Practical Ecommerce

Caveat Vendor: PCI Is Here

Here’s one of those cold-chill-up-your-spine thoughts: Every day, there are at least two new threats to data security developed by identity thieves and Internet system hackers. And it never stops. Security pros slam and lock one gate and the hordes find another chink and slither through.
Now, here’s another real spine chiller: If they make it through and steal your customers’ data, it is your fault.

Brad Caldwell

Two-thirds of the states now have laws that make it a prosecutable offense for an ecommerce merchant to fail to maintain compliance with data security standards, thereby allowing hackers, phishers and other varmints to invade its system. California was, at this writing, close to passing the Consumer Data Protection Act, which would force retailers who compromise data to reimburse banks and credit unions for the costs associated with the compromise.

And don’t try the “it’s not my server, I’m just renting space” defense. It won’t work. You collect the data, you protect it. It is a payment card industry requirement (and a legal requirement in 39 states) that everyone who collects and stores customers’ credit card and personal data be in compliance with the Payment Card Industry Data Security Standard (PCI/DSS) if they are to avoid being liable for costs incurred when data is compromised. Being in compliance is, at this point, your only defense against an industry fine or a card-issuer levy. That sounds like a daunting task that sort of takes the fun out of life and business on the Internet. But there is an army of Anti-Hackers who can help.

What is PCI/DSS?

Brad Caldwell is one of the founders of a company with a very cyber-sounding name — Security Metrics — which is in the business of testing websites for data security and vulnerability. Brad actually understands all this PCI stuff and knows how you can protect yourself without a staff of hundreds in your IT department (a department you probably don’t have anyway). We asked Brad to explain to us what PCI/DSS is.

CALDWELL: What happened was all the credit card companies had all of their own data security systems and standards and they were all different. So all of the large (retail) companies came to them and said we need to have one standard. So the credit card companies got together and created a standard that they all agreed to, which is what is now the Payment Card Industry Data Security Standard. It is all about card data security. When a card brand (e.g. Visa, MasterCard) needs the industry to comply with certain security issues, they add it to the standard and issue a date of compliance requirement.

PEC: So the question comes, who actually is liable for compliance to PCI/DSS or the protection of customer and credit card data?

CALDWELL: It is the merchant’s responsibility. The merchant is the one who is trying to attract people to purchase goods on their server. The credit card brands have determined that it is up to the merchant to be secure. What we are really talking about is, anyone who collects, stores, or transmits card data, which is pretty much anyone who takes credit cards (for payment). What PCI asks is that a merchant who has an IP that touches any kind of data be tested for security and the ability to withstand threats. If you simply have a brochure type site up that doesn’t sell anything online or collect any data, you don’t need testing. Now, if you have an office and QuickBooks and you store data in QuickBooks and you are connected to the Internet, you have to have that firewall and connection tested.

PEC: Compliance, testing, firewalls, IPs, data storage, touching the Internet, it all sounds complicated and expensive.

CALDWELL: It was, in the past. Before I started Security Metrics I was involved in selling WordPerfect for Linux online and I was concerned about hackers and security. I looked around then, and the best deal I could find was for $80,000 and that was just the first assessment. Now it’s a lot easier and much less expensive.

PEC: So how does a merchant begin the task of testing for and coming into compliance with PCI?

CALDWELL: Well, they can start by calling a company like ours. Rather than the merchant having to understand all the levels of compliance, our compliance consultants can ask a few simple questions and determine what needs to be tested and how.

PEC: What physically takes place in a test or scan?

CALDWELL: That’s a good question. We actually had a customer call up and say, “I scheduled your test for 9 this morning and nobody showed up.” What a scan is, is this: we have systems that store information on thousands and thousands of problems (vulnerabilities). Our system looks at a website and compares all of those issues with what is on that site or server. If it finds a problem, it tells you how to fix it. You fix the problem and retest. It doesn’t cost any more money to retest. When the system shows you with no vulnerabilities, then you complete a self-assessment questionnaire, which deals with things the scan can’t see, like your security and privacy policy. From there, you are compliant. If, after you are compliant, you get hacked, you should be in good shape because you are in what is called “safe harbor.” If you are in safe harbor and you get attacked, the credit card companies have said they won’t fine you and you have a viable defense against prosecution under the new laws.

PEC: What about new threats, things that come to light after or between scans?

CALDWELL: If you are using a service like ours, the credit card companies recognize that you are trying to be secure. But you may not be secure; you may have what we call a zero-day exploit — something somebody just found out about this morning, for example. Now, if you didn’t have a service like ours you would be in trouble. But if you have been scanned and were compliant you could say to the company, ‘I was compliant — I was tested a month ago and I had no problems.’

PEC: What are ramifications for a merchant who just ignores the whole security thing and doesn’t try to comply?

CALDWELL: Well, when there is a data breach and a credit card company has to reissue cards and reimburse cardholders, somebody has to pay for that. The issuer isn’t going to pay, because the merchant is the one who lost the credit card number from his system. So normally what is going to happen is there is an assessment that says you are going to have to pay for, say, 10,000 cards.

PEC: Is there a situation where the merchant can become criminally liable?

CALDWELL: There are 39 states that now have laws protecting credit card data. And the credit card brands have asked that our data be available for evidentiary purposes. We haven’t seen criminal cases yet, but we’re seeing civil lawsuits being filed — the TJ Maxx case comes to mind. But I think we’re going to have that (criminal prosecution) happening on a fairly large scale. Without certification that you are compliant with PCI/DSS, you are liable for prosecution should your data be compromised.

PEC: Where does the merchant start, if he/she doesn’t know if they’re in compliance?

CALDWELL: They can call us (or a company like us — one that is certified by the payment card industry). Our consultant will ask some questions about the site, how they take cards, how they store data, the privacy and security policy. They will look at the site with them while they are on the phone. Based on that conversation and what we see on our risk assessment console, we may recommend scanning an IP or several IPs. Our service is $140 a year per IP ($199 for two) to provide quarterly scans and assessments. When the merchant gets our assessments they need to look at them and fix whatever vulnerabilities may have come up. The merchant may also do manual scans whenever they want to at no extra cost. For instance, they may want to scan as a way of checking to see if their fixes took. Merchants might want to think about PCI/DSS compliance like they thought about anti-virus software on their computer. It is a fact of life. In the modern world of the massive Internet, with millions of computers accessing the system, it is unthinkable to collect other people’s data and not protect it. What is happening now is the onus is on the merchant. That is what PCI/DSS is all about. The good thing about it is that companies like Security Metrics have made it easy and quite affordable to comply and protect yourself and your customers.

SecurityMetrics is a Qualified Payment Application Security Company (QPASC) offering security appliances with vulnerability assessment, intrusion detection and intrusion prevention services. The company has more than 800,000 clients. It is a privately held corporation headquartered in Orem, Utah.

Michael A. Cox


  1. Legacy User October 4, 2007

    I enjoyed this piece on SecurityMetrics. Seems like a very helpful tool and pretty inexpensive. Thank you PEC!

    — *Humberto*

  2. Legacy User October 4, 2007

    I have been researching this issue for our company. I was happy to see this article but unhappy after reading it since it comes off as little more than an advertisement employing FUD (fear, uncertainty, and doubt).

    How about going into more detail about levels? We are right at the threshold of level 4-3 (20k+ transactions a month). From what I have read, the CC industry is only concentrating on the huge retailers right now (level 1, which I think is 1 million+ transactions a month). And it's uncertain if that attention will trickle down to our lowly level.

    As for fines from the CC company: it was my understanding that those were levied against the merchant bank and could be passed on to you depending on the terms of your merchant account agreement with the bank.

    I don't know anything about state laws so a list of states and possible links to resources where we can read those laws would be helpful.

    I haven't even touched on (as you can probably tell), how much this issue angers me. I'm not sure in what world PCI/DSS is exactly fair for small businesses. Up until now the CC industry made so much money they are/were able to write off any losses (as opposed to coming up with a more secure system). So NOW, instead of coming up with a more secure, uncomplicated way of processing CC payments, they decide to pass off ALL responsibility of securing their crappy, insecure, complicated CC payment system onto the actual businesses who are ALREADY paying them for the privilege of using this system.

    Where is the outrage at this decision? There is none, because no one even understands the system to begin with. Now we are expected to pay what basically amounts to a CC fraud tax to some "approved" companies provided by the CC industry. I wonder if you dug really deep how many connections you would find between these scanning companies, the CC companies, and executive family members of said CC companies.

    I know this sounds like crazy talk and I know $200 a year isn't a lot to pay for peace of mind, but CC companies really annoy me, and for them to try and absolve themselves of all responsibility for the fraud situation really rubs me the wrong way….Thanks for letting me vent ;-)

    — *Me*

  3. Legacy User October 4, 2007

    I agree with "Me" and the first post – CC companies have literally passed the buck. Just another step in the march to ultimate corporate rule, where the highest goal / aspiration is increasing corporate profits. Why not run my entire CC processing through PayPal – and circumvent dealing with them directly?

    — *Richard*

  4. Legacy User October 4, 2007

    We are a Level 4 ecommerce dealer. We use Authorize.Net with auto capture on our transactions. The customer is charged when they place the order making it unnecessary. Only Authorize.Net has the customer's credit card number in an encrypted state. We can only see the last four digits when we refund through the Authorize.Net virtual terminal.

    — *Scout*

  5. Legacy User October 4, 2007

    We have explored However we are a drop ship reseller. We can not and do not charge the customer until the last product is on the truck and shipped. Due to production schedules this could be 6-8 weeks out. does not provide the functionality to charge the card 6-8 weeks later.

    So…we HAVE to store credit card information so we can authorize the transaction properly 6-8 weeks later. I posted this issue on a supposedly expert PCI/DSS forum and the only reply I got was to try charging the customer when the order is placed. I mean that is just silly. Has anyone been charged on their credit card immediately for a product that shipped 6-8 weeks later? No. I didn't think so.

    From what I can gather, we need a third party company (say to process the transaction AND store all the CC info in a PCI compliant manner for us. Then I would be able to process a transaction 6-8 weeks later using the transaction # provided by them. That would make infinitely more sense than trying to get me (a small business with nary an IT person or data security expert in sight) to secure my website and database that I barely understand on a web server that I rent and have zero control over (and again no understanding of).

    I feel like a broken record. It all seems just a bit silly and ridiculous. Keep in mind I am open to suggestions. If anyone knows of a PCI/DSS compliant payment service that can provide the functionality I outlined above, please let me know. I am no expert and maybe this service exists. I just haven't found it yet.

    I have a feeling that it doesn't though. I think there is some type of incorrect assumption that people pay for products with CC that ship immediately and this just isn't true. So if I can't capture and store credit card info at time of purchase, how can I charge the card in 6-8 weeks?

    I was reading up on the proper methods of encryption for a database which includes double blind keys created by some kind of solid state key generator and involving 2 lockboxes and 2 different key holders. Are you kidding me! Even if I understood half of that it looks like something for launching nuclear bombs! So instead of the CC industry using smart cards or whatever and having a system where I don't have to figure out how to secure THEIR data for THEIR crappy system, this is my alternative. What a joke…

    — *me*

  6. Legacy User October 4, 2007

    Definitely agree with "Me". Credit card companies were started as "non-profit" and because of their "risk", our government allowed them to charge outrageous interest and fees. Now, they are going public... but guess what? They still get to charge those absurd interest rates and fees. To top it off, they want to pass their responsibility to the merchant and the cardholder.

    The Compliance program is nothing but a scam–just another way to milk the small to mid size businesses–the ones with the least margin of profit because they have to compete with the rest of the world. If you look closely at the companies doing the audits, I'll bet you will And if you think it will only cost you $200 a year for your audit, you are in for a surprise–between Visa and the auditing company, they continually come up with more and more requirements until you are at thousands of dollars a year–mandatory!

    Is there a pattern here–high interest rates and fees, no risk or responsibility, and you cannot go bankrupt on them? Credit card information can be secured–but it will cost the banks and credit card companies to make the necessary change. It all has to do with the account number and the necessary encryption. But then, I guess that's not their responsibility–nobody is making the credit card companies comply with their own rules.

    — *Lee*

  7. Legacy User October 4, 2007

    A portion of my statement was left out. To finish what I said… If you look closely at the companies doing the audits, I'll bet you will find a money connection to the card issuing banks (who have a definite connection to the credit card companies). It's a neat little package.

    — *Lee*

  8. Legacy User October 8, 2007

    Compliance is not a scam. PCI is out there to protect the integrity of ecommerce. Compliance is only a scam until it is actually your information that gets stolen because the website you buy from decides to cut corners.

    The easy scapegoat in this equation is the credit card companies. I do not know how you can hold a credit card company liable for a security breach on your own servers. Credit card companies created these standards because there really are internet hackers who are looking to steal credit card information online. There is no way for credit card companies to protect this data; they can only require that merchants accepting credit cards actually take the steps to ensure that customer credit card information is safe.

    PCI is not just for big companies. One third of all credit card transactions online take place on smaller websites. It is only logical that these companies should look to protect this data as well.

    Hosting customer data securely is not cheap, but if merchants choose not to do it, they are putting their customers' financial records at risk. PCI is a safety standard for the web. Complaining about it is about as silly as complaining about safety standards for buildings. It just makes sense.

    As for storing credit card information for 6-8 weeks, I don't know how you would do that and still be compliant. With our software, you can store just the authorization to charge the card for one month, but after that, you would need to reauthorize the card with the customer.

    Michelle Greer

    — *Michelle Greer*

  9. Legacy User October 9, 2007

    Me, are you charging any form of deposit? If so, there could be a workaround that might work. If not, you could have a customer fill out a pre-order form and then email them a link to a checkout page when their order comes in. As a consumer, if I were willing to wait 6-8 weeks for an item, I don't think that would be too much to ask for. It might help to explain to your customer why you have a pre-order form (because you do not want to store their credit card information for weeks at a time).

    There is no way for credit card companies to ensure that the credit card data you are storing is secure. You can preach about the evils of big business all you want, but credit card companies do not have the authority to set up merchants' server environments for them in a way that safeguards credit card data. PCI is about consumers–NOT credit card companies. PCI is ensuring that credit card information is secure. It is a lot easier to hack into a server than you may realize.

    I do sympathize for your situation, but rest assured, there is a purpose behind PCI Compliance that goes beyond passing costs on to small merchants.

    Michelle Greer

    BTW, many shopping cart software companies including our cart are already PCI/CISP certified. This means that a merchant can be PCI Compliant for as low as $29 a month. I don't think the expense has to be as high as people realize.

    — *Michelle Greer*

  10. Legacy User October 9, 2007

    "As for storing credit card information for 6-8 weeks, I don't know how you would do that and still be compliant. With our software, you can store just the authorization to charge the card for one month, but after that, you would need to reauthorize the card with the customer."

    That is exactly the roadblock that we ran up against. One month to hold an authorization. So basically after a month I have to go back to the customer and ask them to reenter their credit card info…

    I can't be the only company on all of the internet who ships items further out than 1 month. I am a B to B website. My customers understand this lead time. It's not a problem with them, but it is a limitation on all the current CC accepting systems that I have researched.

    Have you ever had an ecommerce site call or email you to come back and re-enter your CC info? I haven't. I can preorder books on Amazon months ahead of time and it ships when the book comes out. They don't contact me to reenter my credit card info. I guess I have to assume that they have the resources that I don't to PCI secure my credit card info so they can charge the card 6 months later.

    On another note. How do I even present the re-enter CC data question to the customer? One, the question itself sounds shady…and two, it makes you look like you lost the info in the 1st place so you have to ask for it again…which just makes you look incompetent. We all know any problems with CC's makes you lose a customer in an instant.

    "Credit card companies created these standards because there really are internet hackers who are looking to steal credit card information online. There is no way for credit card companies to protect this data; they can only require that merchants accepting credit cards actually take the steps to ensure that customer credit card information is safe."

    This can be where we agree to disagree. I contend that the easier solution would be to have a system that doesn't force a business to store data that could be used for CC fraud. It's THEIR system. I am not a CC or data security expert. But I have a feeling that if they wanted to get rid of this problem they could. However that would cost the CC companies a lot of $$$. With the PCI solution it costs all businesses a lot of $$$ and the CC companies little $.

    Of course this is what they want. Usually big companies can't force something like this on a business because we could take our business elsewhere. But the CC transaction system is a virtual monopoly so they know they can force this standard down our throats and save a boatload of money in the process. I would do the same thing if I could. I just don't want people to be so naive as to think they are doing this out of the goodness of their hearts. It is a solution to a huge problem THAT THEY CREATED that doesn't cost them 1 cent…How nice huh!

    But that is all spitting in the wind. I still need a PCI compliant secure way to accept credit card for orders that ship 6-8 weeks out. If anyone has more suggestions I'm still open! When I was researching this I felt like I was the only person on the face of this earth with this problem. Maybe I am. I guess as the CC industry forces PCI on more and more people, this problem will pop up more often and maybe someone will come up with a solution. Until then I guess we just keep doing the best we can…

    — *Me*

  11. Legacy User October 10, 2007

    Hmmm…that is not a terrible suggestion. It might even be possible since we don't charge the card until the last item ships, we really don't need the credit card info until that point…

    I can see where the immediate pushback will come from. Once the person enters the CC data they consider it a completed order (in their mind). That 6-8 week period would give them a long time to rethink that decision and having no credit card info we will have no recourse if they decide not to buy or buy elsewhere. Having the credit card info makes the contract to buy a little more binding.

    Thanks for the suggestion!

    — *Me*

  12. Legacy User November 30, 2007

    We are a business that only stores hardcopy information concerning CC. None of the CC info is stored electronically. However, our bank is telling us that we need to be compliant, be scanned, etc. We believe that this shouldn't apply as we are not storing any electronic data.

    I have yet to see that hacker that can get my computer to go to the file cabinet, place a slip on the scanner, scan it, then make the image available to the hacker. However, we seem to have no choice in the matter of compliance. Does anyone know any good providers that will recognize our minimal if any need for compliance? For us it does indeed appear to be a scam! We do keep our information under lock and key and shred it before disposal, so we do meet those parts of the requirement.

    — *ANON*

  13. Legacy User December 2, 2007

    We are a drop ship ecommerce store. We do charge the customer's CC upon completion of the order because a customer's order may come from several different suppliers with different ship dates. Often we do not find out that the order has shipped until several days after shipment. Different ship dates from different suppliers also presents problems with having multiple charges (for different ship dates) with only one authorization. We post the anticipated lead time on every product and we post prominently on the checkout page that the credit card will be charged at the time of order. We have not yet had any complaints or even comments about this practice from our customers.

    I am more concerned with security of data and PCI/DSS than I am about charging a customer's credit card at the time of order.

    Basically, I understand that you are not supposed to charge until a product ships, but I don't see the difference between charging a credit card or receiving payment via a check in the mail that you deposit prior to placing an order with your supplier. I've also heard that some authorizations only hold for as little as 3 days – is there a way to guarantee that an authorization will hold for 30 days?

    Ecommerce and drop shipping together present a complex problem that doesn't seem to play well with the current regulations. However, I feel that it is my responsibility to protect customers' data by not storing it.

    — *DropShipper*

  14. David Durick October 25, 2008

    In regards to the comments about needing to charge a customer 6-8 weeks or at any time after an order is taken, our software would allow you to enter that card information and then bill them anytime in the future.

    Our software is PCI compliant and the person entering the information will never see the full card number again, but our software was designed to allow you to pull that customer up and initiate a transaction on the customer’s credit card or checking account. That way, you, the business, never store the card data but you always have access to the customer and the last 4 digits of the card so you can create a transaction on that customer. If our software can be of any help to some of you, let me know.
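The storage model the thread keeps circling back to (the card number is held by a third party; the merchant keeps only a reference and the last four digits, and charges by that reference when the order ships weeks later) as an added Python example. It is not David Durick's product, Authorize.Net, or any vendor's code: the `ProcessorVault` class, its token format and the `4111 1111 1111 1111` test number are constructed for the illustration.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: rejects mistyped card numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Constructed, in-memory stand-in for the payment processor's vault.

    This is the only place a full PAN exists; in a real deployment the
    processor runs this side and it, not the merchant, is in scope for
    stored cardholder data.
    """

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}        # token -> PAN
        self.charges: list[tuple[str, int]] = []

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token, deliberately not a hash of the PAN: with a known
        # issuer prefix and check digit, hashed PANs are cheap to guess.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Charge a vaulted card by token; the PAN never leaves the vault."""
        if token not in self._pans:
            raise KeyError("unknown token")
        self.charges.append((token, amount_cents))
        return {"token": token, "amount_cents": amount_cents, "status": "approved"}


@dataclass
class MerchantOrder:
    """Everything the merchant database keeps: no PAN, no CVV."""
    order_id: str
    token: str
    last4: str
    amount_cents: int
    captured: bool = False


def place_order(vault: ProcessorVault, order_id: str,
                raw_pan: str, amount_cents: int) -> MerchantOrder:
    """Checkout: hand the PAN to the vault once, keep token and last four."""
    token = vault.tokenize(raw_pan)
    last4 = re.sub(r"\D", "", raw_pan)[-4:]
    return MerchantOrder(order_id, token, last4, amount_cents)


def capture_on_shipment(vault: ProcessorVault, order: MerchantOrder) -> dict:
    """Weeks later, when the last item ships: charge by token, not card number."""
    if order.captured:
        raise RuntimeError(f"order {order.order_id} already captured")
    result = vault.charge(order.token, order.amount_cents)
    order.captured = True
    return result


def display_card(order: MerchantOrder) -> str:
    """Masked form for refund and support screens."""
    return f"**** **** **** {order.last4}"


def stores_pan(order: MerchantOrder, raw_pan: str) -> bool:
    """Review check: does any field of the merchant record contain the PAN?"""
    pan = re.sub(r"\D", "", raw_pan)
    return any(pan in str(v) for v in vars(order).values())
```

`stores_pan` is the check worth running against a real order table export: if it ever returns True, the merchant, not the processor, is holding cardholder data.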