PCI-DSS Simplified

PCI-DSS mandates 12 security requirements:

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks (e.g. SSL)
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security.


This type of CC data CAN BE STORED on your PCI-DSS compliant server (all methods require security protection):

a. Account Number
b. Cardholder Name
c. Expiration Date
d. Service Code

The following CC data [COLOR=Red]CAN NOT BE STORED FOR ANY REASON[/COLOR] to be PCI-DSS compliant:

a. Magnetic Stripe
b. CVV, CCV, CVVC, CVC, CSC, CVD (this is the 3 digit or 4 digit verification code printed on the CC itself)
c. PIN Data (Debit Card PIN or CC Cash Advance PIN)
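As an added example (not part of the original post), here is a Python check that scans records such as application log lines or database exports for the prohibited data listed above and masks any account numbers it finds. The sample records are constructed, and the field names, the Luhn filter and the regular expressions are my assumptions rather than anything defined by PCI-DSS.

```python
import re

# Candidate PAN: 13-19 digits, optional space/dash separators, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 magnetic stripe data: %B + PAN + ^name^ + expiry (YYMM) ... (assumed format)
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Card verification code or PIN stored under an assumed field name
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc|cvd|cid)\b\s*[:=]\s*\d{3,4}", re.I)
PIN_RE = re.compile(r"\bpin(?:_?block)?\b\s*[:=]\s*[0-9A-Fa-f]{4,16}", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to filter out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the rest of the PAN is never echoed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_record(text: str) -> dict:
    """Report masked PANs (storable with protection) and data that may never be stored."""
    findings = {"pan": [], "prohibited": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings["pan"].append(mask_pan(digits))
    for label, pattern in (("magnetic_stripe", TRACK_RE), ("cvv", CVV_RE), ("pin", PIN_RE)):
        if pattern.search(text):
            findings["prohibited"].append(label)
    findings["compliant"] = not findings["prohibited"]
    return findings

# Constructed sample records; 4111111111111111 and 5500000000000004 are well-known test PANs
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 name=JOHN DOE exp=12/25 service_code=201",  # storable fields only
    "order=1002 pan=5500000000000004 cvv2=123 name=JANE ROE",                    # CVV must not be kept
    "DEBUG swipe=%B4111111111111111^DOE/JOHN^2512101?",                         # full track 1 in a log
    "order=1003 pan=4111111111111111 pin_block=A1B2C3D4E5F60718",               # debit PIN data
    "order=1004 total=19.99 status=shipped",                                    # no card data
]

def audit(records=SAMPLE_RECORDS) -> list:
    """Scan every record; any record with a prohibited category is non-compliant."""
    return [scan_record(r) for r in records]
```

Calling `audit()` on the constructed records flags the CVV, track and PIN records and passes the other two; the same functions can be pointed at real log files or exports.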

What can happen to you if you are not in compliance?

1. Fines up to $500,000 per incident
2. Remediation costs estimated at $90 to $302 per record
3. Potential customer lawsuits
4. Company reputation and brand damage

[B]Should you be afraid?[/B]

In my opinion not at all. You just need to be aware and follow the PCI-DSS protocol.

[B]Merchant Levels:[/B]

[B]Level 1[/B] = (This is the highest level and requires the most scrutiny. Unless you are a Wal-Mart you don’t have to fear) Def: More than 6 million transactions annually across all channels, including e-commerce. Req: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans

[B]Level 2[/B] = Def: 1,000,000 – 5,999,999 transactions annually. Req: Annual Self-Assessment and Quarterly Network Scans. (You will definitely need a dedicated server and some beefy security, but I assume that by then you can afford to hire a specialist to handle all of this for you; if not, you should probably not be doing this.)

[B]Level 3[/B] = Def: 20,000 – 1,000,000 e-commerce transactions annually. Req: Annual Self-Assessment and Quarterly Network Scans. (Some of you may fall into this category. If you do, you should be on a VPS or Dedicated Server with a company that guarantees PCI-DSS compliance, or run and maintain your own servers.) NOTE: Level 3 is specific about e-commerce because most CC fraud is online, so this level focuses on the bulk of the fraud they deal with.

[B]Level 4[/B] = Def: Less than 20,000 e-commerce transactions annually, and all merchants across channels with up to 1,000,000 VISA transactions annually. Req: Annual Self-Assessment and Annual Network Scans. (Most mom & pop e-commerce sites will fall into this category. It was also meant to encompass brick and mortar stores that are getting into the e-commerce game; many of these already perform a lot of transactions, but up until now those have all been in their stores. This makes PCI-DSS simpler to start with even if you are a big merchant.)

[B]What is a SAQ (Self-Assessment Questionnaire)?[/B]

INFO: When PCI-DSS was new there used to be just one questionnaire that everyone had to fill out. That was chaos, so since 2008 they have created 4 different questionnaires based on the different types and sizes of merchants. Here they are:

[B]SAQ A[/B]: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data. (This would be PayPal, payment gateway, or similar users who do not store any CC data in their store databases or on file in their office.)

[B]SAQ B[/B]: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only. (If you have seen the old machines that imprinted the CC data onto the hand forms, you know what they are talking about.) This type of questionnaire was not designed for e-commerce.

[B]SAQ C[/B]: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the internet. (Terminals connected via the Internet rather than a phone line, built-in card swipes via QuickBooks, and so on: all data is transmitted over the internet and not by mail or telephone line.)

[B]SAQ D[/B]: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ, and those merchants who do not fall under the types addressed by SAQ A, B or C. (This one is tricky: if you are an e-commerce merchant who uses a payment gateway but still stores CC data on your server for customer convenience, or you have a mixed environment, you fall here. The best way to think of it is that if you do not fit the A, B or C definitions, then you are a D.)

Instructions for SAQ V1.1 and V1.2 here: [URL="https://www.pcisecuritystandards.org/saq/instructions.shtml"]https://www.pcisecuritystandards.org/saq/instructions.shtml[/URL]

[B]Network Vulnerability Scans:[/B]

The PCI Standard requires merchants to scan all outward-facing IP addresses. These addresses sit in front of your firewall and are reachable from the Internet, so any open port on them can be attacked. The SAQ identifies and mitigates risk from the inside (behind the firewall), while the IP scans identify and mitigate risk from the outside.

See Demo Video from an ASV: [URL]http://www.qualys.com/products/demos/pci/demo.html[/URL]
(Note: I am not affiliated with Qualys, nor have I ever used them, but it's a good demo.)

[B]How to get started:[/B]

1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area. (Mom & Pops: this will be yet another hat for you to wear by yourself unless you hire someone.)
2. Determine your merchant level (1-4)
3. Determine which SAQ your organization will need to complete
4. Evaluate whether your organization will try to achieve compliance internally or engage with a QSA (Qualified Security Assessor)
5. Engage with an ASV (Approved Scanning Vendor) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced
7. Immediately address any significant deficiencies discovered during the assessment or scan
8. Retain records of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.

[B]What should you do if you are breached? – (Immediate Action Required)[/B]

1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise
2. Alert all necessary parties. Be sure to notify:

a. Your Merchant Account Provider (i.e. PayPal)
b. Visa Fraud Control Group @ 1-(650)-432-2978
c. Local FBI Office
d. U.S. Secret Service (if Visa payment data is compromised)

3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report. (Here is a step by step from Visa: [URL="http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html"]http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html[/URL])

I realize that for many out there this is overwhelming, but if you just take the time to understand the basics and know what questions to ask, you can master this and put it behind you.

[B]If you are using a HOSTED server be certain to ask your provider a few questions:[/B]

1. Are they PCI-DSS compliant?
2. If so, what LEVEL of compliance are they?
3. Also, if so, do they have specific instructions on how to make sure your site is PCI-DSS compliant on their servers?

CS-Cart is PCI-DSS compliant, but as with any software it is going to have to be tested on your installation. You will have to pass a PCI-DSS scan, and if you do not you will have to fix the issue and get scanned again. Once you pass, you just have to keep passing the scans whenever they are required for your type of business.

[B]Here are a few links that may assist you in your research.[/B]

[B]PCI Quick Reference Guide:[/B] [URL="https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf"]https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf[/URL]
[B]Docs for PCI DSS V1.2:[/B]
[B]PCI Security Standards Council Site: [/B][URL]https://www.pcisecuritystandards.org/index.shtml[/URL]
[B]PCI Compliance for DUMMIES (FREE DOWNLOAD):[/B] [URL]http://www.qualys.com/forms/ebook/pcifordummies/[/URL]
[B]ASV (Approved Scanning Vendor) that provides the free eBook:[/B] [URL]http://www.qualys.com/products/qg_suite/pci/[/URL]

You can use any ASV you wish; I only noted the above because they have the FREE book.

Good luck on your TREK!