Payment Card Industry (PCI) compliance is composed of an intricate set of rules that affect millions of online businesses. These are validation regulations, set forth as security measures, that protect the confidential information of customers and business owners when transactions are conducted online with payment cards. They affect internet vendors, retail merchants and other merchant services providers.
The Payment Card Industry Data Security Standard (PCI DSS) is an in-depth set of international security requirements that protects cardholder data. It was developed by VISA and the PCI Security Standards Council to promote the adoption of consistent data security measures worldwide. Who then needs to be PCI compliant? It covers merchants and service providers who store, process or transmit credit card numbers. The program applies to all types of payments, including card-present, mail/telephone order and ecommerce transactions.
As Defined by VISA There Are Four Levels of Merchants:
• Merchant Level 1 - Any merchant, regardless of acceptance channel, processing over 6M VISA transactions every year.
• Merchant Level 2 - Any merchant, regardless of acceptance channel, processing 1M to 6M transactions per year.
• Merchant Level 3 - Any merchant processing 20,000 to 1M VISA ecommerce transactions per year.
• Merchant Level 4 - Any merchant processing less than 20,000 transactions per year.
Any company that stores, processes or transmits cardholder data on behalf of another individual or company is defined as a “service provider”. Web host providers are categorized as service providers under the governing rules of PCI compliance. There are two levels of service providers: Level 2 requires self-assessment and quarterly remote network scans, and Level 1 additionally requires a thorough on-site audit by a 3rd party.
Web hosts are required to complete a Self-Assessment Questionnaire (SAQ) to become certified as PCI compliant. There are five validation types that determine which of the four SAQs needs to be completed. Most online ecommerce systems fall under SAQ validation types 1, 4 and 5. SAQ validation type 4 merchants have specific requirements to fulfill, which mandate the use of certified PCI compliant 3rd party service providers as indicated in SAQ Questionnaire C (SAQ-C).
Under Type 4, all that is needed to achieve PCI DSS compliance under the SAQ-C is the use of a dedicated server. The dedicated server needs to be configured so that it can pass the required quarterly vulnerability scans. Tuning the dedicated server to meet PCI DSS compliance for SAQ-C is not a hard task to accomplish, but it needs the competence and experience of a systems administrator. Vendors like McAfee Secure can deliver the PCI vulnerability scans and PCI compliance certificates, as well as other information that you might need to pass your PCI DSS requirements. It is more convenient to subscribe to a scanning service like McAfee Secure for your ongoing PCI compliance scanning. The SAQ-C, along with the vulnerability scan, must be submitted to your merchant account provider to show compliance with the requirements of PCI DSS.
How can you tell if your web hosting provider is PCI compliant? Simply ask them. If they are telling the truth they can provide you with a copy of their Certificate of Validation from their most current annual audit. If they cannot give you a copy of the validation then they are stating their claim of being compliant based on their own self-assessment without an external validation.
The PCI DSS requirements are a clear sign of what one can expect from ecommerce economics in the near future. It is highly recommended that you ask your hosting provider to include a maintenance agreement that covers ongoing PCI DSS compliance of your ecommerce system. The reason for this is that the Payment Card Industry is constantly reviewing its requirements, so a pass today does not mean much for a pass six months from now.
Installing and maintaining a firewall configuration to protect cardholder data is one of the requirements for PCI compliance. This is something that the web hosting provider is solely responsible for. The web host provider uses a host-based firewall with packet inspection, configured strictly so that only the necessary traffic is allowed through. Web hosts use defense in depth, adding multiple layers of security so that no single breach of one security layer results in a compromise of the system.
Web hosts should protect cardholder data by using an SSL (Secure Sockets Layer) certificate, allowing all communications to happen over HTTPS. This effectively encrypts all data between the web server and the end user’s browser. Web hosts are responsible for comprehensive testing of this system to ensure that it is as well protected as it should be.
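The firewall and HTTPS requirements above are easy to state and easy to drift from between quarterly scans. As an added example that is not part of this article and not any hosting provider's or scanning vendor's tooling, the Python script below does the two checks a systems administrator would run before the scan: it reads listening sockets in the shape of `ss -ltn` output, flags services bound to every interface that the allow list does not cover, renders a default-deny nftables ruleset for the allowed ports, and checks that plain HTTP permanently redirects to HTTPS and that the HTTPS response carries a Strict-Transport-Security header. The allowed ports, the admin subnet (203.0.113.0/24), the hostname shop.example, the 180-day HSTS floor and every sample input are constructed assumptions.

```python
"""Pre-scan checks for a dedicated ecommerce host: is anything reachable that
the site does not need, and does the web tier force HTTPS?
Every input is a constructed sample; allow lists, subnet and hostname are assumed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed policy for a card-accepting web host.
ALLOWED_PUBLIC_PORTS = {80, 443}                         # 80 exists only to redirect to 443
ADMIN_PORTS = {22}
ADMIN_SUBNET = ipaddress.ip_network("203.0.113.0/24")    # documentation range, assumed
HSTS_MIN_AGE = 15552000                                  # 180 days, an assumed policy floor

# Constructed output in the shape of `ss -H -ltn` (listening TCP sockets).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
"""
# Constructed responses in the shape of `curl -sI` against both front doors.
SAMPLE_HTTP_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Location: https://shop.example/
Content-Length: 0
"""
SAMPLE_HTTPS_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) pairs from `ss -ltn` style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_RE.match(fields[3])
        if m:
            addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
            listeners.append((addr, int(m.group("port"))))
    return listeners


def unexpected_exposures(listeners: List[Tuple[str, int]]) -> List[int]:
    """Ports bound on every interface that no allow list accounts for.
    Loopback-only binds are fine; wildcard binds are what an external scan sees."""
    permitted = ALLOWED_PUBLIC_PORTS | ADMIN_PORTS
    return sorted({port for addr, port in listeners
                   if addr in ("0.0.0.0", "::", "*") and port not in permitted})


def nftables_ruleset() -> str:
    """Default-deny host firewall: a stray wildcard bind (3306 above) stays
    unreachable from outside even before the service itself is fixed."""
    pub = ", ".join(str(p) for p in sorted(ALLOWED_PUBLIC_PORTS))
    adm = ", ".join(str(p) for p in sorted(ADMIN_PORTS))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f"    tcp dport {{ {pub} }} accept",
        f"    ip saddr {ADMIN_SUBNET} tcp dport {{ {adm} }} accept",
        "  }",
        "}",
    ])


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Status code and lower-cased header map from a raw HTTP response head."""
    status_line, *header_lines = raw.strip().splitlines()
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers


def https_enforcement_findings(http_raw: str, https_raw: str) -> List[str]:
    """Findings against 'all communications happen over HTTPS'."""
    findings = []
    status, headers = parse_response(http_raw)
    if status not in (301, 308) or not headers.get("location", "").startswith("https://"):
        findings.append("plain HTTP does not permanently redirect to HTTPS")
    _, headers = parse_response(https_raw)
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HTTPS response lacks Strict-Transport-Security with max-age >= {HSTS_MIN_AGE}")
    return findings


if __name__ == "__main__":
    print("unexpected wildcard-bound ports:", unexpected_exposures(parse_listeners(SAMPLE_SS_OUTPUT)))
    print(nftables_ruleset())
    print("HTTPS findings:", https_enforcement_findings(SAMPLE_HTTP_RESPONSE, SAMPLE_HTTPS_RESPONSE))
```

Run it with a real `ss -H -ltn` capture and `curl -sI` responses in place of the samples. A non-empty result from either check is the kind of item a quarterly scan would report, and the rendered ruleset shows what "allow only the necessary traffic" looks like as a concrete host firewall: everything not listed is dropped by policy, and administrative access is confined to one source network.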
Finally, the true value of PCI is seen through the eyes of your customers. When your customers perceive your website to have advanced security measures protecting them, they are likely to have total confidence in you and the services that you offer, resulting in a better return on your investment and online business success.