Understanding the Whole PCI Compliance Pie – Which slice do you own?

by FireHost Evangelist on March 30th, 2010

When you develop Web sites that collect payment by credit card for goods and services sold online, part of your responsibility is to establish and maintain PCI compliance. Followed properly, the Payment Card Industry Data Security Standard (PCI DSS, version 1.2 at the time of writing) does a very effective job of protecting cardholder data and giving customers a safe shopping experience. Achieving compliance, however, is easier said than done, especially for startups and for developers serving small online retailers.

After reviewing the 200-plus sub-requirements, procedures, activities, and technical nuances that make up the PCI DSS, most small and startup E-commerce companies choose to outsource portions of their Web site operation to third-party service providers. Outsourcing the work does not outsource the responsibility: each party remains responsible for compliance within its own organization, and you should not fall into the trap of assuming that someone else is handling your compliance needs. Everyone involved in your online store owns a piece of the security compliance pie.

Anyone who touches or has access to cardholder data in any capacity, regardless of role, is responsible for PCI compliance. That includes the online retailer, the Web application developer, and the hosting provider.

The most important steps every E-Commerce developer should complete as they establish a PCI compliant business:

  • Step 1 – Become educated about the payment card industry mandates. Taking the time to become knowledgeable here goes a very long way.
  • Step 2 – Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties. A QSA (Qualified Security Assessor) can help with this step.
  • Step 3 – Select service partners with demonstrated expertise in protecting cardholder data and other personally identifiable information (PII).
  • Step 4 – Thoroughly review each service partner's Report on Compliance (ROC), or the Attestation of Compliance (AOC) if that is the document the provider is willing to share, to make sure there are no unfulfilled requirements or pending remediation items for critical controls.

Achieving and maintaining PCI compliance for your entire online operation starts with the online retailer, since it is the retailer's name on the "front door," not the hosting provider's or the developer's. The E-commerce retailer is the first and most pivotal piece of the pie because it is the party held liable for a breach under its merchant agreement with its acquiring bank.

In fact, PCI DSS requirement 12.8 states that if cardholder data is shared with service providers, the retailer must maintain and implement policies and procedures to manage those service providers. Specifically, the PCI DSS requires you to:

• 12.8.1 Maintain a list of service providers.
• 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data they possess.
• 12.8.3 Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
• 12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.

Being PCI compliant requires that your service providers be PCI compliant too. Your organization's security is only as strong as the weakest link in your compliance checklist, whether that link is under your own control or in the hands of a service provider you have chosen.

Let's review another PCI DSS requirement to show how each party (retailer, developer, and hosting provider) plays a role in providing a secure, PCI compliant E-commerce experience:

Requirement 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:

• 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
• 7.1.2 Assignment of privileges is based on individual personnel's job classification and function
• 7.1.3 Requirement for an authorization form signed by management that specifies required privileges
• 7.1.4 Implementation of an automated access control system

This requirement has several implications:

1) Certain business activities performed by the retailer fall under requirement 7.1. The retailer should own:

• Granting privileges to accept cardholder data received by phone, fax, or email, together with the procedures for disposing of it afterwards.
• Granting permission for service representatives to retrieve and enter payment card information into the point-of-sale system if a "glitch" in the Web application occurs.

2) E-commerce application developers build and maintain the Web-to-database "tunnel" through which cardholder data flows. The Web developer's piece of the pie therefore includes:

• Granting privileges for developers to create, test, and troubleshoot the data-provider connections that carry card data from the Web application to the database (and any API connections that pass card data to a payment processing gateway).
• Granting privileges for managing encryption keys, including key creation and retirement.
• Assigning an emergency-response chain of command and establishing who should, and who can, access the systems when a malfunction occurs.
• Assigning encryption key custodian responsibilities to named individuals.

3) The hosting provider has physical access to the systems that hold cardholder data, and in some cases logical access as well, so requirement 7.1 applies to the hosting provider too. The hosting provider owns:

• Granting privileges for physical access to storage devices that hold cardholder data, and restricting specific access points so that only the tenant can use them.
• Maintaining an emergency-response chain of command that extends the other two parties' chains, so that requests arriving under their policies and procedures can be authenticated and acted on.
• Restricting all access to key containers, repositories, or other encryption key storage devices to the tenant who owns the keys.
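The retailer's and developer's slices of requirement 7.1 can be made concrete at the database that sits at the end of the "tunnel." The following is an added example, not code from the article or from FireHost: it expresses the access limits above as PostgreSQL privileges. The `payment_cards` table, its columns, and the role names are illustrative assumptions, as are the assumptions that the PAN is stored only in encrypted form (requirement 3.4) and that the encryption keys live outside the database.

```sql
-- Added example (not from the article): requirement 7.1 access limits expressed
-- as PostgreSQL privileges. Table, columns and role names are assumptions.

-- Keep cardholder data in one narrow table so privileges can be scoped tightly.
CREATE TABLE payment_cards (
    id            bigserial   PRIMARY KEY,
    order_id      bigint      NOT NULL,
    pan_encrypted bytea       NOT NULL,  -- PAN encrypted by the application tier (assumed)
    pan_last4     char(4)     NOT NULL,  -- safe to show to support staff
    expiry_month  smallint    NOT NULL,
    expiry_year   smallint    NOT NULL,
    created_at    timestamptz NOT NULL DEFAULT now()
);

-- 7.1.4, deny by default: make it explicit that nobody has access to the
-- table or its sequence until a specific GRANT below says otherwise.
REVOKE ALL ON TABLE    payment_cards         FROM PUBLIC;
REVOKE ALL ON SEQUENCE payment_cards_id_seq  FROM PUBLIC;

-- 7.1.2, one role per job function. People receive privileges through
-- membership in a group role, never by a direct grant to a personal login.
CREATE ROLE web_app     LOGIN;   -- the storefront's service account
CREATE ROLE support_rep NOLOGIN; -- group role: service reps handling checkout problems

-- 7.1.1 for the storefront: it must write card data at checkout, but it has no
-- job reason to read a stored PAN back. INSERT only; a compromised Web tier
-- cannot SELECT the table.
GRANT INSERT ON TABLE    payment_cards        TO web_app;
GRANT USAGE  ON SEQUENCE payment_cards_id_seq TO web_app;  -- needed for the bigserial default

-- 7.1.1 for the retailer's service reps: a column-level grant exposes only the
-- fields their job needs. pan_encrypted is deliberately absent from the list.
GRANT SELECT (id, order_id, pan_last4, expiry_month, expiry_year, created_at)
    ON TABLE payment_cards TO support_rep;

-- 7.1.3: a personal login is created only after management has signed the
-- authorization form, and it inherits its rights from the group role.
CREATE ROLE jsmith LOGIN IN ROLE support_rep;

-- Developers get no grant on the production table at all; the absence of a
-- GRANT is the control. They create, test and troubleshoot the "tunnel"
-- against a test database that holds only test card numbers.

-- Evidence for the assessor: who can do what on the table, at table and
-- column level.
SELECT grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_name = 'payment_cards'
 ORDER BY grantee, privilege_type;

SELECT grantee, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE table_name = 'payment_cards'
 ORDER BY grantee, column_name;
```

Two caveats a practitioner should keep in mind. First, the account that owns the table (and any superuser) retains full access regardless of these grants, so the DBA's own logins fall under 7.1.1 as well and need the same authorization-form treatment. Second, an INSERT-only grant keeps a compromised Web tier from dumping stored PANs, but the Web tier still handles the PAN in the clear during checkout; requirement 7 complements the storage and transmission controls in requirements 3 and 4 rather than replacing them.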

Fortunately, you are not alone in deciphering the PCI compliance code. Understanding which party owns which piece of this big PCI compliance pie takes time and know-how to get your arms around. Once you become familiar with the standard, it becomes easier to define which requirements fall within your own area of responsibility and which are shared among the various parties responsible for providing the safest online shopping experience.

A version of this article appeared in eCommerce Developer on March 30, 2010.

This entry was posted on Tuesday, March 30th, 2010 at 12:01 pm and is filed under Compliance.
