6 Popular E-Commerce PCI DSS Compliance Myths ExplainedAugust 27, 2014 by Daniel Humphries
PCI DSS compliance applies to any business that accepts credit cards, whether they’re e-commerce or physical merchants. After all, just because your storefront is made of pixels and not brick-and-mortar doesn’t mean the PCI council is any less interested in how you secure your customers’ sensitive data.
But PCI DSS is complex, and lots of businesses struggle with compliance. Recently, we explored common PCI DSS audit failure points. In this article, we’ll dig into some of the myths and misconceptions surrounding PCI and e-commerce specifically—and, with the help of five leading compliance and security experts, explore how businesses can remediate those issues as they arise.
Myth #1: I’ve Outsourced Data, So I’ve Outsourced Compliance
The PCI council recommends that you segregate sensitive cardholder data to reduce the scope of compliance. If your business is online-only, then you can take the principle of “reducing scope” much further than a physical merchant, by outsourcing a lot of the “heavy lifting” to a specialized e-commerce platform.
In this scenario, third-party solution providers supply you with all the PCI-compliant tools you need to build your site, including hosting and even processes payments for you. Since they’re handling all the sensitive information, the burden of compliance falls on their shoulders, and you, the merchant, can sleep easy—right?
Well, not quite, says Jeff VanSickel, a senior consultant at IT security consultancy SystemExperts: “Even though you outsource, you still have the responsibility, as the merchant, to make sure that the payment processing company is PCI-compliant, and to check every year that they continue to be PCI-compliant.”
Clauses in a contract such as, “‘Payment processor must demonstrate on an annual basis that they are PCI-compliant with respect to services’…are the bare minimum,” says VanSickel. “If I’m an [online retailer], I want them to demonstrate to me a little bit more than that.”
John Summers, vice president of security business at Akamai, a leading cloud service provider, agrees.
“You are responsible for that end-to-end [business transaction] process,” he says. “Your auditors have to take a look at it, and you have to get audit materials from that third party and … make sure the contracts are written correctly. Many times, merchants don’t understand that they’re responsible for all of that.”
After all, if you can’t show PCI auditors that you have done your due diligence about who is handling your customers’ sensitive information, then they are liable to start looking into you in much more detail…
What Should You Do?
Always maintain a close working relationship with your third-party service provider, says VanSickel, and don’t be afraid of asking for detail. For example, you could ask for the results of Web application vulnerability testing on the Web application that you’re using, he says.
“Maybe[, for example,] I’m looking for results that they did a Web application vulnerability testing on the Web application part that I’m using,” he says, noting that this is something you could ask for more information on.
Summers cautions against putting too much detail in your agreements, however.
“[PCI] gets tweaked and changed and improved over time. My counsel would be to put terms and conditions into your contract that give you a right to audit, and insist that a hosting provider provide you with all necessary audit trails and that they commit to maintaining compliance with the then-current PCI standard,” Summers says. He adds that if you get too specific, “you can lock yourself into an older version of the standard, and not keep up with it as it evolves.”
Myth #2: My Site’s Payment Processing Is Outsourced, So Phone Orders Are Worry-Free
Some merchants who outsource get a little too relaxed, and don’t realize that they can accidentally come back in scope by doing something as simple as accepting phone orders, says Daniela Hagen, compliance director of global e-commerce provider Cleverbridge.
“Some of our clients have said, ‘We are outsourcing all of the payment processing and shopping process to you, Cleverbridge—so by accepting telephone orders we are not in scope, because we are entering the order in the shopping cart, [which is maintained by Cleverbridge] directly.’”
However, Hagen says this is a big mistake, because by accepting credit card information over the phone, the phone system itself (which is usually a Voice Over Internet Protocol (VoIP) system) has suddenly come in scope.
“You should always think about threats and ways of attack, and in this scenario, a criminal could easily implement a keylogger on the computers. He could even get a lot of credit card information through the voice content,” Hagen says.
