June 18, 2005
PCI Compliance
Disclaimer: None of the following should be construed to be legal advice. Views are based upon my own understanding of the issues from my own research.
This post is meant to be a Heads Up for all who accept credit card payment via their web site, though PCI Compliance actually encompasses more than just web transactions. Many online merchants have never heard of PCI Compliance. If you haven't, now is the time you need to get in gear and find a solution that works for you.
PCI (Payment Card Industry) Compliance is a good thing in my opinion. It may be a pain in the butt for some, but it's still a good thing!
With that personal opinion out the way, let's explore what PCI Compliance is, what it's supposed to do and what you need to do to get all of your ducks in a row.
PCI Compliance is basically an initiative that all of the major credit card vendors (Visa, MasterCard, AMEX, Discover) have put forward in an attempt to offer better protection to their cardholders. With all of the identity theft going on out there today, it's at least a step in the right direction.
Those who have already been taking their customers' privacy seriously, and who have already been guarding this type of ultra-sensitive data as they should, have nothing to worry about. However I imagine that many webmasters and merchants who thought they had good security procedures in place are due for a real eye opener.
Which, again, is a good thing IMHO.
Basically, PCI is going to require anyone who accepts any of the major credit cards to assess how secure their internal systems are. At the very least, everyone is going to have to complete a self-assessment questionnaire that will make them take a good, hard look at their internal procedures. The vast majority of small businesses will fall into this category.
Merchants with larger volumes will have to do more. They will complete the questionnaire also, but they will also be required to contract with one of the approved 3rd party scanning companies, who will scan their systems looking for security holes or other deficiencies. These basic requirements are placed on any merchant who conducts 20,000 or more transactions in a year's time with any of the major credit card companies.
Anybody at or above this level has a deadline of June 30, 2005 to get everything in place, and to get your Proof of Compliance filed. Yes, you heard me right. Even though you may have never heard about PCI Compliance before, you have less than 2 weeks to get your ducks in order if you want to continue accepting either Visa or Mastercard for payment!
The issue is that many out there have been far too lax in their data security procedures. Now it's time to pay the piper, as they say.
Currently, there is no deadline requirement for merchants who have less than 20,000 transactions in a year's time. In fact, there are only recommendations from the credit card companies instead of requirements.
Don't expect this to remain the norm though, as there are a couple of caveats. First, your merchant bank can (and probably will) require you to complete and file the questionnaire at the very least. They may also require you to contract for a scan to make sure everything is in order.
Why?
Because the credit card companies are going to place the merchant banks on the hook for all fines if inadequate security on your end results in a theft. And you know the merchant banks aren't going to want to be liable for those fines, especially when it's easier for them to simply require that all of their merchants meet the minimum standards.
In other words, even if you're in the majority and have less than 20,000 transactions per year you should start familiarizing yourself with the PCI Compliance procedures and get everything in place now. You don't want to lose your ability to conduct business after all.
Additional information is available in a special section of MasterCard's site. You can also find a PDF version of the PCI Manual. Visa also offers information about the Cardholder Information Security Program (CISP) on their site.
Many, if not most, of the approved 3rd party providers, such as ScanAlert have a lot of good information on their site as well.
My suggestion to every webmaster who accepts credit card payment is to check with your merchant bank and/or merchant service provider as soon as possible to get the scoop. None of this has been publicized well enough in my opinion, and the standards put forth by the credit card companies leave a lot of wiggle room for the merchant banks.
For instance, I've not seen anything yet from any of the merchant service providers stating what their clients need to do. Probably because they do not know at this time, having yet to get the requirements their merchant banks are going to be placing on them. The open question is whether places like 2Checkout.com are going to require every webmaster who uses their service to fill out a questionnaire and/or have a scan of their site conducted. It's certainly within the realm of possibility!
And who's to say whether all of the popular shopping cart systems out there are going to have to make changes so that their customers can comply with the new standards. It's certainly possible, especially for those that store the cardholder's data (mainly the full credit card number and the CVV security code) in a database at the time of purchase. The standard does not allow the CVV to be kept at all once the transaction has been authorized, and a stored card number has to be rendered unreadable, so a cart that simply writes the whole card record into an orders table is going to fail the assessment no matter how well the server itself is locked down.
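To make the shopping cart point concrete, here is an added example (my own illustration, not code from any cart or from the PCI documents) of what a checkout record should look like before it ever touches the database, plus a small audit helper you can run over a database dump or log file to find full card numbers that are already sitting there. The checkout record is constructed sample data using the Visa test number, the field names are assumptions, and the masking rule (first six and last four digits at most) is my reading of the standard.

```python
import re
from typing import Dict, List

# Constructed sample of what many carts write to the orders table today:
# the full PAN and the CVV. The PAN is the well-known Visa test number.
CONSTRUCTED_CHECKOUT: Dict[str, object] = {
    "order_id": "A1001",
    "cardholder": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/07",
    "cvv": "123",
    "amount_cents": 4995,
}

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the major card brands; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, stars for the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def persistable_record(checkout: Dict[str, object]) -> Dict[str, object]:
    """Return the subset of a checkout that may be written to the merchant DB.

    The CVV is dropped outright (it may only live in memory long enough to
    authorize) and the full PAN is replaced by a masked copy plus last four,
    which is all a merchant needs for receipts, refunds and support lookups.
    """
    record = {k: v for k, v in checkout.items() if k not in ("pan", "cvv")}
    record["pan_masked"] = mask_pan(str(checkout["pan"]))
    record["last4"] = record["pan_masked"][-4:]
    return record


def find_unmasked_pans(text: str) -> List[str]:
    """Audit helper: list Luhn-valid 13-19 digit runs found in arbitrary text.

    Run it over a table dump or log file; any hit is cardholder data that
    the assessment will flag, whether or not the box it sits on is patched.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    safe = persistable_record(CONSTRUCTED_CHECKOUT)
    print("store this:", safe)
    print("PANs in raw checkout:", find_unmasked_pans(str(CONSTRUCTED_CHECKOUT)))
    print("PANs in stored record:", find_unmasked_pans(str(safe)))
```

The audit helper is deliberately noisy in the safe direction: a Luhn-valid 16 digit run that is not a card number will show up, but a real card number stored in plain text will not slip past it, which is the side you want to err on when the scanning company is about to look at the same data.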
In other words, don't wait. And don't be lulled into thinking that just because you have less than 20,000 transactions and/or use some merchant service provider that the new standards will not apply to you. They apply to everybody, even those merchants who do not offer any type of online payment option, but happen to occasionally send email. Or at least that's the way I read the standards.
Bottom line, you'll definitely want to be ahead of the curve on this one. The merchant banks, merchant service providers and 3rd party scanning companies are likely going to get overwhelmed quickly once it hits the fan on June 30th. Not having all of your i's dotted and t's crossed could make you liable for fines from the credit card companies. Or even worse they could simply refuse to process any transactions for you if you're not in compliance in their opinion. Forever.
I'll be blogging more about PCI Compliance as I go through the process myself (questionnaire and quarterly scanning in my case). It really doesn't look too bad to me, but I've always had security procedures in place that are well above the average webmaster. And since I run our servers, it's not going to be a big deal if the scan says that something needs to be updated or tweaked. The same is definitely not going to be true for most, who will have to coordinate with their hosting company.
Get onboard the PCI Compliance train now. You don't want it to leave the station without you, since the consequences can be quite detrimental to your business' success.