As consumers, many of us have been victims of data breaches with all that entails: locking down accounts, identity theft monitoring subscriptions, and further erosion of trust between customers and vendors. In many cases, the organizations that fail to protect our personal and financial data are credit reporters and data brokers like Experian, which we’ve never consciously done business with. It is even more sobering to approach this scenario as a business that must continually earn customer satisfaction; if your site is hacked and customer data is compromised, it is likely to have a considerable impact on your reputation and relationship with your customers.
Last week we touched on some protection and mitigation strategies to reduce your risk in this area. One of the most proactive steps you can take is to ensure that your e-commerce site is compliant with PCI DSS standards, which can guide you in affirmative steps to secure your site better and demonstrate to customers that you take the security of their payment data seriously.
What is PCI Compliance?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a common set of requirements formulated by a joint council created by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) about 15 years ago. PCI standards now extend far beyond the credit card companies themselves to other organizations like banks, payment processors, and websites that transmit credit card information.
Most websites do not store any sensitive information or credit card details themselves. If you take credit card payments online, you are almost certainly securely transmitting the credit card details that customers enter to a payment processor such as Authorize.net or Stripe, which in turn charges the card on your behalf. At no time does your website store a copy of any customer’s full credit card number; instead, your site at most stores a customer ID and credit card ID that can be used to run additional transactions with a returning customer who has already made a payment on your site.
Why is PCI Compliance Important?
As we just noted, your website doesn’t store any credit card data on its own. (If you are for some reason collecting credit card numbers on a website form and then running them manually, stop immediately: storing credit card numbers on your site without robust security is very risky and increases your liability.) This makes it very important that the actual payment processing services are 100% secure and reliable. The use of uniform standards across the industry allows customers and website owners to feel confident that the credit card payment processors are all taking the same steps to ensure that data is stored safely and securely.
While you, as a website owner, do not store any credit card information, your site is still an essential node in transmitting payment details. Customers still enter their credit card numbers on a public web page, and those numbers are then sent over the internet to the payment processor. If your site were hacked or otherwise compromised, bad actors could intercept credit card information at various points before it reaches the payment processor. The PCI DSS standards for websites are an essential roadmap for you as a site owner to ensure that your site is appropriately secured, and they give others a common way to understand how secure your site is.
More generally, all of the PCI DSS standards represent best practices for securing your server and network against bad actors. Achieving PCI compliance and gaining certification of your status is also a significant first step toward meeting other security and privacy regulations such as HIPAA.
What do you have to do?
Many payment processors like PayPal and Stripe now offer fully integrated checkout processes in which all data entry and transfer happens entirely in an environment that they control. As a site owner, if you choose to use a service like Stripe Checkout, users enter their credit cards and check out in a Stripe interface rather than filling out a payment form that you host. These embedded checkout processes are seamless and well-designed and, most importantly, can make you 100% PCI compliant out of the box.
However, many site owners prefer to host their own payment forms and checkout processes in order to retain control over the branding, look-and-feel, and user experience of the e-commerce process. In that case, while most of the responsibility for securing payment data still belongs to your payment processor, there are steps that you should take to secure your site.
PCI entails compliance with 12 standards. Of course, the devil is in the details, and each of these standards may have many moving parts, but this list should help you understand where to begin in evaluating your site’s security and addressing potential vulnerabilities. These standards are also useful in making your site more secure in general, even if you do not process payments yourself.
- Configure a server firewall to prevent unauthorized access.
- Set and manage secure system passwords yourself rather than relying on vendor defaults.
- If you store any sensitive customer data, make sure that you password protect anything kept virtually and lock up any physical copies.
- Any cardholder data transmitted over the internet must be encrypted (i.e., sent over https).
- Make sure your server has antivirus software and that it is regularly updated.
- Keep all of your software, including but not limited to antivirus and firewalls, up to date.
- Limit the number of people with access to sensitive cardholder data to those who need it.
- All users with access to cardholder data should have their own logins and secure passwords.
- Limit and monitor physical access to the servers hosting cardholder data, restricting it to those who need it.
- Track and log all server activity and access to cardholder data so that you can see what happened in the event of a breach.
- Schedule regular monitoring and testing of your security systems.
- Document your policies.
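The point made earlier, that your site should hold only the processor-issued customer ID and card ID and never a full card number, is easiest to verify by auditing your own logs and exports. The following is an added example (not code from the original article or from any payment processor) that scans constructed log lines for Luhn-valid card numbers, flags the lines, and masks them to the first six and last four digits; the token formats, log lines and order id are invented for the example, and the card numbers are well-known public test numbers.

```python
"""Audit logs or exported fields for leaked card numbers (PANs).
Sample data is constructed; the card numbers are public test numbers."""
import re

# 13-19 digits, optionally grouped by single spaces/dashes; lookarounds keep
# the match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """First six and last four only, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _digits(match) -> str:
    return re.sub(r"[ -]", "", match.group(0))

def find_pans(text: str) -> list:
    """Luhn-valid card numbers (separators removed) found in text."""
    return [_digits(m) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(_digits(m))]

def scrub(text: str) -> str:
    """Replace every leaked PAN in text with its masked form; other digit runs stay."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(_digits(m)) if luhn_valid(_digits(m)) else m.group(0), text)

def audit(lines) -> list:
    """(line_number, masked_pan) for every leak; an empty list means the log is clean."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]

# Constructed log lines: a clean tokenized checkout (customer/card IDs only), a
# debug line that logged the raw form post, and a 13-digit order id that fails Luhn.
SAMPLE_LOGS = [
    "10:00:01 checkout ok customer=cus_8GhT2 card=card_1Ab9X order=ORD-2024100100001",
    "10:00:07 DEBUG form post pan=4111 1111 1111 1111 exp=12/27",
    "10:00:09 retry charge customer=cus_8GhT2 note=5555555555554444",
]

if __name__ == "__main__":
    for n, masked in audit(SAMPLE_LOGS):
        print(f"line {n}: card number leaked -> {masked}")
    print(scrub(SAMPLE_LOGS[1]))
```

Running the same check over database exports and support-ticket text catches the manual-entry and debug-logging cases the article warns about before an ASV scan or a breach does.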
There are different compliance levels based primarily on whether you store cardholder data and the number of transactions processed per year. Assuming that you process fewer than 6 million credit card transactions annually, you are permitted to self-assess your compliance (rather than hire an external auditor). The most common self-assessment questionnaire (SAQ) for e-commerce websites would be the SAQ A-EP.
While certification based on self-assessment operates on an honor system, if you misrepresent your compliance with PCI Standards (whether intentionally or accidentally), it can damage your reputation and have material consequences in the event of a breach. This doesn’t mean that you need to hire an official Qualified Security Assessor (QSA); that can cost tens of thousands of dollars, plus the QSA will typically not be implementing their recommendations.
We recommend subscribing to an Approved Scanning Vendor (ASV), which can scan your site and server for known vulnerabilities. The results of these scans will provide a punch list of potential vulnerabilities that you’ll need to patch before completing your assessment questionnaire. If you don’t have any system administrators or DevOps professionals on staff in your organization, the results of your scan can serve as a scope of work that an agency can use to quote what it will take to secure your environment.
If you aren’t sure where to start, feel free to get in touch. NPG can help shepherd you through the entire PCI process, including setting up scans, evaluating and addressing any vulnerabilities found, and then assist you in completing your self-assessment questionnaire to certify your PCI Compliance.