from headaches down the road and provide a much needed head start.
As a merchant, you shouldn’t look at PCI as something to get out of, but instead something to leverage. PCI compliance is crucial to the foundation of an online business—ensuring safe financial transactions and helping to build customer confidence. Keeping up with PCI standards shows that you are taking the necessary steps to keep your customers’ data safe.
X-Cart recently held a webinar on this topic. Listen to the full presentation here.
Visit our website for more information on how the McAfee PCI Certification Service can provide your company with step-by-step compliance guidance, and be sure to follow us on Twitter at @McAfeeSECURE for the latest in eCommerce news and events.