What is PCI Compliance?
PCI-DSS compliance (as well as PA-DSS for application development) has been around for a long time now. It was established by the leading card companies as a set of rules governing how any company that stores, transmits or processes card details online builds, implements and runs its systems. Visit the PCI Security Standards Council for more information.
As of 1 July 2010, full PCI-DSS compliance is required for ALL merchants accepting card details. Merchants who are not fully compliant risk heavy fines, a costly audit or, worse, having their credit card processing privileges revoked.
What’s the big deal?
It amazes me, after about 40 hours of reading various articles, just how clueless the industry generally is on PCI compliance standards. The larger companies out there are far more aware, while the small ones still walk on, some not even knowing what it is. Furthermore, the documentation is very hazy and in general, companies just aren’t sure what they should be doing to make sure they are compliant. Every person I have spoken to has a very different view on what they need to be doing to be compliant. Some think it is essential to have several dedicated servers, while many argue that your site will sit comfortably on a shared server. I agree with the dedicated server route where you are storing or processing the card details yourself – but seeing so much variance concerns me.
What do you need to do?
At Optix Solutions we have endeavoured to make sure all our e-commerce clients are fully compliant, and have done so for many years now. Our dedicated servers are ISO 27002 standards compliant. Here are some of the other tactics you should adopt to make sure your business is fully PCI compliant (I am not a Qualified Security Assessor, so please remember these are just my personal view):
1. Use a validated payment application. At Optix Solutions, we work closely with Sage Pay to outsource the payment stage of the transaction, so that compliance for that stage is not necessary for us, as their certificate covers it (please note, we do code to the PA-DSS standards but don’t undergo an audit, because the costs run into the tens of thousands). The big drawback of this is that payments do have to leave your website to go to Sage Pay, but the costs associated with PA-DSS and a higher level of PCI compliance just don’t make it beneficial (it will cost tens of thousands, including 3 dedicated servers and regular audits!). Sage Pay also offer a new inFrame solution to make it look as though the customer is entering the details into your site – we are currently experimenting with its integration, as there are some limitations, but we will discuss these with our customers depending on their needs. Finally, a new tokenisation system that Sage Pay also offer means the customer can store credit card details for processing next time, which has historically been a problem when using a payment application. This means that one-click or rapid checkout is easily possible without affecting your level of compliance.
2. Install SSL. For the inFrame solution, SSL is required to ensure you are PCI compliant. For other integration methods this isn’t necessary, but it is certainly advisable.
3. Take the online self assessment questionnaire. Available here, the online SAQ MUST be completed by ALL merchants. Failure to do so means you are not PCI compliant. If you implement the 2 stages above, you will only need to complete Validation Type 1.
In conclusion, it is worth noting that PCI compliance cannot be avoided: heavy fines will be imposed, or card processing privileges revoked, if it is. By following the 3 steps above, you ensure that your e-commerce platform is fully compliant.