Netpreneur

Up until late 2006, PCI compliance was only compulsory for merchants capturing credit card data on their sites and processing more than 20,000 transactions a year; or having been identified previously as a security risk.

PCI compliance for all Australian merchants capturing credit card data from their sites for Visa, MasterCard, American Express and Discover Financial Services transactions became compulsory way back in September 2006; but many still don't know what it actually is, let alone how to implement it. This is no fault of business owners, but it just appears that the financial institutions in Australia have had challenges getting the right information through.

With credit card data theft from large companies and organizations continuously hitting the headlines in Australia; card issuers are now demanding more from ecommerce merchants, large and small, to ensure that transactions occurring via their sites are secure. They've created what's known as the Payment Card Industry Data Security Standard (PCI DSS) or PCI compliance for short. This isn't just an Australian initiative, it's been implemented globally.

The Risks of Non-Compliance

Australian online store owners who are obligated to implement a PCI compliance program and don't become compliant may find themselves without the ability to process transactions or may face fines from the card company in a situation where security is breached. Additionally, the added protection that being PCI compliant provides can prevent damage to your business reputation and legal action by decreasing the chance of breach of your systems.

Unfortunately, achieving compliance is not something you'll be able to do totally on your own as PCI compliancy requires scanning and verification by an authorized 3rd party.

It all sounds quite frightening if you haven't been through it before and while it is a somewhat time consuming exercise and can be costly depending on the vendor you select, the process isn't as difficult as you might expect - but much of the complexity will also depend on the third party scanning vendor you engage. You should really shop around for deals on PCI compliance because you'll find huge variations on price and support.

What's Involved With PCI Compliance?

PCI compliance is a set of security precautions that must be implemented to provide maximum protection of sensitive information during any credit card transaction. The compliance criteria include specific auditing processes, some of which are automated, the others requiring some action on the part of the merchant. The Payment Card Industry Data Security Standard is referenced by all credit card issuers.

PCI compliance for most online businesses, that is merchants processing up to 6 million transactions a year, consists of two main elements: 

1. An automated scan of your site and the server you're hosted on by an authorized scanning vendor every 3 months
2. Yearly self assessment questionnaire  

Quarterly PCI Compliance Scan

The scanning vendor you select will execute a range of automated tests against your web site and the server it's hosted on and then provide a report. The scans test for hundreds of different security issues.

The report will contain a great deal of detail; much of it in technical jargon, highlighting potential problem areas in relation to severity. Depending on the issues flagged, it may be just an advisory on how you can improve your security; but there may also be critical items that prevent your site from being PCI compliant. 

A good vendor with then work with you and your web hosting company if necessary to help you address those issues. Chances are, if you are hosted on a shared server with other accounts, server based issues affecting your compliancy will affect all other clients on the server, so it's in the host's best interest to deal wit the issues.

PCI Compliance Self Assessment

In addition to the scan, you'll also need to a self assessment questionnaire; a sample of which can be viewed here (PDF). It consists of the following requirement sections:

1. Build and maintain a secure network
2. Protect and maintain client data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks

Many merchants may find the form quite off-putting given some of the jargon in the self assessment, but again, a good PCI compliance vendor will assist you with completing this form.

The Benefits of PCI Compliance

While all this may seem to be an utter pain to do, there are real benefits from achieving PCI compliance, including

• Your scanning vendor will give you a seal you can display on your site; a great reassurance to potential customers that you are able to secure their details. Many merchants experience a boost in sales when displaying recognized seals.

• You'll feel better knowing that your platform is secure to industry standards.

• You will be actively helping in the fight against fraud.

• You will help to lift the general reputation of ecommerce - and that benefits the entire industry.

Scanning Vendors

There are a wide range of choices available; some costing far more than others and doing essentially the same thing. Remember to shop around and that you don't have to find an authorized scanning service in Australia as the PCI standards are global. All PCI scans must be executed by a compliant network security scanning vendor - a list of approved vendors can be found at https://www.pcisecuritystandards.org/

Tags: credit card processing, ecommerce, pci compliance