In short: By accepting that credit card directly, compliance is now your problem.
What Should You Do?
If you accept phone orders, then you will need to identify where on your networks the customer interactions involving sensitive cardholder data are happening, says Hagen. However, she adds, identifying them, limiting the scope and implementing all the applicable PCI requirements is no easy task.
You will also have to make your phone system secure. Firms such as Orecx provide security solutions for VoIP, but Hagen notes that you’ll have to talk with the vendors that sell these solutions to find out if they’re right for your business.
Myth #3: If Jeff Bezos Can Do It All By Himself, Then So Can I
Some small and midsized e-commerce merchants prefer to build their own platforms, thus retaining control over their own security and customer data. Of course, if you go down that path, then you will also have total responsibility for PCI DSS compliance—and you may want to read our article on the “Seven Deadly Sins” of PCI DSS compliance before going any further.
Meanwhile, Rick Wilson, president of e-commerce software and hosting firm Miva Merchant, says there are many factors to consider if you are hoping to fly solo, and outlines a few of the basics start-ups and SMBs often overlook. For example:
Cheap hosting is not worth the cost-savings. “Most hosting providers are not configured to do PCI-compliant hosting. Your average commodity hosting provider [that’s] charging $7 a month for Web hosting … well, it’s OK to put your blog there, but you should not host an e-commerce site on hosting like that. Realistically, you should be paying at least $59 a month or much, much more for anything … PCI-compliant.”
Shared servers bring a lot of potential problems. “Shared servers are not expressly forbidden by PCI, but do not ever have your database on the same server as your website—that’s rule number one[, as it is much easier to hack and gain access to sensitive data]. There’s no chance you’re PCI-compliant … don’t do it.”
Craigslist is not a good place to find a Web designer. “If you go to Craigslist or hire a local agency to build you a [website] … that developer is going to build the site on his computer and then come show it to you, and when it’s done, you’ll launch it. It’s usually easier to do that, from a developer’s perspective, with some open-source software that he can install on a local computer. However, with open-source software, while it is possible to build something PCI-compliant, it is a lot more challenging than most people realize.”
What Should You Do?
If you do want to go it alone, Wilson recommends that you spend money on top-quality professionals who can help you. You will need people with security and compliance expertise. You should also seriously consider outsourcing at least part of your platform; in particular, he recommends using a reputable, third-party payment gateway such as Authorize.Net or Paypal’s Payflow.
Meanwhile, you shouldn’t forget that even after you have built the site, maintaining PCI compliance incurs serious ongoing costs.
“At Miva Merchant, we spend six figures every couple of years to make sure we stay validated,” says Wilson.
Myth #4: I’m Totally On Top of My Logging and Monitoring
Now let’s say you do build your own e-commerce platform, and it works pretty well. You assemble a great team, and soon, the orders are rolling in. But as your business grows, so does the quantity of information it generates—and guess what? PCI wants you to audit and monitor that flood of data. And, say our experts, lots of small and midsized businesses (SMBs) struggle with this requirement.
“PCI should be thought of as an insurance policy,” says Wilson. Logging and monitoring is crucial, he adds, because “any time anyone is able to access sensitive data in your store, then there [will have] to be a log of it somewhere.”
Thus, if you are implementing PCI’s rules correctly, you will be able to analyze and identify instances of unauthorized access on your servers. However, this is an immense challenge for SMBs, says Hagen.
“You have to deal with hundreds to thousands of logs each day, because you have logs from servers, from security systems, from the computers that are in in scope, from your antivirus protection and so on.”
“The one thing you really lose from an SMB perspective,” adds Tim Sedlack, a compliance expert for Dell, “is the expertise on what you need to collect [and] how long you need to collect it for.”
Even storage requirements can be confusing, he adds: “Do I need to store all logs from all applications, or only the logs I’m interested in?”
What Should You Do?
Wilson again recommends that you consider outsourcing to a third party—at least to handle the payment processing.
