PCI Compliance: Protecting the Customer’s Credit Card Information is Your Responsibility
So you’re thinking about (or are already) accepting credit card payments – on your website? Great! Welcome to the wonderful world of e-commerce.
The Theory is Simple Enough:
You have a product and somebody willing to buy it wants to use his credit card to pay for it. Assuming you already have a merchant account – all you need is to pick one of the countless little apps or plugins out there that “allow” you to accept credit card payments, and — cha-ching — money starts flowing in, right? WRONG.
You didn’t really think it was that easy?
Did you read the fine print in your merchant account agreement? The part where it says that you have to be compliant with all the rules and regulations and – more importantly – that if you’re not, you are subject to (repeated) fines and might lose your privileges if you’re found to be in violation of any of the above?
May I Introduce the PCI Security Standards Council:
“From the world’s largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customer’s payment card data secure.”
Who or What is the PCI Security Standards Council?
“The Council’s five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. — have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.”
What Does This Mean for You – the Merchant?
For you, the merchant (the person or entity) who has entered into a contract with a member of the Council (the Credit Card companies, in case you’re wondering), this means: “As a merchant, you are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements developed by the major card brands to facilitate the adoption of consistent data security measures.”
Source: http://www.authorize.net/resources/pcicompliance/ (There’s 12 of them, just in case).
“But I’m Using XYZ to Process Credit Cards, So I’m Good, Right?”
Plain and simple: No.
While the third-party implementation (it’s always a third party, don’t even begin to argue) itself might (or might not – see SQUARE below) be PCI-DDS compliant, it doesn’t make YOU compliant. Remember: YOU have the contract with the Credit Card Companies.
Sooner or later, you will receive an email (or a letter) containing something like this:
Subject: Action Required: PCI DSS Compliance Notice
Please note: You have a deadline of [_date_] to validate PCI DSS compliance.
As a merchant accepting credit cards as a form of payment, you are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security requirements designed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to help merchants protect customer payment account information.
As your merchant account provider, [_provider_] is required to regularly confirm you are PCI DSS compliant. For your convenience, we’ve established a program with our partner [_partner_]; a leading provider of PCI DSS compliance services, to assist you in validating compliance with the security standard. This program will guide you through the process of validating PCI DSS compliance and automatically deliver necessary proof to [_provider_].
Don’t even think for a moment that it doesn’t apply to you, because it does.
Common arguments like “But we don’t process enough transactions” or “But we outsource credit card processing” are not valid. Again, it’s YOUR responsibility.
What about PayPal or authorize.net?
Both are third-party processors, and while PayPal’s and authorize.net’s (CIM and Simple Checkout only!) solutions themselves are PCI compliant, you still have to ensure that the way your customers access these solutions is compliant as well.
Real Life: How We at inlineVision are Affected
At inlineVision, we literally sit on both sides of the fence:
First, as a merchant (we accept credit card payments), but also in our position as a Hosting Provider.
Not only do we have to be compliant ourselves, but we also have to ensure that our clients can pass their compliance checks: By ensuring our servers are up-to-date with the latest security patches and the required, quarterly vulnerability scans pass the scan of an Approved Scanning Vendor like Trustwave.
The result of the most recent Vulnerability Scan on behalf of one of our clients yielded this result:
“The TrustKeeper vulnerability scan dispute that you submitted on 2012-12-07 has been reviewed by Trustwave’s security analysts and has been APPROVED”.
(Meaning: We successfully were able to prove and dispute false positives – and our e-commerce hosting solution is now fully compliant)
Considering the staggering numbers of credit card fraud (http://www.statisticbrain.com/credit-card-fraud-statistics/), identity theft, security breaches and related data loss every year, it is your duty as a responsible business owner to be part of the solution and not to contribute to the problem.