Simple PCI Guide for Merchants

What is PCI?

PCI Compliance for Ecommerce

The Payment Card Industry (PCI) council, formed in 2006, is a joint industry organization set up by a small group of the major credit card companies. This group is not a policing organization: it does not enforce the PCI DSS and does not set penalties for violations of the PCI DSS. Enforcement of the PCI-mandated requirements is left to each specific credit card company. PCI DSS does not replace the individual credit card companies’ compliance programs, but rather fortifies them.

It is actually the individual credit card companies, such as Visa or Mastercard, who enforce the compliance rules. While there is currently no federal law forcing merchants to comply, many states and localities do in fact already have such mandates or policies.

PCI DSS compliance policy covers all merchants and service providers who accept, capture, store, transmit or process any credit or debit card data in any way. A compliance-related incident will result in steep fines, suspension and even revocation of your card processing privileges. That’s right… This IS a big deal, even for you.

Major PCI Merchant Requirements

Build and Maintain a Secure Network

  • Install and maintain a proper firewall to protect cardholder data.
  • Do not use vendor-supplied default passwords for anything.

Protect Cardholder Data

  • Do NOT store cardholder data.
  • Encrypt all transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software on all computers processing or transmitting cardholder data. This includes your server or hosting account, any office PC with processing ability, and even POS systems.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict cardholder data to a strict NEED TO KNOW level.
  • Each employee, vendor or other person with access MUST have a unique ID whose activity can be logged.
  • Restrict physical access to cardholder data. This is best accomplished, again, by NEVER storing cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor access to your network resources and cardholder data.
  • Regularly test your security systems and specific processes.

Maintain an Information Security Policy

  • You must maintain a company policy that addresses your information security processes, levels and protocols.

Below are some very simplified, yet common, mistakes we have seen companies make in regard to their security. While doing these things will certainly bring you closer to compliance, you will still need to hire an approved scanning vendor who will scan your websites, produce the specific reports required, and lend your company compliance support tailored to your individual requirements.

  1. Do not use simple usernames such as “admin” when setting up access to any software, including your hosting. Never use the usernames or access information supplied by the software.
  2. Every single vendor, employee or other person with access must use strong alphanumeric passwords, which should also contain a symbol whenever possible. Change these every 30 days for everyone with access.
  3. You must have the ability to properly log access for any user who has access to or uses your software or hosting account. This means your hosting must have proper logging ability, and you should additionally be logging access within your ecommerce software as well. Logs are not going to help you unless you are actually looking at them.
  4. Every system (each IP) that accepts or handles cardholder data must be scanned. This includes office PCs and other inventory/invoicing PCs (manned or not). DO NOT EVER use a wireless connection to access your website or hosting, and certainly not to process, collect or transmit cardholder data… It’s just too vulnerable.
  5. Follow the security recommendations and updates for your ecommerce software… If your software has none, or cannot notify you (either from within the software or by email) about security patches and updates… then you need new software.
  6. Keep ALL of your software up to date with the most recent stable version and patches. This includes the software associated with your hosting account, such as PHP, and even your accounting software if an integration exists or cardholder data is stored there.
  7. NEVER, EVER STORE CARDHOLDER DATA on your site or in an unencrypted hosting environment.
  8. Restrict access to your software and hosting to trusted employees and vendors. Frequently review your access accounts for vendors who no longer need access and employees who are no longer with the department or your company.
  9. Properly protect all of your site’s forms against SQL injection, where an attacker submits additional data through a form field.
  10. Limit the number of shipping addresses and failed credit card transactions that customers can make on your site. Additionally, make use of velocity and IP-based filters to tag and restrict suspicious transactions.
  11. Perform regular vulnerability scans of all of your systems and sites.
  12. You will need to create a company policy for your security procedures, such as password changing, scanning and access maintenance. This needs to actually be a documented policy that can be referred to and used by you and your staff.
  13. You are required to properly shred, dye or pulp ANY document containing cardholder data… This includes scratchpads used for taking orders.
  14. Use your hosting and PC virus scanners regularly and keep them up to date.
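Item 10 above is the one control on this list that a merchant's own developers can implement directly. The following is an added example (not code from the original post or from any particular ecommerce product) of a velocity filter that replays checkout attempts in time order and tags a customer or source IP once it exceeds a threshold within a sliding one-hour window. The thresholds, the record layout and the sample attempts are all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of checkout attempts (not real data):
# (customer id, source IP, shipping address id, authorization succeeded, ISO timestamp)
SAMPLE_ATTEMPTS = [
    ("c1", "203.0.113.10", "addr-A", True,  "2024-01-01T10:00:00"),
    ("c2", "203.0.113.20", "addr-B", False, "2024-01-01T10:01:00"),
    ("c2", "203.0.113.20", "addr-B", False, "2024-01-01T10:02:00"),
    ("c2", "203.0.113.20", "addr-C", False, "2024-01-01T10:03:00"),
    ("c2", "203.0.113.20", "addr-D", False, "2024-01-01T10:04:00"),  # 4th failure, 3rd address
    ("c3", "198.51.100.5", "addr-E", True,  "2024-01-01T10:05:00"),
    ("c4", "198.51.100.5", "addr-F", True,  "2024-01-01T10:06:00"),
    ("c5", "198.51.100.5", "addr-G", False, "2024-01-01T10:07:00"),
    ("c6", "198.51.100.5", "addr-H", True,  "2024-01-01T10:08:00"),
    ("c7", "198.51.100.5", "addr-I", True,  "2024-01-01T10:09:00"),
    ("c8", "198.51.100.5", "addr-J", True,  "2024-01-01T10:10:00"),  # 6th attempt from one IP
    ("c1", "203.0.113.10", "addr-A", False, "2024-01-01T12:30:00"),  # outside c1's earlier window
]

# Assumed policy thresholds (maximum allowed inside one window; tune to your own risk appetite).
MAX_FAILED_PER_CUSTOMER = 3
MAX_ATTEMPTS_PER_IP = 5
MAX_SHIP_ADDRESSES = 2
WINDOW = timedelta(hours=1)

def _prune(events, now, window):
    """Drop events older than the window; events are (timestamp, value) in time order."""
    while events and now - events[0][0] > window:
        events.popleft()

def evaluate(attempts, window=WINDOW):
    """Replay attempts chronologically; return {customer or ip: set of reasons} for flagged keys."""
    failed, per_ip, addresses = defaultdict(deque), defaultdict(deque), defaultdict(deque)
    flags = defaultdict(set)
    for customer, ip, ship_to, ok, ts in sorted(attempts, key=lambda a: a[4]):
        now = datetime.fromisoformat(ts)
        per_ip[ip].append((now, None))              # velocity: attempts per source IP
        _prune(per_ip[ip], now, window)
        if len(per_ip[ip]) > MAX_ATTEMPTS_PER_IP:
            flags[ip].add("ip_velocity")
        addresses[customer].append((now, ship_to))  # distinct shipping addresses per customer
        _prune(addresses[customer], now, window)
        if len({addr for _, addr in addresses[customer]}) > MAX_SHIP_ADDRESSES:
            flags[customer].add("too_many_shipping_addresses")
        if not ok:                                  # failed authorizations per customer
            failed[customer].append((now, None))
            _prune(failed[customer], now, window)
            if len(failed[customer]) > MAX_FAILED_PER_CUSTOMER:
                flags[customer].add("failed_transactions")
    return dict(flags)
```

A flagged key would normally be held for manual review or blocked from further checkouts rather than silently declined, so the tag is returned as data instead of acted on inside the function.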

Remember, these are just the basics, and whatever your PCI compliance level, you are likely going to need assistance to properly tackle and execute a program to bring yourself into compliance. If you already have a network tech for your office, make sure that tech is skilled and educated for this purpose.

These regulations and their related costs in time and money are part of doing business; they are not some optional insurance policy… Tell you what, if you cannot afford scanning and compliance, you certainly cannot afford a fine for the loss of electronic data from your company.

Closing Note:

I want you to clearly understand 3 very important points… so that even those of you who only skim the page will at least leave this site understanding these core points.

  1. If you process credit cards, you have already agreed to maintain PCI compliance as part of your merchant and gateway agreements.
  2. This is a cost of doing business if you process credit cards and must be included in all budgeting and financial planning for your site… It’s not optional.
  3. If you have PCI compliant hosting, you must still maintain all of the PCI requirements for your own website, including scanning. YOU ARE NOT COVERED UNDER SOME PCI COMPLIANT HOSTING UMBRELLA.

6 responses to “Simple PCI Guide for Merchants”

  1. […] Originally, PCI was Greek, however, merchants are learning and much support is available to meet the needs of small businesses whose budget for these matters can be quite small. Your merchant provider, merchant gateway provider or PCI approved scanner can help you to understand and manage the protocols necessary to keep not only yourself, but your shoppers safe. I have a post here to get you started on the road to PCI compliance. […]