Your Guide to Achieving PCI Compliance for Self-Hosted Ecommerce Solutions


The topic of PCI compliance is immensely important to any online retailer that transmits or stores cardholder data (i.e. credit card or debit card information) in their own, physical on-site servers or remote data farms. Cardholder data that is processed through an online store and retail point-of-sale system combine to form a single transaction volume used to determine an organization’s merchant compliance level.

If PCI compliance is an entirely foreign concept to you, a good primer on the subject can be found here. Keep in mind that if you are using a SaaS or cloud-based ecommerce technology solution, like Bigcommerce, as opposed to a self-hosted or an on-premise solution, your PCI compliance is mitigated through your provider. The heavy lifting is vested expertly and wonderfully in the hands of the technology experts working for the SaaS companies, which in our professional opinion is exactly where it belongs.

For those not utilizing a SaaS or cloud-based ecommerce technology, the following information outlines the steps you must take in order to ensure that your online business is PCI compliant. Your compliance level determines the amount of work you need to do, and the levels are as such:

  • Levels 1 and 2 are for merchants processing 1,000,000 transactions or more per year
  • Level 3 applies to an organization that processes greater than 20,000 credit or debit card transactions per year
  • Level 4 applies to an organization that processes fewer than 20,000 transactions per year

In the interest of brevity, as this subject is vastly complex, we’ll concentrate this article on a Level 3 or Level 4 organization.

Self Assessment for PCI Merchant Levels 3 and 4

If you are a Level 3 or Level 4 merchant, the PCI DSS provides you the option of doing an internal assessment, whereby a qualified staff member or corporate officer from your organization can perform his or her own audit and sign-off to produce a formal PCI DSS Attestation of Compliance package indicating such.

The first steps are to determine your required compliance level and then download and review the appropriate Self-Assessment Questionnaire (SAQ) found on the PCI SSC Website. There are different SAQs for each merchant level and also different related DSS Attestation of Compliance forms for each level as well.

Before you venture down this path and attempt to download your SAQ and get started, you’ll need to first digest a six page document just to figure out which SAQ form to use in the first place. And, if you aren’t thoroughly bored and confused after doing that, you almost certainly will be after referring to the lengthy PCI glossary of acronyms and technical jargon related to the subject.

In my humble opinion (and also according to the PCI SSC themselves), the best and easiest thing to do here is to contact your merchant bank and have them help you identify which specific documents you need to use. This is an essential step, as they will often point out deviations from the standard PCI DSS they feel may apply in your case.

Level 3 merchants require quarterly external vulnerability scans by an ASV (Approved Scanning Vendor). A list of ASVs can be found here and includes such companies as Cisco Systems Inc, Alert Logic, Inc and Backbone Security, Inc, to name a few.

Completing a self-assessment questionnaire for Level 3 and Level 4 merchants is based upon the honor system, much like completing your income tax return. It’s tempting for organizations to guesstimate their way through some answers or outright fabricate them to avoid the human and physical resource expenditures required to correct vulnerabilities. Many frankly don’t understand some of the items on the SAQ to begin with.

That said, don’t be dishonest or misrepresent information on the SAQ. If you have a data security breach and your documents come under scrutiny, you can be fined heavily and, in the worst case, your merchant account(s) can be dropped by your bank/financial institution.

Achieving PCI Compliance: Getting Started

The PCI DSS contains what are actually common-sense general data security best practices for any system administration team that is used to hosting sensitive corporate information in a modern network environment.

The trouble in reaching compliance begins when an organization does not have a sufficiently experienced internal IT/IS department, and it can unfortunately discover that its internal hosting environment is wildly insecure: susceptible both to internal snooping by its own staff and to outside intrusion.

Every organization aiming to achieve PCI compliance begins in the same place, and there are three steps in the journey to adhering to the PCI DSS and becoming compliant:

  • First, Assess –– Perform your own audit to identify the cardholder data you are responsible for, take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose sensitive cardholder data.
  • Next, Remediate –– Fix the vulnerabilities you discover in priority sequence. Ideally move away from storing cardholder data at all unless you absolutely need to. Many organizations store cardholder data within their own homegrown ecommerce platforms after taking a one-off guest checkout order with no intention of using the information again. In this case, why hold onto it at all? Only a merchant looking to set up recurring billing may actually need to retain cardholder data themselves and we’ve often found that B2C ecommerce merchants typically don’t need to support recurring billing profiles.
    • Having cardholder data stored by an external qualified body instead of your own organization is ideal wherever and whenever possible, because nothing will help you reach PCI compliance more quickly than not storing or transmitting cardholder data at all.
  • Finally, Report –– Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands (i.e. Visa, Mastercard, Amex, etc.) with which you do business.

Completing the Self Assessment Questionnaire (SAQ)

The SAQ is a relatively short document (i.e. five or six pages long) and can itself be completed in a number of hours by someone qualified within your organization. The real work, though, lies in getting to the point where you can answer the SAQ questions truthfully and thoroughly, and in a manner that will actually result in achieving compliance. In so doing, an organization will doubtlessly encounter some significant technical challenges. Below is a quick outline of what you can expect, based on my own experience in seeking compliance for clients.

Technical Challenges to Satisfying the SAQ

Even if credit card data only passes through your self-hosted (i.e. non-SaaS) ecommerce platform without being stored, you are still on the hook for ensuring that any related servers you control (be it your database server, PoS system, credit card processing terminal, utility server or internet application server) are sufficiently secure and compliant.

Each server that cardholder data is stored inside or transmitted through requires:

  • Tripwire software with a notification escalation profile to alert key systems and administrators that someone may have accessed the server. A tripwire is software that detects a code change or a change in the file structure profile on a server. A notification escalation profile is a series of automated email or SMS messages dispatched to key systems personnel in the event that an intrusion is detected or an unexpected change to the file structure profile has occurred.
  • Virus scanning software installed and running daily.
  • Its operating system to be kept up-to-date with the latest security patches.
  • The containing room or server rack (i.e. the physical environment containing the computer systems running commerce related servers) to be kept under lock-and-key with limited, authorized administrative access only.
  • Entrance to/from the room by administrative personnel (including date/time and purpose of access) to be logged. These logs need to be archived and migrated off of the primary servers and housed securely elsewhere so that auditors can readily access them if required by the bank or credit card company.
  • All cardholder data retained in local storage to be encrypted using what the PCI DSS refers to as strong encryption –– see the PCI SSC Glossary of Terms for more info on that. Encryption protects the data from easily being read and utilized by attackers if stolen during a breach event.
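The tripwire item above describes two things: detecting a change to the file structure profile of a server, and escalating a notification when one is found. The following is an added example (not code from the original post or from Bigcommerce) showing the core of such a check in Python: a hash manifest is taken as the baseline, a fresh scan is compared against it, and the report is mapped to an escalation chain. The escalation policy, the notification targets and the sample web root are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 digest of a file's contents (chunked reads would be used for very large files)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """Walk the monitored tree and map each relative path to its content hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every difference between the stored baseline and a fresh scan."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def escalation_steps(changes: dict) -> list:
    """Notification chain for a change report. Assumed policy (constructed): any change
    emails the on-call admin; a modified or removed file also sends SMS and opens a ticket."""
    if not any(changes.values()):
        return []
    steps = ["email:oncall-admin"]
    if changes["modified"] or changes["removed"]:
        steps += ["sms:oncall-admin", "ticket:security-lead"]
    return steps

def demo() -> dict:
    """Constructed scenario: baseline a small web root, tamper with it, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout.php").write_text("<?php // payment form ?>")
        (root / "config.ini").write_text("db_host=localhost")
        baseline = build_manifest(root)
        (root / "checkout.php").write_text("<?php // payment form (tampered) ?>")  # modified
        (root / "unexpected.php").write_text("<?php // file nobody deployed ?>")   # added
        (root / "config.ini").unlink()                                              # removed
        changes = compare_manifests(baseline, build_manifest(root))
        return {"changes": changes, "steps": escalation_steps(changes)}
```

In a real deployment the baseline manifest must itself live off the monitored host (or be signed), otherwise an intruder who can alter files can also alter the baseline.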

Ongoing Maintenance: Mitigating Common Data Security Exploits

Physical servers need to be continually patched against newly discovered security vulnerabilities. Consider the vulnerabilities that have arisen recently in the SSL/TLS stack, such as Heartbleed and POODLE.

Note: SSL (and its successor, TLS) is the underlying encryption technology behind the HTTPS protocol for secure data transmission over the Internet.

Your web application or ecommerce platform that is processing credit or debit cards also needs to be secured against web application exploits such as cross-site scripting (XSS), which targets the client side (i.e. the web browser), and SQL injection attacks, to name a few.

How much time and costs are typically involved in reaching compliance?

On average, our experienced systems administration team will spend three to four business days securing a single server and preparing the appropriate documentation for a Level 3 or Level 4 merchant. The costs for doing so when factoring our time and the merchant’s staffing resources averages out to about $13,740 USD.

Merchants attempting to reach PCI compliance themselves however, without support from an outside partner, and who are already themselves adept at dealing with data security subject matter, can expect to spend upward of 3-4 weeks of time performing the following tasks:

  • Researching the PCI Data Security Standards (DSS)
  • Determining which level of compliance and which PCI SAQ is required
  • Securing their physical servers (often the largest and most costly aspect of the project)
  • Examining any third party plugins or software components on the servers that cardholder data passes through and ensuring they, too, are PCI compliant and can produce external documentation that proves such
  • Completing the PCI SAQ and Attestation of Compliance

For complex undertakings involving more than one onsite data center, and where a merchant is both capturing and retaining cardholder data, budget at least six weeks in your project plan and estimate related costs to be between $44,600 and $59,500 USD to reach compliance.

The above estimate factors in time for multiple staff within your organization, usually a multidisciplinary group of business analysts, system administrators, ecommerce platform developers, project managers, legal teams and resource protection staff. It also takes into account some budget for outside consultant/auditor fees, and provision to hire a third party Qualified Security Assessor.

Note however that our estimate does not factor in any additional costs related to purchasing new server racks, upgrading computer systems, adding new software licenses and installing access control systems (such as staff ID card systems) or any other physical expenses that may be required to achieve compliance.

We’ve Successfully Achieved PCI Compliance: What next?

Maintaining compliance is an ongoing process, usually involving quarterly vulnerability scans along with completing a new SAQ and Attestation of Compliance each year.

If your organization is presently at PCI compliance Level 3 and your credit card transaction volume is trending upwards at a rate of 20% or more annually, consider hiring a QSA and having a formal external security audit done every year, even if your bank doesn’t require it.

In this manner, your team won’t be faced with a last minute crunch to get it done, which results in overstatements, omissions and increased third party auditing costs. You’ll also proactively position your organization for an easy transition upward to a higher compliance level at a later time.

The post Your Guide to Achieving PCI Compliance for Self-Hosted Ecommerce Solutions appeared first on The Bigcommerce Blog.