I post at SearchCommander.com now, and this post was published 12 years 4 months 12 days ago. This industry changes FAST, so blindly following the advice here *may not* be a good idea! If you're at all unsure, feel free to hit me up on Twitter and ask.
There’s a set of “requirements” called Payment Card Industry Data Security Standards (PCI DSS) that was developed by the PCISSC Payment Card Industry Security Standards Council.
I first heard of these “requirements” in the bar on the last day at Pubcon Vegas 2008, where someone said “Trust me, you’d BETTER learn about it, because they’ll make your life miserable if you don’t…”, and they were sure right.
In 2009 one of my long time consulting clients actually began GETTING FINED by their processor for not being PCI compliant.
At first the fine was about $40 monthly, but that quickly mushroomed, and all of a sudden, they were told that it was several hundred dollars a month.
We changed shopping carts, then worked with the web host, and all was finally resolved, but it took four months and several thousand dollars. Can you afford that unexpectedly?
Before you ask “who has the authority to fine them?” you should know that in their case it was called a “fee” and not a “fine” and it was imposed by their middleman transaction processor, not Authorize.net or their bank.
The official “power” to impose that fee is actually non-existent and totally arbitrary, sort of like blockbuster charging a late fee – because they can.
Get On Top of PCI Compliance NOW
It likely won’t be long before EVERYONE that will process the credit card you take on your website will have to decline your business transactions, and this will put you out of business.
This simply designed to provide a standardized set of consistent security measures for merchants to follow that are handling credit card transactions. – i.e. it’s for our own good.
Yes it’s going to be a pain in the ass to get compliant, but it’s not nearly as bad as trying to recover fraudulent funds that get their transactions reversed after you have shipped or delivered your product, is it?
Worse, will it be as bad as finding out that not only are you being charged a “fee” but in fact, your bank will no longer accept your transactions?
All you have to do is check your site with a vulnerability scanner for PCI Compliance. There are a number of them out there, and your bank should offer one to you soon, if they haven’t already.
In some situations, you may find the need to move to web hosting platform that is claiming compliance that is willing to offer a statement about their compliance, and here’s our statement…
We are not PCI compliant.
There – do you you like that? We also have NO INTENTION of becoming a PCI compliant web host, because in doing so, we’d open ourselves to liability just by claiming we are.
I just completed an evaluation, and while I won’t go into the specifics, even though they may be fixable, they are going to be consuming, and we probably won’t be compliant in 2010.
The most frustrating thing is that the last time we scanned for this, nearly 8 months ago, we DID pass the test, although the test was from a a different source.
Also, note that I’ve yet to run an audit anywhere recently (6 hosts in the past month) and find a perfect report, so I think the entire industry has some work to do.
If any web hosts want to leave links to their PCI compliance statements as comments, please do!
What EXACTLY is the Standard?
The standard includes these 12 requirements for maintaining a secure operation:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
So there it is – right from the horses mouth – You’re gonna get screwed, and may have to move your hosting.
What can you do now?
Try this free PCI Compliance scan from Comodo. The last one we ran, got us back a 39 page report.
The report is self explanatory if you’re a tech person. If not, then you’ll need to run it by your computer service folks or admins so they can explain what’s a server issue for your web host, and what might actually be related to your shopping cart, your website, your interface, etc.
After that, start looking for a host that is willing to say they’re PCI Compliant. Then, run a test on a URL they host, and don’t just take their word for it. Remember, if they turn out not to be, YOU are the one that gets screwed.
And again, if you have any recommendations, please be sure to leave a link to their actual compliance statement. I’ll update this post in the future…