Merchant Focus: What is PCI DSS compliance all about?


What are the PCI DSS standards and how could they affect your business if you are accepting credit cards?

To protect against credit card fraud online, new Payment Card Industry Data Security Standards (PCI DSS) were introduced in October 2007 for merchants handling credit card data. They apply to anyone who stores, processes or transmits cardholder data. How could they affect you?

The standards include a number of mandatory requirements and procedures that must be followed if you collect, store or transmit credit card details online. In industry jargon the card number itself is called the PAN, which stands for Primary Account Number. The standards also apply to the system components that handle it: your computers, servers, network equipment and the applications that process the card details.

They were developed by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB. The purpose of the standards is to encourage consistent data security practices all around the world.

PCI DSS is not a law in most countries, but it is enforceable through the contract you sign when you open your merchant account. Processing transactions via Visa or MasterCard forms a contract with those organisations under the terms and conditions of your merchant account. Those terms and conditions allow the card schemes, through your acquiring bank, to impose heavy fines for failure to comply, so it is important that you understand the requirements.

Read on to find out how PCI DSS affects you and some simple steps you can take to make sure you stay compliant.

If you are using a bank or third party payment provider’s website to collect and process credit card details
The good news for you is that your exposure is greatly reduced, because customer credit card details are collected on a website other than yours. Your website is never in possession of, or responsible for, the customer's card data. This means the bulk of the requirements fall on the third party provider (services like PayPal, Paymex, NAB's Payment Gateway Service and Paymate), not on you. Two caveats are worth knowing: your acquiring bank will usually still ask you to complete the shortest self-assessment questionnaire (SAQ A, for merchants whose card handling is fully outsourced), and the page on your site that sends the customer to the provider still matters, because if your site is compromised customers can be redirected to a fraudulent payment page, so keep your site patched and your admin passwords strong. Payment providers like e-Path are a different case: they collect credit card details on your behalf, as a third party processor would, but do not actually process the transactions. You log in and process them manually. This means you must treat the card details you receive from them in exactly the same way you would if you were processing them manually in a physical store.

If you are using manual credit card processing in your Ozcart store
To maintain PCI compliance, the credit card data must be captured by a PCI DSS compliant server rather than by your own store. The simplest and most cost-effective way to achieve this is to redirect the customer to the gateway's servers for card data collection and back to your website after payment, so that the card number never passes through your store.

If you are using a payment gateway provider like eWAY or DirectOne with SSL
Accepting credit cards directly in your store usually improves conversion rates because the customer makes fewer clicks, so being compliant without shifting to a third party payment page is definitely worth striving for. How hard is it? The good news is that compliance can be a pain-free process. It covers the software used to collect credit card details and transmit them to a gateway like eWAY, the transmission itself (which must be encrypted with SSL/TLS), and the servers your store is hosted on, which are managed by us.

There are 12 requirements under the standard (what we do on the hosting side, and what you should do, is noted in brackets):

  • Install and maintain a firewall (Our servers are heavily firewalled and this is monitored 24/7. We regularly track potential exploits and tweak our firewall rules to protect against them.)
  • Do not use vendor default passwords (Every customer receives their own randomly generated password to access the secure section of their site.)
  • Protect stored data (Behind the scenes all customer passwords are stored hashed in the database, and credit card details are not saved.)
  • Encrypt transmission of cardholder data (Customers using payment gateways are required to use SSL certificates for this purpose.)
  • Use and regularly update anti-virus software (You should ensure your own computers have up-to-date anti-virus whenever you do anything online, including logging in to your store.)
  • Develop and maintain secure systems and applications (We actively manage the security of our servers and install new updates and patches as required. Our servers are managed 24/7.)
  • Restrict access to cardholder data by business need-to-know (Full credit card information is not saved in your store and cookies are not used to store sensitive data.)
  • Assign a unique ID to each person with computer access (Each customer has their own username and password; do not share one login between staff.)
  • Restrict physical access to cardholder data (Full card information is not saved in your store.)
  • Track and monitor access to cardholder data (Your server logs the IP address of every visitor, the time of their visit and the pages they accessed. Full cardholder data is not saved by your store.)
  • Regularly test security systems and processes (The server your site is housed on is actively managed and tested.)
  • Maintain an information security policy for employees and contractors (Our data centre requires a two-part physical badge process for all access and has 24/7/365 video monitoring of all entry and exit points and common areas. We have information security policies in place for support staff and suppliers; you should ensure you have these for your employees too.)
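The two requirements above that say "credit card details are not saved" and "track and monitor access to cardholder data" are easy to state and easy to break by accident: a debug log line, a support email or a database dump that contains a full card number puts that system in scope. The check a practitioner runs is a scan for Luhn-valid card numbers in anything the store writes to disk. The following Python is an added example written for this article; it is not Ozcart's code and not part of the standard. The candidate pattern is a generic one (real scanners also match per-brand BIN prefixes), the log lines are constructed for the example, and the card numbers in them are the card brands' published test numbers, not real accounts.

```python
import re

# Generic candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer digit run. Constructed for
# this example; production scanners also match per-brand BIN prefixes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Mod-10 (Luhn) check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to first six and last four digits, the most that PCI DSS
    requirement 3.3 permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate):
    # Strip the separators so the Luhn check sees digits only
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the full PANs (digits only) in text that pass the Luhn check."""
    return [
        _normalise(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def redact_pans(text):
    """Replace every Luhn-valid PAN in text with its masked form; digit runs
    that fail Luhn (order numbers, timestamps) are left untouched."""
    def _sub(m):
        digits = _normalise(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines):
    """Return (line number, masked PAN) for every PAN found, so the scan
    report itself does not leak cardholder data."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample log lines. The card numbers are published test numbers;
# the 16-digit order number on the first line fails Luhn and is not a PAN.
SAMPLE_LOG = [
    "2013-03-04 10:22:01 checkout order=1234567890123456 status=ok",
    "2013-03-04 10:22:05 DEBUG gateway request pan=4111111111111111 exp=12/15",
    "2013-03-04 10:23:11 DEBUG gateway request pan=5555 5555 5555 4444 exp=01/16",
    "2013-03-04 10:24:30 client 203.0.113.5 GET /checkout/confirm",
    "2013-03-04 10:25:02 DEBUG amex pan=378282246310005",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: full PAN written to log, masked form {masked}")
    print(redact_pans(SAMPLE_LOG[2]))
```

Run it over your web server, application and mail logs as well as any database export; a hit on any of them means that system is storing cardholder data and is in scope, whatever the checkout flow is meant to do. The Luhn filter keeps order numbers and timestamps out of the report, and the report only ever shows the masked form so that the scan does not create a new copy of the PAN.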

Merchants that need to comply with the standards are divided into four levels based on the number of Visa and MasterCard transactions processed per year (a transaction count, not a dollar value). The levels are:

  • Level 1 – more than 6 million transactions per year, and any merchant that has suffered a data breach.
  • Level 2 – 1 million to 6 million transactions per year.
  • Level 3 – 20,000 to 1 million e-commerce transactions per year.
  • Level 4 – fewer than 20,000 e-commerce transactions per year.

Most Internet merchants processing transactions through payment gateways fit into level 4.

What does it take to comply?

  • Ensure you have developed a privacy policy and a returns policy.
  • If you are accepting credit cards, ensure your site uses SSL. This is free for the first year with Ozcart websites.
  • Complete the self-assessment questionnaire (SAQ). Some questions cover your own office computer network and procedures, so you will need to review those yourself to answer everything.
  • Display a PCI compliance statement on your website (optional).
  • Pass quarterly external network scans by an Approved Scanning Vendor (ASV) such as ScanAlert™ (who offer the Hacker Safe (McAfee Secure) TrustMark). Level 1 merchants must also have an annual on-site assessment by a Qualified Security Assessor rather than self-assessing, and must pass penetration tests.

Completing the questionnaire is easy and can help you identify potential security vulnerabilities – protecting yourself against potential hackers and security breaches online and offline as well.

For more information
Visit https://www.pcisecuritystandards.org/

Ozcart Ecommerce

Ozcart has been in business since 2006 and is an online, hosted shopping cart that you can use for your current or new online store. We offer so many features for the same low price. In fact, we are addicted to adding new ones to ensure that we remain one of the best choices for a shopping cart. https://ozcart.com