“It’s almost impossible for a small merchant to do this themselves,” says Wilson.
If you do decide to do this alone, however, there are tools that can help you handle the flood of information coming from your logs. Some of these tools—such as Security Information and Event Management (SIEM) systems—are very expensive and difficult to operate. Other vendors sell products that are designed to help with the filtering and analysis required to make sense of logs, such as Dell’s ChangeAuditor.
“We’ve tried to automate as much of the expertise as we can,” Sedlack says. “Those general guidelines about what you collect and how long you keep logs for are automated as much as possible.”
However, he adds, the smallest number of users the system supports is 200-300. If you have less than that, and don’t want to outsource—it’s all on you.
Myth #5: WAFs? Not My Problem
Then there is the matter of the Web application firewall (WAF). PCI recommends, but does not require, that merchants protect their e-commerce platforms with a WAF. However, if you are not well-read in cybersecurity, then the distinction between a “firewall” and a “Web application firewall” may be somewhat mystifying.
Summers explains that while a traditional firewall looks at the structure of network layer protocols, Web application firewalls such as Akamai’s Kona solution provide much deeper scrutiny of the application layer.
Specific protections that you get out of a WAF that you typically don’t get out of traditional infrastructure include defense against a variety of attacks beloved of hackers—such as SQL injections or cross-site scripting—that are typically used to steal data from e-commerce and other enterprise systems.
But even if you know nothing about hacking, then Summers says a WAF offers two core benefits: “Protection against data theft, and penetration at the application layer of the business process.”
Meanwhile, VanSickel adds that using a WAF “doesn’t take away from the fact that you still need to do testing, and have secure coding practices and do code reviews. You still have to know that stuff.”
What Should You Do?
WAFs add an extra layer of security to your e-commerce site. However, they are complicated machines, says Summers.
“To use one, you have to combine knowledge of attacks at the application layer, and keep track of those threats as they evolve. You have to know which of those attacks are relevant to the way your application is structured, and which aren’t,” he explains.
“Tailoring it to your business takes time,” Summers adds, “so if, economically, it makes sense for a business to devote human resources to that, great—but it’s likely you’ll keep it up better at a lower cost to your business by leveraging third-party expertise.”
Myth # 6: No Data Is on My Site, So I’m OK
Meanwhile, another question arises in relation to WAFs: If you’re outsourcing the payment processing, but have built the rest of your site, do you need one? Sedlack says that, in fact, you might.
“If there’s no data on my site, but I still look at the transactions and get reports out of the data, and even if it ‘lives’ at that third party, well—you’re still accessing that data over [the] Web, and you should have one of these Web application firewalls and manage it appropriately,” says Sedlack.
Indeed, says Williams, sites that link out to third parties are often vulnerable; if the connections between your site and the third party are not secure, this presents an opportunity for hackers to intervene.
Williams says that a common scenario “is that as the credit card information is entered in the browser and then … sent up to the server that’s hosting the order page, there is an opportunity for thieves to steal that credit card and other information. So you [should] make sure there are application-layer protections, [such as WAFs], in front of that particular order page.”
What Should You Do?
If you want to avoid the pain of attacks on the joins of your site but don’t want to invest in a WAF, says Rick Wilson, then you should use PCI-approved vendors at all times, or focus your efforts on name-brand solution providers such as Paypal that will have been subjected to rigorous PCI compliance testing themselves. You should also consider bringing in an outside consultant or expert to advise on how secure and compliant your site really is.
PCI DSS compliance is a challenge, and small and midsized businesses often underestimate how much time and energy it will take to make certain that their platforms are compliant. If you take the time to do your due diligence, however, then you can greatly reduce the risk of something happening later, once your business is established.
It’s all about staying ahead of anyone trying to access data that would allow them to steal credit card information.
“The PCI requirements are clear,” Sedlack says, “but they do take work to accomplish. If you’re starting from scratch, it might be best to get some expert assistance in order to achieve compliance quicker than you could if you were on your own.”