How to Make your Website PCI DSS Compliant
For small businesses wanting to sell products online, the regulatory hoops you're required to jump through in order to take payment cards can be somewhat daunting. However, if you don't comply, you risk a hefty fine and even losing the ability to take cards at all.
Card payments online are governed by the Payment Card Industry Data Security Standard (PCI DSS). There are 12 requirements for compliance, which come under the following summary headings:
- Build and maintain a secure business network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test business networks
- Maintain a policy that addresses information security
It's worth pointing out that you can simplify the compliance process substantially by ensuring that you don't save or store any cardholder data. Instead, use a card reader or point-of-sale (POS) processor that doesn't retain the information on business systems. You can also use a payment gateway such as those provided by PayPal and Stripe, but be aware that the responsibility for your customers' data remains with you. Whatever option you choose, first check that using it does in fact leave you compliant.
For example, even if you use a payment processor, your site still has to be secure when payment details are being entered and transmitted. This means your web server must be compliant and your site should use Secure Sockets Layer (SSL) encryption. If you need to keep payment information for future payments, check with your provider whether you can store that data on their secure systems instead.
1. Choosing a Secure Web Host
When choosing a host for your website, you should ensure that the servers, the hosting plan and the ecommerce and shopping cart applications all comply with the standard. You can find a list of validated payment applications on the PCI council website to help you choose, and I would also recommend hitting some ecommerce forums to check out what others are saying. It's worth pointing out here that if you're new to ecommerce, cheap or free web hosts will rarely be good enough to ensure compliance. You should also consider using dedicated hosting over shared, as this means that you and only you are using that machine. With shared hosting, you're often sharing one machine with multiple websites, and this makes compliance difficult. Dedicated or virtual private servers are much more likely to be compliant, albeit quite a bit more expensive.
Ensure that the host you choose allows you to use PHP and MySQL databases too – most do these days and if you’re not sure, then you can always give the hosting company a call to discuss your needs in more detail. Ensuring that the server and site transactions are secure before building your site will save you heartache in the long term. However, if you really don’t need to store data, then I would urge you to consider using a payment gateway which takes the customer to an external, secure site before asking for any details.
2. Choosing a Shopping Cart
There are a huge number of shopping carts to choose from, and as such it can get pretty confusing when it comes to picking the best one for you. To protect both your business and your customers' data, you should aim to choose one that is PA DSS (Payment Application Data Security Standard) compliant. This means that the cart software has already been put through a series of rigorous tests to ensure that it encrypts data sufficiently to protect it against attack while in transit.
Again, if you're not particularly technologically minded, you can choose a hosted cart, which takes the shopper off your site and onto its own, fully secured site. With a hosted cart, all of the sensitive data is entered off your site and the details are held on a secure server.
3. Employees and PCI DSS
The safety of your customer data is your responsibility and this means that it’s important that your staff understand just how vital it is to your business that it’s kept secure. With this in mind, all staff who deal with customer details as a part of their job must ensure that they follow the rules.
You should ensure that all staff who deal with data:
- Are aware of the processes used to protect sensitive data.
- Don’t store customer data on any unauthorized computers or on paper.
- Use strong passwords on all user accounts.
Additionally, you should ensure that all computers, devices and servers on the business network (or those that connect to it):
- Have AV software installed and up-to-date patches applied to commonly exploited software such as Windows/OS, Office, Adobe products and Java.
- Are protected by a firewall on the network.
- Are protected by secure passwords and encryption on all network routers, including wireless.
For those businesses that allow employees to bring their own devices to work, these should be managed with a robust BYOD policy that sets out what is required of the employee. If you or they are still unsure about what the process entails, then you can take awareness training courses through the PCI council.
Security is something that many IT professionals consider to be a problem that can't be fully solved because of the human element. By far the majority of security issues that affect businesses are caused by a lack of knowledge among end users. This makes the risk difficult to mitigate, because the end user doesn't know enough to know that they shouldn't click on that phishing link, for example. In recent years, security threats have become increasingly sophisticated and do everything they can to evade detection. This is worsened by the fact that phishing attempts are now often highly targeted at the person most vulnerable to attack, such as administrative staff.
Threats these days are backed by the sheer amount of information that can be gathered on social media about an individual within an organization before an attack is attempted. This means that cybercriminals are forearmed with enough information to make the email carrying a malicious link appear to come from a friend or known supplier. With this in mind, education on the risks is essential, and a sound policy on social media and on what can be downloaded should also be put in place.
Link scanners can also be installed to ensure that any malicious links physically can’t be clicked on, thus taking away a lot of the end user risk.
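The link-scanning idea above can be illustrated with a small checker that runs over an email body before anyone clicks anything. This is an added example, not code from the original article or from any product it mentions; it uses only the Python standard library and flags the common tells of a disguised link: visible text that names a different host from the real target, a raw IP address as the host, a punycode (IDN) host, a non-HTTP scheme, and a registrable domain within a couple of edits of a domain you trust. The trusted-domain list, the `.example` hostnames and the sample email are constructed for the demonstration; the "last two labels" rule for the registrable domain is a simplifying assumption (a real scanner would consult the public suffix list).

```python
"""Flag suspicious links in an email body before a user can click them.
Added example for this article; all domains and the sample message are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the business has a real relationship with.
TRUSTED_DOMAINS = {"acme-supplies.example", "bank.example"}

# Something that looks like a host name inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: last two labels; a public suffix list would be more accurate.
    return ".".join(host.split(".")[-2:])


def check_link(href: str, text: str, trusted: set[str]) -> list[str]:
    """Return the reasons a link looks suspicious (empty list means none found)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    shown = _HOST_IN_TEXT.search(text.lower())
    if shown and host and shown.group(1) != host:
        reasons.append("display/target mismatch")     # text says one site, link goes to another
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal host")             # legitimate suppliers rarely link to bare IPs
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")               # IDN homograph risk
    if parsed.scheme not in ("http", "https"):
        reasons.append("non-http scheme")
    for good in trusted:
        d = levenshtein(registrable_domain(host), good)
        if 0 < d <= 2:
            reasons.append(f"lookalike of {good}")
    return reasons


def scan_email(html: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[dict]:
    """Every link in the message that triggered at least one rule."""
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text, trusted)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one look-alike link, one bare-IP link, one genuine link.
SAMPLE_EMAIL = """\
<p>Hi, please find the updated invoice at
<a href="https://acme-supp1ies.example/invoice/4471">https://acme-supplies.example/invoice/4471</a>.</p>
<p>Or review it in the portal: <a href="http://203.0.113.7/login">Portal login</a></p>
<p>Support: <a href="https://support.acme-supplies.example/kb">Knowledge base</a></p>
"""

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f"BLOCK {f['href']!r} shown as {f['text']!r}: {', '.join(f['reasons'])}")
```

A mail gateway or browser extension would rewrite or strip the flagged hrefs rather than just print them; the point of the example is that the checks are cheap, need no network access, and catch exactly the "looks like our supplier" tricks the article describes.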
4. PCI DSS Levels
There are four levels of compliance, which depend on how many card transactions you take over the course of a year.
- Level 1: for merchants who process more than 6 million Visa transactions per year – requires an onsite security assessment annually and a quarterly network vulnerability scan.
- Level 2: for merchants processing between 1 million and 6 million Visa transactions per year – onsite security assessment at your own discretion; you're also required to complete an annual self-assessment questionnaire and a quarterly network vulnerability scan.
- Level 3: for merchants processing 20,000 to 1 million Visa ecommerce transactions per year – an annual self-assessment questionnaire and a quarterly network vulnerability scan are required.
- Level 4: for merchants processing fewer than 20,000 Visa ecommerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year – an annual self-assessment questionnaire and a quarterly network vulnerability scan are required.
Remember – It’s an Ongoing Process
Many businesses ensure that they are compliant in the first instance and then forget about it until it's audit time. Sadly this leads to fines and to further audits (which cost money) being carried out more often. It's important to remember that compliance is an ongoing process and it must be checked often, not just before the auditor is about to put in an appearance.
You must always:
- Assess – take an inventory of existing IT assets and business processes for card processing, analyzing them for vulnerabilities as you go and identifying customer data and where it's held.
- Remediate – don't store data unless absolutely necessary, and fix any known vulnerabilities.
- Report – compile and submit reports to the acquiring bank and card brands that you deal with.
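The Assess step above (find out where cardholder data is actually held) and the earlier advice not to store card numbers at all both come down to the same practical question: are full card numbers sitting in places they shouldn't be, such as application logs or debug output? The following scanner is an added example written for this article, not code from the original page or from the PCI council. It pulls digit runs out of text, keeps only those that pass the Luhn check (which discards most order numbers, timestamps and phone numbers), labels the likely brand from a tiny prefix table, and can redact each hit down to first six and last four digits. The log lines are constructed, using the well-known public test card numbers, and the brand table is an assumption that is sufficient for triage rather than a full BIN database.

```python
"""Find and redact full card numbers (PANs) in logs, exports or other text.
Added example for this article; the sample log is constructed."""
import re
from dataclasses import dataclass

# Candidate PANs are 13-19 digits, optionally separated by single spaces or
# dashes. A digit directly before or after rules the run out, so a 20-digit
# identifier is not reported at all (and is not partially matched either).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str   # first six + last four: the most PCI DSS permits to be displayed


def luhn_valid(digits: str) -> bool:
    """Card-number check digit. Real PANs pass; most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Assumption: a minimal issuer-prefix table, enough to label findings."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4":
        return "Visa"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if two in (34, 37):
        return "American Express"
    return "unknown"


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[Finding]:
    """Report every Luhn-valid candidate with its line number, brand and masked form."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, card_brand(digits), mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Replace each Luhn-valid candidate with its masked form, leaving other digit runs alone."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed log excerpt: an order id that happens to be 16 digits (not a PAN),
# two public test card numbers leaked by a debug statement, and a safe token line.
SAMPLE_LOG = """\
2024-05-01 10:02:13 INFO  order=1234567890123456 status=paid
2024-05-01 10:02:14 DEBUG gateway_request card=4111111111111111 exp=12/27
2024-05-01 10:05:41 DEBUG retry card=3782 822463 10005 cvv=***
2024-05-01 10:06:00 INFO  stored token=tok_7f3a9c last4=1111
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} PAN found -> {f.masked}")
    print(redact(SAMPLE_LOG))
```

Run it over log directories, database dumps and support-ticket exports as part of the Assess step; every hit is either data you must now protect under the standard or, more usefully, a logging statement to remove so the data is never written in the first place. Note that the third sample line also leaks a CVV, which may never be stored after authorisation regardless of masking.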
There are many things to consider when it comes to compliance and by far the easiest way for the smaller ecommerce business owner is to use a payment gateway or hosted cart. This removes a lot of the necessary steps and takes a lot of the risk away when it comes to employees handling payments and the security of your business network.
However, that’s not to say that it’s the best solution for you and so you should aim to put in a lot of planning and groundwork if you’re planning on taking payments through your site and retaining customer details. Ideally, you should avoid doing the latter and talk with your payment card processing provider to see what your options are. It’s not quite as daunting as it first appears, but it does pay to be very careful as many businesses that fail to adequately protect customer data go out of business following a data breach, thanks to the cost of ensuring that it doesn’t happen again.
For best results, have a read through the PCI DSS 3.0 (and below) documents library on the PCI council website. Don't be put off by all the jargon either: a quick Google can help you to understand the technicalities, or you can go through the help files on the PCI council website.