Practical Ecommerce

PCI Compliance: Commonly Asked Questions

Editor’s note: Payment Card Industry compliance is a requirement for virtually all ecommerce merchants. But it’s also a complex and difficult topic to understand. With that in mind, Practical eCommerce is teaming with Coalfire IT Audit and Compliance, a firm expert in PCI matters, in a series of articles aimed at answering merchants’ questions about PCI compliance. For the first article in this series, we get the insights of Coalfire co-founder and president Rick Dakin. We asked Dakin two questions that we believe are representative of those that many merchants have. We’ll continue asking him and other Coalfire representatives questions throughout the series.

Dakin helps clients develop balanced approaches for effective IT governance and regulatory compliance programs. His experience results from more than 25 years in senior management with leading IT firms.

If you have a PCI compliance question, email Kevin Patrick Allen, contributing editor, at kevin@practicalecommerce.com and we’ll attempt to address it.

Practical eCommerce: PCI compliance is different for varying sizes of business. Assume a business grosses $700,000 per year and processes roughly 13,000 credit card transactions each year. What does it have to do to become compliant?

Rick Dakin: Review the PCI Data Security Standard and identify the control areas that apply to your environment. Make sure you have implemented those controls that require the use of approved payment applications, limitations on physical and computer access to cardholder data, and other security controls.

Once you are satisfied that you have implemented the relevant controls, go back to the PCI Security Standards Council website and download the qualifications sheet to determine what level of compliance report you should submit. With only 13,000 transactions per year, you are definitely a Level 4 merchant but you will have a few choices on which compliance validation requirements apply to you.

In most cases, you must obtain quarterly external vulnerability scans from an approved scan vendor (ASV) and complete a self-assessment questionnaire (SAQ) each year. Again, the type of SAQ that is appropriate for you will be highlighted in the qualification process that is listed on the PCI SSC link provided above.

As an option, Coalfire (a PCI Qualified Security Assessor) provides an online SAQ form that includes a qualification process that selects the appropriate compliance test procedures for you.

PeC: Our ecommerce company is very small. What are the chances that we’ll get caught if we don’t become PCI compliant?

Dakin: Until now, I would have to report that very few acquiring banks (i.e., merchant account providers) have implemented comprehensive programs to validate PCI compliance for level 4 merchants. Unfortunately, the chances of getting caught are increasing every day. However, I do not expect that your processor will identify your non-compliance and start issuing fines. The more likely scenario is that a botnet program will identify your site and load malware to collect cardholder data for subsequent fraudulent use by a cyber criminal. The number of level 4 merchants getting compromised is growing at an alarming rate.

At the time of compromise, a forensic investigator will assess your level of PCI compliance and determine that you were not compliant. Accordingly, all fraud conducted on cards that we identified on your compromised systems will be charged back to you. This Account Data Compromise Recovery or ADCR process enables the card brands to collect losses in the system directly from you. The cyber criminals are getting better and we typically see losses of over $50,000 when just 1,000 cards are compromised.

The other program that is picking up steam is the requirement for processors to validate that their merchants are using only PCI compliant (or PA-DSS validated) payment applications, which includes shopping carts. This requirement will probably increase your chances of being identified as non-compliant in 2010 as the deadline for PA-DSS validation approaches (July 2010).

Kevin Patrick Allen


Comments (2)

  1. cokekiller, December 1, 2009

    This series of articles leaves a bad taste in my mouth. It seems very self serving for Mr. Dakin, who owns a PCI compliance consulting company, to basically give veiled threats of fines from our bank and fines from the ADCR for having a non compliant system. Especially on a site that caters to Level 4 merchants.

    PCI really chaps my a**. I mean, what is this? This article (and the ones before it) come off almost as a mafia protection scheme. Pay us or else! I mean, the credit card industry is already a monopoly. So on top of the fact that I have to pay ridiculous fees for every product that is purchased from me, they have now pushed anti-fraud measures all the way down to lowly level 4 merchants.

    What a crock of s***. What is the real law behind all of this? Or is this simply a monopolistic industry all collectively agreeing together on a set of "standards" that users have to follow or "collectively" face the same fines? And I am still not clear WHO exactly is fined for non compliance. From my reading it is the merchant bank who is fined and not the end user. It is up to the merchant bank to put PCI compliance into our merchant account agreements, and the fine language to the end user will vary by bank and agreement.

    Why don’t you shine some clarity on that instead of giving me stupid vague threats? Am I supposed to be listening to you or waiting for some direction from my merchant bank? Clear as mud, right? Why don’t you try to impart some pertinent, non self serving knowledge? That would be helpful.

    As for a normal person’s opinion of PCI: the CC companies can stick it where the sun don’t shine. Why don’t THEY create a system that is SECURE? Wow, novel idea. I will tell you why, because I worked in a CC fraud call center: THEY DON’T CARE. They still make loads of money even with fraud. It is a cost of doing business. To actually create a better, secure system would cost MONEY. Easier to use threats and fines to push the cost off to the end user merchant, right? I may be level 4, but I am not stupid.

    In fact, I am so stupid I already thought of a system that does an end around this whole thing. QUIT giving ME the credit card info. Create a system where the user can swipe their card and the info goes straight to wherever: the bank, the CC company, the payment gateway, I don’t care. I never wanted the stupid UNSECURED credit card info anyway. Then, just return a token code (which I can reference back to) to me tied to that purchase info and deposit the purchase amount into my bank account. Wow, problem solved. No audits. No questionnaires. No paper trails. No PCI auditing/consulting companies. No lawyers. Oh wait, then everyone would need a swipe machine. Sorry. Not my problem. You created the system that uses little plastic cards. You figure it out. It is almost 2010…

    And I will really put on my tin foil hat here. I would LOVE to know how many credit card industry ties there are to "PCI Compliance Consulting" companies. Wouldn’t that be a wonderful nugget of info to know? My guess is close to 99%…

    Please end this series of self serving articles until you can tell me that EVERY level 1, 2, and 3 merchant is in compliance. Then I will start to worry.

  2. moxsapphyre, December 1, 2009

    PCI doesn’t appeal to me much either. But it’s one of those inevitable hoops that I will have to jump through as an Ecommerce Manager.

    Our merchant agreement already required us to be PCI compliant back in 2007. Not that anybody knew what that was, and our merchant bank hasn’t taken any steps at enforcing compliance.

    Calls to our merchant bank yielded ZERO answers, just a link to a PCI website (I think it was pcisecuritystandards.org).

    This whole PCI compliance situation simply sucks. Our shopping cart provider is pushing a $4000 upgrade on us with veiled threats that some of their clients that chose not to upgrade have already been fined.

    As far as I can tell, level 4 merchants aren’t required to be in compliance until July 1, 2010. We’ll end up jumping through the hoops, but not until we absolutely have to.