The Fresh Egg blog
If you are currently running, or looking to run, an e-commerce website, then you will most likely have heard of the PCI DSS standards. If you're running a website already then hopefully you're following them! Working out what you, as a website owner, need to do to meet these requirements is at first glance a little daunting.
Find out everything you need to know about meeting PCI DSS compliance below.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) to provide clear guidance on the minimum acceptable standards of security that merchants handling credit card information have to meet. These standards help to ensure that online transactions are safe and secure, and that visitors' card data is protected from hackers.
The PCI warns that failure to comply with the security standards outlined can have serious long-term negative consequences, including lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines. This is on top of any damage to your reputation resulting from a security breach and the loss of customer trust this can cause.
The requirements themselves are quite straightforward, although they can appear to represent a lot of work, particularly for a small business, and are quite daunting to a non-technical person. The current guidelines (at the time of writing) can be found at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf. The requirements are subject to periodic review and change.
The requirements are broken down into six categories and can be summarised as follows:
Each requirement is explained in much more detail in the full documentation that the PCI offers.
Setting up and configuring a firewall is a responsibility of your hosting provider’s network administrator. To meet this requirement, as a website owner, you need to check with your webhost that your server is protected by a firewall. Your host should be able to help you certify this requirement.
Responsibility for adhering to this requirement is split between hosting and the website itself. Your hosting provider should not be using any default passwords for its hardware (routers, firewalls, servers, etc.) or for the operating system and database that your website is running on. If you've used an off-the-shelf package for your e-commerce platform, then make sure that you have changed the administration passwords.
Depending on the setup of your shop you may or may not be storing card holder data. Card holder data refers specifically to your customers' card details, i.e. primary account number, cardholder name, service code, and expiration date. You might choose to retain these details so that repeat customers can easily place repeat orders through your site, without needing to re-enter their card details each time.
If you are storing card holder data, it is important to ensure that you do not record the primary account number in plain text. Under no circumstances should you store the card holder's PIN, CVV/CVV2 (the three or four digit number on the back of the card) or the full track data (held in the card's magnetic stripe).
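To make the two rules above concrete, here is an added example (not code from the original post or from any particular e-commerce platform) of a storage gatekeeper: it refuses any record that still carries sensitive authentication data, checks the primary account number with the Luhn checksum, and keeps only a masked form plus a keyed one-way hash so that repeat customers can be matched without the full number ever being written to disk. The field names, the record layout and the example key are assumptions made for this illustration.

```python
import hashlib
import hmac

# Sensitive authentication data that must never be stored after authorisation.
# These field names are an assumption for the example, not from any real platform.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "pin", "track1", "track2"}

# Constructed example key: in a real deployment this comes from a secrets store, never source code.
EXAMPLE_KEY = b"example-only-key-replace-with-one-from-a-secure-store"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is starred out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed SHA-256 of the full PAN: lets you recognise a returning card without storing it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes = EXAMPLE_KEY) -> dict:
    """Validate an incoming card record and return only the fields that may be kept."""
    present = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("primary account number failed the Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "cardholder_name": record["cardholder_name"],
        "expiry": record["expiry"],
    }


if __name__ == "__main__":
    # Constructed record using a well-known test card number.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "cardholder_name": "A N Other", "expiry": "12/29"}))
```

Note that a keyed hash is only a reference token: if you genuinely need the full number back (for example to charge a saved card), the right answer is to let your payment processor hold it and give you a token, rather than encrypting it yourself.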
If you're using hosted payment pages provided by your payment processor, then the responsibility for encrypting the card holder data lies with them. However, if you've decided to self-host the payment pages on your website and then send the card holder data across to the payment gateway, the data needs to be encrypted. All self-hosted pages need to be served over HTTPS using a valid SSL certificate for your domain, and the information sent to the gateway must also be encrypted.
Your web server needs to be protected by anti-virus software. Depending on the hosting agreement you have, this may be something that is taken care of and managed by your hosting provider, or it may be something that you are responsible for.
It is your responsibility to handle any access details for any part of the system sensibly (for example, don't publish your admin password to the server on your blog!). Your hosting company is responsible for keeping its network infrastructure secure but, if you are managing your own server, you are responsible for keeping the operating system patched and up-to-date.
If a vulnerability is detected in your e-commerce platform, you need to work to get that vulnerability patched within a reasonable timeframe. These vulnerabilities are usually faults that will be picked up in regular security scans.
If there's no reason for your content writer to have access to customer order information, then lock those parts of your system down. Your e-commerce platform needs to be capable of restricting access to sensitive data to only the users who really need that access. Never grant more permissions to a user than they need to have to be able to get their job done.
If you're used to sharing a login between several users who administer your website, that's something you'll have to change. Each user who logs into the administration area of your website needs to be uniquely identifiable.
A record should also be kept of anyone making changes to the source code of the website. So, if FTP is being used to transfer files to the server, each person who has access to FTP needs to have their own FTP account. The same is true of a hosting control panel or remote desktop access. Your hosting company will be able to help you restrict access to the server to individual user accounts.
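Unique accounts only pay off if someone actually looks at the access records. As an added example (not from the original post), the script below reads an administration/FTP login log and flags any account that logged in from several different addresses within a short window, which is the usual sign that one login is still being shared between people. The log line format and the sample entries are constructed for this illustration; adapt the regular expression to whatever your control panel or FTP server writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The format "<timestamp> LOGIN user=<name> src=<ip> <result>" is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z LOGIN user=alice src=198.51.100.7 ok
2024-05-01T09:02:41Z LOGIN user=webadmin src=203.0.113.5 ok
2024-05-01T09:03:10Z LOGIN user=webadmin src=198.51.100.22 ok
2024-05-01T09:04:55Z LOGIN user=webadmin src=192.0.2.14 ok
2024-05-01T09:05:30Z LOGIN user=bob src=198.51.100.9 failed
2024-05-01T11:30:00Z LOGIN user=bob src=198.51.100.9 ok
2024-05-01T17:45:12Z LOGIN user=alice src=198.51.100.7 ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) (?P<result>\S+)$")


def parse_logins(text: str) -> list:
    """Return (timestamp, user, source_ip) for every successful login; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "ok":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return events


def find_shared_accounts(events: list, window: timedelta = timedelta(minutes=10), min_sources: int = 2) -> dict:
    """Map user -> sorted source IPs for accounts seen from >= min_sources addresses inside one window."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):
        by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # every login from this one up to `window` later
            sources = {src for ts, src in logins[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, ips in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: logged in from {len(ips)} addresses within 10 minutes: {', '.join(ips)}")
```

A hit here does not prove wrongdoing (a legitimate user on a laptop and a phone can trip it), but it is exactly the kind of anomaly the standard expects you to notice and follow up, and it is cheap to run from a nightly cron job.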
Since the data itself is logical rather than physical, this requirement is about physical access to the server that holds the data. Access to the server is normally controlled by the hosting company. (Often when a web host says that they are PCI compliant, they're referring to meeting this condition of the PCI DSS requirements.)
Your e-commerce platform needs to keep a log of users interacting with card holder data (if you're storing it). Those log files need to be reviewed, and any anomalies in the data need to be investigated within a timely period.
All access to the webserver needs to be logged, and any changes to files on the server should be carefully monitored to be certain that the website has not been compromised.
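"Carefully monitored" in practice means a file integrity check: record a hash of every file in the web root, then compare later runs against that baseline. The example below is added here and is not from the original post; it builds a throwaway web root in a temporary directory, takes a baseline, simulates an edited file, a file that appeared unexpectedly and a file that went missing, and reports the difference. On a real server the baseline would be kept somewhere the web server cannot write to.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative, forward-slash path) to its digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed web root: baseline, then three kinds of change, then the diff a nightly job would report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "includes").mkdir()
        (root / "includes" / "config.php").write_text("<?php $db = 'shop'; ?>\n")

        # Store the baseline as JSON, as a scheduled job would (here kept in memory).
        baseline_json = json.dumps(snapshot(root))

        # Simulated changes since the baseline was taken.
        with open(root / "index.php", "a") as f:
            f.write("<?php /* unexpected edit */ ?>\n")
        (root / "includes" / "extra.php").write_text("<?php /* file nobody deployed */ ?>\n")
        (root / "robots.txt").unlink()

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Run it from cron against the real web root, feed the "added" and "modified" lists into whatever alerting you already have, and refresh the baseline only as part of a deliberate deployment.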
It is the responsibility of the website owner to perform regular security scans of their website. Depending on the scale of your website, you may need to employ a Qualified Security Assessor to manually review the site, but most website owners can use an Approved Scanning Vendor (ASV) to automate the testing of their site, for example Security Metrics or McAfee SafeScan.
Maintaining a policy that addresses information security is your responsibility as the website owner. A security policy doesn't have to be draconian, but in the event of a breach you do need to be able to demonstrate that you've done your best to stay secure.
The PCI DSS requirements are complex if you're unfamiliar with IT infrastructure, security, hosting requirements, etc. Inevitably, some misinterpretations have sprung up. A couple of common beliefs we see from clients concern compliant websites and hosted payment pages:
"If you use a PCI compliant shopping cart everything is taken care of for you."
Many off-the-shelf e-commerce platforms claim to be fully PCI compliant, but the truth of the matter is slightly less clear cut. Website software can go some way towards meeting PCI DSS requirements but cannot fully satisfy all of the standards outlined. A retailer who puts their trust in the marketing message of the software provider leaves themselves in a position where they are unwittingly non-compliant.
"If you use payment processing pages hosted by your PSP then you don't have to worry about making your site compliant."
Another common belief is that if the payment service provider (PSP) is hosting the pages for payment collection, then the responsibility for PCI compliance stops with them and the website owner does not need to worry about security standards. While the payment processor does have to satisfy a large proportion of the PCI requirements, these are in addition to those that still fall on you as the site owner.
Although understanding the requirements can take a little effort, even if it weren't a requirement from the PCI, it is worth website owners implementing the best practices outlined by the PCI DSS. The majority require very little effort to put into place, but they give a website owner some reassurance that their site is safe. In the same way that you would fit an alarm to a bricks-and-mortar establishment, digital monitoring can help prevent data theft, vandalism, website defacement and a number of other cyber-crimes. Also like a physical shop, no website is ever completely safe from being broken into, but practical defensive measures can help deter cyber crooks from trying.
Want help making sure your website is safe? Contact us to speak to one of the Fresh Egg team today.