PCI Compliance: Offense Is the Best Defense
Jun 14, 2011 5:00 AM PT
There are no compromises when it comes to PCI compliance. Every online retailer that accepts major credit cards, from the smallest back-bedroom merchant to Amazon.com, has to comply with the mandates of the Payment Card Industry Data Security Standard, also known as "PCI-DSS."
PCI-DSS is a set of requirements instituted by the PCI Security Standards Council, an industry organization founded by American Express, Discover, MasterCard, Visa, JCB and others. It defines how retailers are expected to manage their IT security infrastructure to protect cardholder data.
Far from a static standard, PCI-DSS maintains a two-year revision cycle. The current Version 2.0 took effect Jan. 1, 2011, with a formal stakeholder feedback period set to begin later this year.
Depending on retailer size, achieving PCI-DSS compliance can be time-consuming and expensive. Larger (Level 1) retailers spend US$2.7 million on average to become PCI-compliant, while moderate-sized Level 3 retailers spend an average of $155,000 to meet PCI standards, according to a Gartner research survey.
Meeting the Challenge
Although the cost to maintain PCI compliance is considerable, there are ways to make PCI-DSS mandates easier to satisfy and to streamline the process of sheltering cardholder data. In fact, with the right business and infrastructure partners, it is possible to remove as much as 75 percent of the burden from the start -- not to mention reduce your overall risk and exposure when handling cardholder data.
For merchants, PCI-DSS requirements vary by the number of annual credit card transactions completed. The PCI Security Standards Council groups merchants into four levels (currently, Levels 2 through 4 are subject to similar rules):
|Merchant Level|Annual Requirement|
|Level 1 (over six million annual transactions)|Requirements include an annual onsite audit by a Qualified Security Assessor (QSA) and quarterly scans by an Approved Scanning Vendor (ASV)|
|Level 2 (one to six million annual transactions)|Requirements include completion of an annual Self-Assessment Questionnaire (SAQ) and quarterly scans for network vulnerability by an ASV|
|Level 3 (20,000 to one million annual transactions)|Same as Level 2: annual SAQ and quarterly ASV scans|
|Level 4 (all other merchants)|Same as Level 2: annual SAQ and quarterly ASV scans|
For the smallest e-commerce retailers (Level 4), the first exposure to PCI-DSS usually comes via a letter from their bank saying that they must be PCI-DSS-compliant. If you're not certain of the level of compliance required for your operation, the bank will inform you of your PCI classification level.
Level 4 merchants can go to the PCI Security Standards Council website and download the SAQ (self-assessment questionnaire). A list of ASVs (approved scanning vendors) is available on the site as well.
As a Level 4 retailer, you may be able to defer your PCI-DSS requirements to a payment partner. For example, with PayPal's Website Payments Standard service, your customers' credit card information never traverses your server. From your shopping cart, customers are sent to PayPal for credit card processing; all you receive is a transaction number and payment from PayPal.
One caveat: if your website integrates with PayPal using an API (application programming interface), you are still required to meet PCI compliance since your servers capture and transmit the credit card data first.
Larger merchants, by contrast, face additional challenges. Level 1 businesses must submit to a QSA (qualified security assessor) audit; it's believed that Level 2 retailers will soon face this mandate as well. The QSA results, along with the quarterly programmatic scans, are incorporated into the merchant's Report on Compliance (RoC).
Outsourcing partners can help bring all but Level 4 online retailers much closer to successful compliance with PCI-DSS. A well-qualified managed hosting partner, for example, will already have in place many of the security policies and infrastructure necessary to satisfy key elements of PCI-DSS.
Even established e-commerce companies find that the right hosting partner can make a difference by performing a gap assessment that addresses specific requirements for application, network, physical and database compliance.
Custom vulnerability scripts and software that ensure application, network, physical and database compliance are among the services hosting partners provide. They might also offer intrusion scans, egress filtering and other security compliance services. The end result can be a significantly reduced overall cost of compliance, without cutting corners.
Whether you're a new retailer just opening your doors or an established business with tens of thousands of customers, it's essential to remember that PCI compliance is not a one-time task. Assessment and testing cover only a single point in time; you can be compliant now and not later -- which is why you need to continually monitor every aspect of your cardholder data security investment.
Level 1 and 2 merchants, in particular, must choose the right hosting partner. Most hosting providers offer fee-based PCI assistance such as reporting services -- but many will leave you to run the actual reports yourself. The optimal hosting partners will install and run PCI-DSS reports on your behalf; all you do is supply the final report to your bank.
While PCI compliance may seem like a headache, the cost of meeting PCI-DSS is far less than the cost of the loss of customer confidence and possible loss of business you can suffer after a compromise. Taking a proactive approach to securing cardholder data, by ensuring and maintaining full PCI compliance, is the best defense there is.