Demystifying PCI Compliance

Rob has done his homework. He provides a good place to start yours.

PCI compliance is admittedly not the most interesting topic; however, it is a necessary evil and a source of confusion when building e-commerce sites. With the use of third-party payment processing solutions such as authorize.net, many of us have said, "I don't have to worry about that because it doesn't apply to me." The problem with this type of thinking is that it prevents us from giving clients the best possible advice when building their e-commerce sites.

Does PCI DSS Apply To Me?

PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. In other words, if the cardholder data (CHD) passes through any part of your system, it applies to you. If not for that last part about transmitting data, most of us would be off the hook.

So, What Now?

First, you might want to take a deep breath and collect yourself. This isn't a quick answer. Now, let's take a look at the basic requirements.

  1. Build and Maintain a Secure Network
    This is primarily a hosting issue. If your hosting provider is not PCI compliant, then you cannot comply.
  2. Protect Cardholder Data
    This is fairly simple. Do not store cardholder data, and use SSL when transmitting any payment information. Technically you may store cardholder data, but there aren't any good reasons to accept the additional risk. The safest and easiest option is to pass the data to the third party processor and forget it. Check log files as well to make sure that none of this request data is being logged. It's surprising how many people log secure data and don't protect the log files.
  3. Maintain a Vulnerability Management Program
    Keep all software up to date. Install the necessary security patches to the server and any other software you may be using, including Expression Engine and WordPress.
  4. Implement Strong Access Control Measures
    If you are not storing any cardholder data, then you can give individual credentials to anyone who needs system access. This is a good security practice and provides the ability to turn off anyone's access if necessary.
  5. Regularly Monitor and Test Networks
    Monitor and test your systems on a regular basis. Most of this can be handled by the hosting provider. The rest can be accomplished by auditing software, logs, and data storage.
  6. Maintain an Information Security Policy
    You need to ensure everyone in your company is informed about the rules and regulations. This is something that most small shops seem to struggle with.
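The log check in item 2 is worth automating. Here is an added example (not code from the original article): a small scanner that flags web-server log lines containing Luhn-valid card numbers and masks them, so a nightly job can prove that request data is not leaking into logs. The log lines are constructed samples using standard test card numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (avoids matching inside longer numeric strings).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list:
    """Return Luhn-valid card-number candidates found in one log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_line(line: str) -> str:
    """Mask every Luhn-valid candidate, keeping only the last four digits."""
    def mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw              # order ids etc. that fail Luhn are left alone
    return PAN_RE.sub(mask, line)


def scan_log(lines) -> list:
    """Return (line_number, pans) for every line that leaks a card number."""
    return [(n, find_pans(l)) for n, l in enumerate(lines, 1) if find_pans(l)]


# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /checkout" 200 card=4111111111111111 exp=12/29',
    '10.0.0.6 - - "GET /order/12345678901234" 200',
    '10.0.0.7 - - "POST /checkout" 200 card=5555 5555 5555 4444',
]
```

Lines 1 and 3 are reported; the 14-digit order id on line 2 fails the Luhn check and is ignored, which keeps the report usable on a busy log.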

In a Nutshell

Let me boil this down to a few quick rules:

  1. Make sure your host is PCI compliant.
  2. DON'T store cardholder data.
  3. Update your software with security patches.
  4. Control access to the system; only let those who need access have access.

That may seem like a lot of work, but there are alternatives:

  1. Don't transmit cardholder data. There are numerous services that will host your payment page. If the user never sends their credit card information to your server, then you are not liable for it.
  2. There are a few solutions that send the cardholder data directly from the browser, via JavaScript, to a third party; however, a solution like this requires the user to have JavaScript enabled in order to pay. A new service, Stripe, offers a solution of this kind.

Wrapping It Up

There are probably thousands of e-commerce sites that are not PCI compliant. As far as I can tell, no one is fining non-compliant shops or making them become compliant. However, I'm not sure that I would say that you aren't at risk as a non-compliant shop. There is always the possibility that a mishap may have you facing the wrath of the credit card companies. Food for thought.

Other Notes and References

Another interesting service I came across during my research is Dwolla. Their goal is to move payment processing away from the credit card carriers. I would keep an eye on what they are doing in the future.

If you want additional information, I would suggest starting with the PCI At-A-Glance Guide.

Disclaimer: The above is NOT legal advice. You should consult your lawyer and your merchant account provider with any questions.