
The PCI Compliance Myth That Could Cost You Money

Wednesday, October 1st, 2008

Everybody’s talking about Payment Card Industry (PCI) compliance and, if you’re an e-commerce merchant, you probably know by now that you have to bring your online store into compliance with the PCI Data Security Standard (DSS). But what does that actually require of you? There’s a lot of confusion about what, exactly, you have to do to achieve full compliance.

One big myth spreading among merchants is that a compliant payment gateway, shopping cart or web host is all it takes: get that established and you’re all set. Wrong! A vendor’s compliance covers only the part of the process that vendor runs; your own servers, applications, staff and procedures that store, process or transmit cardholder data remain your responsibility. That’s a common misconception, and a potentially expensive one, because the card brands, acting through your acquiring bank, can levy fines and penalties on noncompliant merchants (the PCI Security Standards Council itself does not issue fines), and a breach at a noncompliant merchant is where those penalties bite hardest.

Think of it this way: if your house has four doors and only three of them are locked, is it secure against intruders? Of course not. Each lock is a good start, but no more than that. Until all four doors are locked up tight, that house is not secure. The same goes for your e-commerce site. A compliant payment gateway, shopping cart or web host is good to have but, without compliance in every area where cardholder data is handled, you’ve got a virtual unlocked door, with a great big welcome mat for intruders just outside.

The good news is that there are companies that can help. Just as there are websites that guide you through completing and filing your taxes, there are qualified security assessors (QSAs), who perform on-site assessments, and approved scanning vendors (ASVs), who run the quarterly external vulnerability scans the standard requires, that can walk you through the steps to validated PCI compliance. It’s a complex but ultimately understandable process.

The Road to Compliance—All Gain, Little Pain
The PCI DSS itself is pretty clear. Its twelve requirements are grouped under six control objectives. Here’s what they are and some of the actions you’ll have to take to meet them:

• Build and maintain a secure network: install and maintain a firewall configuration that protects cardholder data, and change vendor-supplied default passwords and other default security settings before a system goes live.
• Protect cardholder data: be able to show that stored cardholder data is protected (and that sensitive authentication data such as the full magnetic stripe, the card verification code and the PIN is never stored after authorization), and that cardholder data is encrypted whenever it is transmitted across open, public networks.
• Maintain a vulnerability management program: use and regularly update anti-virus software, and develop and maintain secure systems and applications, including applying vendor security patches promptly.
• Implement strong access control measures: restrict access to cardholder data to the people and systems with a business need to know, assign a unique ID to every person with computer access, and restrict physical access to cardholder data.
• Regularly monitor and test networks: track and monitor all access to network resources and cardholder data, keep those logs, and regularly test security systems and processes.
• Maintain an information security policy: develop a policy that addresses information security for all personnel and keep it updated as business conditions change.

Easy, right? Okay, it may seem like anything but. No worries; take a breath and start by assessing where you stand, which means first identifying every system, application and process that stores, processes or transmits cardholder data, since those are what the standard applies to.

Here’s What You Have to Do