
PCI compliance - what you need to know 

With the spate of credit card data thefts from large companies and organizations continuously hitting the headlines, card issuing companies are beginning to demand more from ecommerce merchants, large and small, to ensure that their sites are secure.

PCI (Payment Card Industry) compliance has been optional for many small merchants up to now, but that may be all about to change very soon.

Up until recently, PCI compliance was only mandatory for Level 3, 2 and 1 merchants, i.e. those processing more than 20,000 transactions a year or those identified as having poor security processes.

I've been informed that American Express sent a letter earlier this week (October 4 2006) to all merchants accepting American Express, stating that this requirement now extends to all merchants, including Level 4 - those with 1 - 20,000 transactions per year.

While American Express are the only card issuing company demanding this from smaller merchants at this stage, you can probably expect to see the other companies following suit very soon, so it's time to get prepared.

Non-compliance risks

Online store owners who are obligated to become PCI compliant and don't may find themselves without the ability to process transactions, or may face fines from the card company if their security is breached.

In a nutshell, this means that if your online store processes payments via credit card, you'll need to become PCI compliant - and it's not something you'll be able to do totally on your own, as PCI compliance requires scanning and verification by a 3rd party.

It all sounds a little scary if you haven't been through it before. While it is an inconvenience and can be costly depending on the vendor you select, the process isn't as difficult as you might expect - though much of the complexity will depend on the third party scanning vendor you engage. You should really shop around for deals on PCI compliance, because you'll find huge variations in price and support.

What is PCI compliance?

PCI compliance is a set of security criteria that must be implemented in order to protect sensitive information during any credit card transaction. The compliance criteria include specific auditing procedures, some of which are automated, with the others requiring merchant input. The Payment Card Industry Data Security Standard (PCI DSS) is referenced by all credit card issuers.

PCI compliance for most merchants, that is those processing up to 6 million transactions a year, consists of the following elements:

- Quarterly scan by an authorized scanning vendor 
- Yearly self assessment questionnaire 

Quarterly PCI compliance scan

The scanning vendor you engage will run a battery of automated tests against your web site and then provide a report. The scans are very thorough and test for hundreds of different issues.

The report will contain a great deal of detail, highlighting potential problem areas ranked by severity. Depending on the issue uncovered, it may be just an advisory on how you can improve your security, but there will also be flags that show items that prevent your site from being PCI compliant.

A good vendor will then work with you, and with your web host if necessary, to help you address those issues.

PCI compliance self assessment

In addition to the scan, you'll also need to complete a PCI compliance self assessment form, a sample of which can be viewed here (PDF). It's broken down into the following requirement sections:

  1. Build and maintain a secure network
  2. Protect and maintain client data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks

Many merchants may find the form utterly confusing given some of the terminology, but again, a good PCI compliance vendor will assist you with completing this form.

The benefits of PCI compliance

While all this may seem to be a terrible inconvenience, there are certainly some positive spinoffs from becoming PCI compliant, including:

  • Scanning vendors will provide you with a seal for display on your site, which will help assure your customers that you are able to secure their details - which means less shopping cart abandonment. In fact, many merchants report substantial increases in sales when displaying recognized seals.

  • You'll sleep better knowing that your platform is secure.

  • You will be contributing to cracking down on the filth of the online world who seek to create havoc through the theft of credit card details.

  • You will be contributing to improving the general perception of consumers regarding ecommerce - and that benefits everyone.

PCI compliance scanning vendors

Like any certification service, you have a wide range of choices - and a wide range of pricing. The important thing to remember is that as long as the vendor is authorized to provide scans and compliance reports, that's enough to satisfy the card companies. If the scanning vendor doesn't do their job properly, they are the ones with the liability, so it's certainly in their best interests to get it right.

Having said that, you don't want to engage the services of a vendor with poor communication. Time is money, and the less time you need to spend on this exercise, the better. It's also important to choose a scanning vendor who will go beyond just handing you a report and then leaving you to figure it out on your own.

I recommend ControlScan - I originally worked with them on a couple of compliance exercises and found them very attentive, providing detailed reporting and follow-up support. As a result of the positive experience, Taming the Beast.net is now more formally associated with the company as a Platinum Partner, which means you can get a free trial and heavily discounted pricing on ControlScan services.

ControlScan also provides a broad range of other services, such as web site security seals and certification programs, of which PCI compliance scans are a component.

Michael Bloch
Taming the Beast
http://www.tamingthebeast.net 
Tutorials, web content, tools and software.
Web Marketing, Internet Development & Ecommerce Resources
Copyright information.... This article is not available for reproduction without explicit written permission from Michael Bloch and Taming the Beast.net

copyright (c) 1999-2007  Taming the Beast  Adelaide - South Australia 