Five Easy Steps to PCI Compliance for Small Online Businesses
This is one in a series of columns for small online businesses in the open-source commerce (OSC) industry.
When making purchases from Web sites such as Amazon.com – sites that once kept your credit card data on file – you may have noticed that you must now re-enter your credit card data for each purchase. Over the past two years, large online retailers have been forced to change their security procedures in order to meet new standards and tighten online security.
Now these high standards are being applied to small online merchants, and this will require immediate changes in your online store's security procedures. In this column we examine the background of the problem and how it applies to small online businesses. Specifically, we'll outline what the small merchant must do to improve Web site security and become compliant with the new high security standards in order to continue processing credit cards online.
Security for Small Online Merchants is a Big Deal
Security breaches may seem to happen only to huge corporations — like the TJX security breach last year that compromised more than 94 million T.J. Maxx and Marshall's accounts — but in reality, cardholder data compromises affect small online store owners far more frequently.
This is because small merchants with fewer than 20,000 transactions per year represent two-thirds of all Visa transactions, and more than 99 percent of the merchants that accept Visa. Moreover, small merchants may not be technically sophisticated and so they may not even realize that they have left a back entrance to their store wide open.
Common Security Holes
Does your online store have any of these common security no-nos? Some of the most common security holes left by unsuspecting small online store owners include:
- Not changing the default password when the program was set up, such as username "Admin" and password "Admin";
- Not removing vulnerable portions of the program that are no longer needed, e.g. an "install" directory after installation;
- Storing unneeded cardholder data on your site, or worst of all, storing it on an unencrypted server;
- Using programs with security flaws that allow "SQL injection," a technique where a hacker can gain access to your database by piggy-backing extra code into a form box in your online store;
- Not having all of the latest security upgrades and patches installed on your online store program;
- Not logging the user activity on your online store files;
- Failure to review the log files for suspicious activity; and
- Failure to perform regular vulnerability scans.
If you have even one of the above problems in your online operations, it is a disaster waiting to happen. Drop everything else until you have resolved it.
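As an added example (not code from the original column), here is a small Python review script that walks Web server access-log lines and flags three of the holes listed above: a still-reachable "install" directory, SQL fragments piggy-backed onto a URL parameter, and repeated failed admin logins. The log lines, store paths and the assumption that the admin login answers 401 on a failed attempt are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache "common" format); not from any real store.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2008:13:02:11 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2008:13:02:40 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 8231
198.51.100.9 - - [10/Mar/2008:13:05:02 +0000] "GET /catalog/install/index.php HTTP/1.1" 200 1102
198.51.100.9 - - [10/Mar/2008:13:05:30 +0000] "GET /catalog/product_info.php?products_id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9001
198.51.100.9 - - [10/Mar/2008:13:06:01 +0000] "POST /catalog/admin/login.php HTTP/1.1" 401 310
198.51.100.9 - - [10/Mar/2008:13:06:05 +0000] "POST /catalog/admin/login.php HTTP/1.1" 401 310
198.51.100.9 - - [10/Mar/2008:13:06:09 +0000] "POST /catalog/admin/login.php HTTP/1.1" 401 310
"""

# ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Heuristic for SQL piggy-backed onto a parameter: a quote followed by a SQL
# keyword, or a SQL line comment. A review aid for a human, not a complete filter.
SQLI_RE = re.compile(r"""['"]\s*(or|and|union|select)\b|--""", re.I)


def review_log(log_text, failed_login_threshold=3):
    """Return a list of (kind, client_ip, detail) findings for the store owner to review."""
    findings = []
    failed_admin_logins = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        ip, target, status = m["ip"], m["target"], int(m["status"])
        parts = urlsplit(target)
        # 1. Leftover "install" directory still answering: it should have been removed.
        if "/install/" in parts.path and status == 200:
            findings.append(("install_dir_reachable", ip, parts.path))
        # 2. SQL fragments in a URL parameter (assumes GET parameters are logged).
        query = unquote_plus(parts.query)
        if query and SQLI_RE.search(query):
            findings.append(("sql_injection_attempt", ip, query))
        # 3. Repeated failed admin logins (assumes the admin area returns 401/403 on failure).
        if parts.path.endswith("/admin/login.php") and status in (401, 403):
            failed_admin_logins[ip] += 1
    for ip, count in failed_admin_logins.items():
        if count >= failed_login_threshold:
            findings.append(("admin_login_failures", ip, count))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review_log(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

Run it against your real access log by passing the file's contents to `review_log`; each finding names the client address so the entry can be traced and the hole fixed.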
Standards Committee Addresses Security Problems
A security standards organization called the PCI Security Standards Council was formed in 2006 to address threats to credit card information, such as those in the above list, and to find means for prevention. The group comprises all the major payment card brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Initially the organization focused its attention on large corporations processing over six million transactions per year, which it dubbed Level 1 Merchants. In fact, the spectacular security breach by TJX, a Level 1 Merchant, has in court filings been blamed on the company's violation of these security standards.
Standards Focus Shifts to Small E-tailers
In 2008 the group turned its attention to merchants with fewer than 20,000 e-commerce transactions per year, the Level 4 Merchants who represent the vast majority of online payment transactions. If your online store falls into this group, at a minimum you will be required to complete an annual PCI Self-Assessment Questionnaire and possibly a quarterly network scan.
However, your payment processing company can require stricter standards, such as monthly scans by a PCI approved scanning vendor. Because Visa has instituted a program to accelerate PCI compliance with financial incentives to the payment processors who institute it, many payment processors are requiring security levels higher than the PCI standards, such as monthly security scans. This will add a cost of around $15-20 a month for each online store (or IP Address) that needs to be scanned.
Five Easy Steps to PCI Compliance
PCI Compliance need not be a nightmare for small online merchants. There are several alternative actions from which you can choose, ranging from those that are fairly easy to implement to those that are more difficult. The first step is to inform yourself on the actual contents of the standards.
STEP 1. Get Your Own Self-Assessment Questionnaire (SAQ).
The first step for all online business owners is to download a copy of the questionnaire so you can see exactly what security measures will be expected of you.
The questionnaires are currently available only in Microsoft Word format, so if you use another word processing program, you will need to have the questionnaire converted to another format in order to open it.
There are five versions of the questionnaire, depending on what kind of credit card processor you use. Of course it's important to answer the correct questionnaire, but the descriptions of each category are written in financial technical jargon. Here is a rundown on the three questionnaires aimed at online merchants.
Fast and Easy PCI Compliance: Self-Assessment Questionnaire (SAQ) Validation TYPE 1, Questionnaire A.
Those online merchants who use, or switch to, an off-site, third-party credit card processor, and who store no customer credit card information in electronic format, are not required to perform a monthly or quarterly scan. These lucky online merchants will be able to complete the Self-Assessment Questionnaire A in about five minutes.
An off-site, third-party credit card processor is one where your customer temporarily leaves your Web site, enters their credit card information on the processor's site, and is then automatically returned to your online store afterwards. Examples include 2CheckOut and PayPal.
It is important to note that this group does not include online merchants who use the generic "Credit Card" module in open source e-commerce programs. The Credit Card module records customer financial data in your online store in electronic format, and the merchant later manually processes the credit card using a virtual terminal or a terminal with a keypad.
Questionnaire A is for this group of merchants who do not store, process or transmit financial information on their premises. Because the risk of losing customer financial data with this group is zero, the short questionnaire and affidavit are a formality that must be completed each year for record-keeping purposes.
The Long and Winding Road to PCI Compliance: Self-Assessment Questionnaire (SAQ) Validation Types 4 and 5
All other online merchants will complete the long Questionnaires C or D each year, and begin quarterly or monthly security scans of their online store.
Questionnaire C is for merchants who use a Point-of-Sale terminal connected to the Internet with a program such as Quickbooks POS. Most of these merchants are bricks-and-mortar retailers.
Questionnaire D is for all other merchants.
These extensive self-assessment questionnaires cover 12 security areas ranging from:
• Firewall password settings;
• Use of secure encryption;
• Quarterly scanning of wireless networks;
• Anti-virus, anti-spyware and anti-adware programs;
• Creation of a company Information Security Policy for employees and contractors; and
• Shredding, cross-cutting or pulping of paper documents containing credit card information.
If any item on your questionnaire is not in compliance, you must specify a date that you expect to be in compliance, and explain what actions you will take to achieve compliance.
STEP 2. Get a Free Scan.
Next, get a free scan from one of many Approved Scanning Vendors, or ASVs. It is critical that the vendor you choose be on the list of PCI-approved ASVs. The ASV will ask you for no confidential information, only your Web site name or its IP address, and ask you to confirm that you are authorized to scan the Web site. In the real world, if a criminal set up a shop and offered "free security scans" to small business owners to see if their store premises are secure, not many merchants would hand over their front door key.
But it would be easy to spoof a legitimate scanning Web site and ask unsuspecting online store owners for passwords so they can steal customer financial data. Once you select an Approved Scanning Vendor, check the list periodically to be sure the firm remains on PCI's list of approved vendors, as the approved status can change.
The free scan is normally valid for a 14-day period to allow the store owner to work on any weaknesses found, and re-scan as necessary. Some free PCI scanning sites allow as long as 60 days to continue rescanning.
In most cases the free security scan results will include a list of vulnerabilities ranging from "None" to "Urgent." Those vulnerabilities ranked at Severity 3 (High), 4 (Critical) and 5 (Urgent) will be reported on your free scan, and must be fixed.