PCI Security: Small E-tailers Face Large Fines if Hacked
Many small online merchants don't understand much about the technology behind their e-commerce store or how vulnerable it is to being hacked. We rarely read about a small merchant's systems being broken into, because breaches at large merchants are so much more spectacular. But some security experts now say it's not a question of if you will be hacked, but when.
The Pain of Non-compliance
Small merchants who process credit cards on-site, are hacked, and have not put PCI standards in place can be fined $20 to $30 for each stolen card number (up to $500,000). If the breach is large, they may also be required to undergo a forensic audit (costs start at $10,000), be held to more stringent standards than other stores of their size, and be sued. On top of dealing with the breach itself, this is enough to effectively wipe out a small merchant.
By using off-site credit card processing, small merchants may avoid many of the hassles and security risks of on-site processing, because the merchant never touches the credit card information.
A Little Background Info
PCI (Payment Card Industry) Data Security Standards (DSS) are designed as a baseline minimum standard for credit card security. The standard emerged in 2004 when five separate card-brand programs (Visa, MasterCard, Discover, American Express and JCB) were combined into a single standard. The group first turned its attention to the largest merchants, those processing the highest transaction volumes per year, dubbed Level 1 to Level 3 merchants.
Small Merchants Now in the Spotlight
Last year the standards council began addressing Level 4 merchants, who make up the vast majority of online merchants. If your online store falls into this group, at a minimum you will be required to complete an annual PCI Self-Assessment Questionnaire (SAQ) and a quarterly network scan.
Level 4 merchants are defined as those processing fewer than 20,000 Visa e-commerce transactions per year, or up to 1,000,000 Visa transactions per year across all channels. Most small vendors fall into this category.
Beginning October 1, 2009, credit card processors and their agents who accept Visa will begin de-certifying all vulnerable payment applications. This means many small merchants will suddenly receive notices that they can no longer accept credit cards unless they have begun steps toward PCI compliance. The de-certifications must be completed within one year. The time to act is now, before your store is de-certified.
What is PCI DSS?
The PCI DSS, or Payment Card Industry Data Security Standard, is a security process to help you identify every part of your business where card data could be stolen. It covers how you retain and dispose of paper records, how your network is set up, and how you transmit and store credit card numbers and other personally identifiable information online.
The easiest way for small businesses to begin compliance is to switch to an off-site, third-party credit card processor and to store no personally identifiable information on your Web site.
Short-form Compliance for Small Businesses with Off-site Processing
In an off-site, third-party credit card processor scenario, your customers temporarily leave your Web site, enter their credit card information on the processor's site, and are then automatically returned to your online store to complete the non-financial portion of the transaction. Third-party credit card processors include 2CheckOut, PayPal and the recent entrant CRE Secure, from the open source e-commerce maker CRE Loaded.
Merchants in this group are required to complete the short, 11-question Self-Assessment Questionnaire A, which takes about five minutes.
Questionnaire A is for merchants who do not store, process or transmit cardholder data on their own systems. Because you never hold that data, the risk of losing customer card numbers from your Web site is greatly reduced, though a compromised store could still send customers to a fraudulent payment page instead of the processor's, so the integrity of that redirect still matters. The short questionnaire and its attestation of compliance must be completed each year for record-keeping purposes, and you must still maintain good practices with paper and other records.
Merchants in this category may or may not also be required to run a quarterly PCI scan of their systems, depending on their credit card processor.
Stiff Requirements for On-site Credit-Card Processing
For merchants who continue to process cards on-site, the requirements are similar, but they must answer 195 additional questions on Questionnaire C or D each year and begin quarterly or monthly security scans of their online store. They must also take active steps to fix any areas found not to be in compliance and specify the dates by which their stores will comply.
Questionnaire C is for merchants who use a point-of-sale terminal connected to the Internet with a program such as QuickBooks POS. Most of these are small retailers with a brick-and-mortar storefront in addition to their online store. Questionnaire D is for everyone else.
These lengthy self-assessment questionnaires cover the standard's 12 requirements in great detail, including:
- Firewall configuration and changing vendor-default passwords
- Encryption of cardholder data in storage and in transit
- Quarterly scanning for wireless networks and access points
- Anti-virus, anti-spyware and anti-adware programs
- Creation of a company Information Security Policy for employees and contractors
- Shredding, cross-cutting or pulping of paper documents that contain credit card information
If any item on your questionnaire is not in compliance, you must specify a date that you expect to be in compliance, and explain what actions you plan to take to achieve compliance.