
PCI DSS Compliance in the Cloud for Web Sites, Servers, And Colocation

pci-dss compliant datacenter

Active readers of the blog will know that I tend to write articles that you can apply to your everyday hosting. In the past, I’ve written articles on backing up your software, determining if you need a dedicated server, what exactly DNS is, and the list goes on. The one common thread these articles share is that each assumes you have some type of hosting or possibly a server. In fact, these articles assume that you’re selling, or possibly interested in selling, products online. When you branch out into selling your products online, you need to be aware of a somewhat mysterious item called the Payment Card Industry Data Security Standard, or PCI DSS. This will be the focus of today’s post, so let’s jump right into it.

What is Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment for their customers. PCI DSS compliance exists to ensure that cardholder data is not stolen and shared around the globe. As a store owner, whether that store is a website or a physical shop, it’s your responsibility to ensure your customers’ data is protected and secure. PCI DSS is a standard set by the PCI Security Standards Council (PCI SSC). You can read about the standards here:

https://www.pcisecuritystandards.org/

Contrary to common belief, PCI compliance isn’t actually a federal law in the United States; however, some U.S. states refer directly to the PCI DSS. For example, in 2007, Minnesota enacted a law that prohibits the retention of payment card data. In 2009, Nevada followed suit: in the state of Nevada, merchants are now required to comply with the PCI DSS standard, which shields those merchants from liability should a security breach occur. The following year, in 2010, Washington state incorporated the standard into law. There, merchants are not required to comply with PCI DSS, but those who do are shielded from liability. You can read more about this here:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Mandated_compliance

Now that we’ve covered what exactly PCI DSS compliance is, let’s see if this currently applies to your situation.

Do I need to be PCI DSS compliant?

To answer this question, I must first ask you one back. Are you currently taking online payments from your customers? If so, yes, I would HIGHLY recommend becoming PCI DSS compliant, especially if you’re based in the United States or the UK. To take this a step further: say you’ve set up your ecommerce site and you’ve begun taking payments. At this point, you need to decide between two options:

  1. Allowing a 3rd-party website, known as a hosted payment gateway, to process payments
  2. Taking payments directly from your website

Each method has its pros and cons. Using a 3rd party, or hosted payment gateway, is the safer route. The hosted payment gateway stores, processes and transmits the account data; you then use the 3rd party’s Merchant ID to collect the money, which greatly simplifies your PCI DSS compliance. Of course, there are different types of hosted payment gateways, which we won’t go into in this article, but they are listed below:

  1. The redirect method sends your customer to a different site to process the payment and then returns them to your site once the payment is completed
  2. The iframe method places a payment form that’s fully hosted by your payment provider into your website. The customer stays on your site and is never redirected
  3. The direct post method sends the data directly to the payment service provider
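
As an added illustration of the redirect method (this is example code written for this post, not Turnkey Internet’s code and not any real payment provider’s API), the Python sketch below shows the two merchant-side halves of that flow: handing the customer off with only an order reference, and checking what comes back before marking the order paid. The provider URL, the field names, the HMAC-SHA256 signing rule and the shared secret are all assumptions standing in for whatever a given provider documents.

```python
"""Redirect-method payment flow: what the merchant side must check when the
customer comes back from a hosted payment page.

Added illustration, not Turnkey Internet's code and not any real provider's
API. The field names, the signing rule (HMAC-SHA256 over "key=value" pairs in
a fixed order joined by "&") and the shared secret are assumptions."""
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed values: a hypothetical provider endpoint and a shared secret
# (in real life the secret comes from the provider's merchant portal).
PSP_PAY_URL = "https://psp.example/pay"
SHARED_SECRET = b"constructed-demo-secret"

# Constructed merchant-side order store: order id -> amount in cents, currency, paid flag.
ORDERS = {"ord-1001": {"amount": 4999, "currency": "USD", "paid": False}}

SIGNED_FIELDS_OUT = ("order_id", "amount", "currency", "return_url")
SIGNED_FIELDS_IN = ("order_id", "amount", "currency", "status", "txn_id")


def sign(fields, names):
    """HMAC-SHA256 over the named fields in a fixed order (assumed scheme)."""
    canonical = "&".join(f"{n}={fields[n]}" for n in names)
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_redirect(order_id, return_url):
    """Step 1: send the customer to the hosted page. No card data is touched
    here; only the order reference, amount and a signature go across."""
    order = ORDERS[order_id]
    params = {
        "order_id": order_id,
        "amount": str(order["amount"]),
        "currency": order["currency"],
        "return_url": return_url,
    }
    params["sig"] = sign(params, SIGNED_FIELDS_OUT)
    return f"{PSP_PAY_URL}?{urlencode(params)}"


def handle_return(return_url_with_query):
    """Step 2: the customer is redirected back. Never trust the query string
    on its own: verify the signature, match the amount against the order we
    created, and refuse to mark an already-paid order a second time."""
    query = {k: v[0] for k, v in parse_qs(urlparse(return_url_with_query).query).items()}
    try:
        provided_sig = query.pop("sig")
        expected_sig = sign(query, SIGNED_FIELDS_IN)
    except KeyError:
        return "rejected: missing field"
    if not hmac.compare_digest(provided_sig.encode(), expected_sig.encode()):
        return "rejected: bad signature"
    order = ORDERS.get(query["order_id"])
    if order is None:
        return "rejected: unknown order"
    if int(query["amount"]) != order["amount"] or query["currency"] != order["currency"]:
        return "rejected: amount mismatch"
    if query["status"] != "paid":
        return "declined"
    if order["paid"]:
        return "rejected: duplicate notification"
    order["paid"] = True
    return "paid"


def simulate_psp_return(order_id, status, amount, return_url):
    """Stand-in for the provider building the return URL (constructed, for the
    demo only): signs the outcome with the same shared secret."""
    fields = {"order_id": order_id, "amount": str(amount), "currency": "USD",
              "status": status, "txn_id": "txn-demo-1"}
    fields["sig"] = sign(fields, SIGNED_FIELDS_IN)
    return f"{return_url}?{urlencode(fields)}"


if __name__ == "__main__":
    ret = "https://shop.example/payment/return"
    print(build_redirect("ord-1001", ret))
    print(handle_return(simulate_psp_return("ord-1001", "paid", 4999, ret)))  # paid
    print(handle_return(simulate_psp_return("ord-1001", "paid", 4999, ret)))  # rejected: duplicate notification
```

The return redirect is just a URL the customer’s browser requests, so the signature check, the amount comparison against the order you created, and the duplicate check are what stop a tampered or replayed return from being treated as a real payment.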


If you decide to take payments directly on your website, you will be storing, processing and transmitting account data to your server. You will have to sign up for your own merchant account and comply with the highest level of the PCI DSS standards. As you can see from the above, if you’re taking online payments, you will need some level of PCI compliance to give your customers peace of mind when paying for services through your website.

Now that you know what PCI DSS compliance is, and that it applies if you’re running an ecommerce site, what are the steps you need to take to achieve PCI DSS compliance?

Steps to PCI DSS compliance

Listed below are the steps to PCI DSS compliance. You can go to https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs for a more in-depth guide to the steps you would need to take. The steps below should be taken as a general guide:

  1. Build and maintain a secure network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect cardholder data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks
  3. Maintain a vulnerability management program
    1. Use and regularly update anti-virus software or programs
    2. Develop and maintain secure systems and applications
  4. Implement strong access control measures
    1. Restrict access to cardholder data by business need to know
    2. Assign a unique ID to each person with computer access
    3. Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes
  6. Maintain an information security policy
    1. Maintain a policy that addresses information security for all personnel
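
Two of those requirements, protecting stored cardholder data and tracking access to it without leaking it, come down to the same practical rule: the full card number must never sit in a database field, a display page or a log file. The Python example below (added here for illustration; it is not Turnkey Internet’s code) shows the masking PCI DSS allows for display, at most the first six and last four digits, and a log scrubber that finds Luhn-valid card numbers in a line and masks them before the line is written. The sample log lines and card numbers are constructed test data, not real accounts.

```python
"""Two small controls behind "Protect stored cardholder data": never keep or
display the full primary account number (PAN), and keep it out of logs.

Added illustration, not Turnkey Internet's code. PCI DSS allows at most the
first six and last four digits of a PAN to be displayed; the Luhn check is the
standard card-number checksum. Sample data below is constructed."""
import re


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: first six and last four digits, everything else replaced."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes; bounded by non-digits
# so a card number embedded in a longer numeric run is not partially matched.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(line):
    """Replace every Luhn-valid card-number-looking run in a log line with its
    masked form. Returns (scrubbed line, number of PANs found) so a non-zero
    count can itself be alerted on: cardholder data reached a log."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # numeric run that is not a card number (tracking id, phone)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


# Constructed sample lines: one carries a test PAN, one a long non-card number.
SAMPLE_LOG = [
    "checkout order=ord-1001 card=4111 1111 1111 1111 amount=49.99",
    "shipment tracking=1234567890123456 carrier=demo",
]


def scrub_log(lines):
    """Scrub a batch of log lines; returns a list of (line, pan_count) pairs."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for scrubbed, n in scrub_log(SAMPLE_LOG):
        print(n, scrubbed)
```

The Luhn check is what keeps the scrubber from mangling order numbers and tracking ids that happen to be 13 to 19 digits long; the count it returns is worth feeding into monitoring, because a card number appearing in application logs at all is a finding under the requirements above.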


Following those general steps, whether you’re processing payments directly on your website or using a 3rd-party payment gateway, will help to ensure that your customers’ account data is protected and secure. It will also help to ensure you’re complying with PCI DSS standards, and while PCI DSS standards aren’t federal law in the United States, complying merchants greatly reduce the liability they could suffer from a data breach.

Currently, here at Turnkey Internet, we’re 100% PCI DSS compliant. All of our payments are secure and consistently monitored and updated to ensure that all customer data is secure. Being PCI DSS compliant at Turnkey Internet allows us to offer our customers a peace of mind that non-PCI-DSS-compliant merchants can’t offer. Personally, if a company isn’t compliant, it makes me wonder whether I can truly trust the merchant with my account data.

Hopefully this article will help guide you to a PCI DSS compliant ecommerce website that will offer the same peace of mind that Turnkey Internet offers all of our customers.

Listed below are some references that will provide you with greater detail on the process of becoming PCI DSS compliant:

Until next time

https://www.pcisecuritystandards.org/index.php

https://www.pcisecuritystandards.org/smb/

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs


Written by Jeremy on October 28th, 2014
