Wednesday, September 9, 2009

PCI Compliance For Dummies

For most people, the world of PCI [Payment Card Industry] is very complicated, frustrating, and extremely boring. So, in an effort to help you keep your sanity, Katana has put together the following information for every online business owner that's been told that they need PCI Scanning or PCI Compliance for their website, but don't ever get a straight answer as to what it is, why they need it, what to do about it, or how to get it. The goal here is to simplify PCI for you so that you can make a clear, educated decision and weigh your options on your terms. You won't find any other resource like this online, so be sure to bookmark it or print it out so you can easily access it again.

NOTE: the official PCI documentation can be found at: www.pcisecuritystandards.org.

Question: What is PCI compliance and how does it apply to me?

Answer: PCI stands for Payment Card Industry. It is an organization that was founded by the five major credit card companies: American Express, Discover, JCB, MasterCard, and Visa. It was formed in order to create a uniform set of security standards for companies to follow when processing credit card transactions. Until the PCI Council was organized, each of these companies had their own standards that were similar to each other but not uniform, which created a lot of problems.

These standards are part of the merchant agreement you sign when you decide to accept payment cards. Whether you're aware of it or not, you are ultimately financially responsible if someone steals your customers' credit cards and you're found not in compliance. And one fact you may not be aware of: all of the other parties involved in helping you process credit cards have the ability to pass these exorbitant non-compliance fines and penalties on to you, the merchant.

The PCI council actually has 12 main security requirements that all merchants are required to be compliant with. [Yes, I ended in a preposition.] However, the extent to which the 12 requirements need to be met depends on the number of transactions that a company processes in a year, which are separated into 4 levels. They are broken down below for you, but if you need more information, the official documentation can be found at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


Question: So, what exactly do I need to do to become PCI Compliant?

Answer: As mentioned above, the requirements for PCI Compliance depend on which merchant level you fit into based on the number of transactions you process in a year. Basically, all merchants are required to do two things: quarterly PCI Scanning on all external-facing IP addresses and a yearly Report On Compliance.

PCI Scanning involves having a PCI ASV [Approved Scanning Vendor] scan any and all IP addresses that the public has access to and that participate in the transaction process. This typically includes your website's IP address; however, if you transfer your customers to a third-party shopping cart hosted by your shopping cart provider during the checkout process, then you should include their IP address to be scanned as well.

Report On Compliance is basically a report that you submit to your acquirer [an acquirer is typically the company whom you initially signed up with so that you could process credit cards, i.e. a third-party service provider, your actual bank, etc.] to show them that you are compliant. The type of report varies depending on the merchant level you fall into.

Here's a breakdown of 4 Merchant Levels, and what is required for each level:

Level 1 is any merchant that does over 6,000,000 transactions a year. Basically you need to bring an assessor on-site called a QSA to evaluate your security and create an in-depth Report On Compliance for you. Quarterly PCI Scans are also required.

Level 2 is any merchant that does between 1,000,000 and 6,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required. Level 2 merchants also have an extra one-page form that takes about 5 minutes to fill out that basically states that they don't keep certain types of credit card information on file.

Level 3 is any merchant that does between 20,000 and 1,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required.

Level 4 is any merchant that does between 1 and 20,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required.

As you can see, the requirements for Levels 2-4 are all basically the same [except the extra form for Level 2]. For all three levels, you essentially need to get quarterly PCI Scans performed by an ASV and you also need to complete an annual SAQ.

It's worth mentioning that these compliance requirements will be much more simple and stress free if you DON'T STORE CREDIT CARDS ON YOUR SERVER. If you store customers' credit cards with a Payment Gateway Provider like Authorize.net, LinkPoint, Paypal, etc., the SAQ is a breeze. If you store credit cards on your own server, then the SAQ gets MUCH more complicated.

Once you've completed your PCI Scan and SAQ, you then submit these documents to your acquirer. If you're a Level 4 merchant, depending on your acquirer and when you signed up, you may be able to have the quarterly scan requirement waived, although with the new PCI 1.2 standards implemented on October 1st, 2008 for all new merchants, more and more acquirers are requiring quarterly scans.


Question: I'm a Level 4 Merchant and I heard that PCI Scanning was optional, is that right?

Answer: Effective October 1, 2008 PCI Level 4 merchants using third-party software are required to either use PCI-validated payment applications or be PCI compliant in order to board as a new merchant with Bank of America.

http://corp.bankofamerica.com/public/public.portal?_pd_page_label=landing/merchantnews/padss&subct=PA-DSS&ctid=2

According to the new standards, if you are a Level 4 merchant that processes less than 20,000 transactions, you don't store payment card information on your server, and your shopping cart provider is PCI validated, then you don't necessarily need to do quarterly scans, but you will still need to fill out the annual SAQ. However, if your shopping cart provider is not PCI validated, then you will need to be PCI Compliant and provide an annual SAQ and quarterly scans of your IP, and possibly scan your shopping cart provider's IP if the shopping cart is hosted on their server and not directly on yours.

What it really boils down to is your acquirer's [your merchant bank's] specific requirements, as each acquirer's requirements are different. Your acquirer has a lot of influence on what you need to provide as far as PCI compliance. If you are concerned about your liability or your responsibility as a merchant, contact your acquirer and ask them what they require from you in order for you to be PCI Compliant. However, it's important to keep in mind that no matter what your acquirer does or does not recommend that you do in order to be PCI compliant, you could still be financially responsible if something happens.

2 comments:

  1. Awesome, thank you for dumbing it down, easier to explain to merchants!

  2. Wow, cool post. I'd like to write like this too - taking time and real hard work to make a great article... but I put things off too much and never seem to get started. Thanks though. katana
