Understanding the PCI Compliance Pie and the Developer's Slice of It

By Chris Drake on March 26, 2010 · with 9 Comments

When you develop websites that collect credit card payments, part of your responsibility is to establish and maintain the sites' PCI compliance.

If followed properly, the Payment Card Industry Data Security Standard (PCI DSS) does an effective job of providing a safe shopping experience for customers. However, achieving compliance is easier said than done, especially for startups and small online retailers.

Woman standing in front of servers After reviewing the 200-plus policies, procedures, activities, and technical nuances that make up PCI DSS, most small and startup ecommerce companies will likely choose to outsource portions of their credit-card-payment collection needs. However, each ecommerce company is still responsible for maintaining control over its compliance. Those companies shouldn’t fall into the trap of assuming that someone else is handling their compliance needs.

Important Steps For Ecommerce Developers

Ecommerce developers should learn their responsibilities for PCI compliance matters. To do this, I suggest:

Become educated about the payment card industry mandates, and keep learning as you go.
Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties. A Qualified Security Assessor can help with this step.
Select service partners that have expertise in protecting personally identifiable information.
Review each service partner's "report on compliance" to make sure there are no unfulfilled requirements or pending remediation for critical items.

Merchants Are Responsible

The ecommerce retailer is the first and most pivotal piece of the PCI compliance pie because the company is legally liable for breaches.

In fact, PCI DSS requirement 12.8 states that if cardholder data is shared with service providers, the retailer must maintain and implement policies and procedures to manage service providers. This includes:

12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

Remember that a merchant's security foundation is only as strong as the weakest link in its PCI compliance checklist, regardless of whether the link resides within its control or in the hands of a service provider it has chosen.

Limit System Access: Who Is Responsible for What

Requirement 7.1 states there should be limited access to system components and cardholder data. Only those individuals whose job requires such access should have it. Access limitations must include the following:

7.1.1 Restriction of access rights to privileged user IDs to the least privileges necessary to perform job responsibilities
7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
7.1.3 Requirement for an authorization form signed by management that specifies required privileges
7.1.4 Implementation of an automated access control system

Implementing Requirement 7.1

Requirement 7.1 has several implications. They are:

The ecommerce retailer should oversee:
- Granting privileges for acceptance (and procedures for disposal) of credit card information received via phone, fax, or email.
- Granting permission for service reps to retrieve and input payment card information into the point of sale system if/when a “glitch” with the web application occurs.
Ecommerce application developers are responsible for developing and maintaining the web–to–database “tunnel” through which credit card information flows. Therefore, the web developer’s piece of the pie includes:
- Granting privileges for developers to create, test, and troubleshoot data provider connections that feed credit card information from the web application to the database (and potentially API connections that feed credit card information into a payment processing gateway).
- Granting privileges for managing encryption keys, and encryption key creation and retirement.
- Assigning emergency response chain of command and establishing who should and can access the systems if and when a malfunction occurs.
- Assigning encryption key holder responsibilities.
The hosting provider definitely has access to the cardholder data. Therefore, requirement 7.1 applies to hosting providers as well. In this case, the hosting provider owns:
- Granting privileges for physical access to data storage devices containing cardholder data, but also restricting specific access points to be only accessible to the tenant.
- Assigning an emergency response chain of command that is an extension of both other parties’ emergency response chains to authenticate and respond to requests originating from other parties’ policies and procedures.
- Restricting all access to key containers, repositories or other encryption key storage devices to the tenant to whom the keys belong.

Summary

Fortunately, ecommerce developers are not alone in deciphering the PCI compliance rules. Understanding which party owns what piece of this compliance pie is a something that takes time and know-how..

Once you become familiar with the standard, it will be easier to define which of the PCI compliance standards fall within your area of responsibility and which should be shared among the various parties responsible for providing the safest online shopping experience.

9 Comments

pinnacle says:

Tuesday, March 30, 2010 · 07:34 PM

OR.........you can simply use a PA DSS certified shopping cart and following the documentation provided and you don't have to worry about anything listed in this article.

funloveralways says:

Tuesday, March 30, 2010 · 07:34 PM

In my opinion this whole PIC compliance is a complete money making scheme. You have not include the crucial expenses that the PCI Compliance brings to the table.

If you are a retail store and performing less than x number of transactions you can do self assessment to get PCI Compliance. If you are exceeding the minimum limit then you have to hire a security assessment company who will charge you between 20,000 to 25,000 dollars to give you a compliance certificate! Plus each year you have to get a new compliance certificate for a minimum cost of 10 to 15K. 90% companies will fail the initial compliance test, therefore you will end up spending more money in obtaining compliance certificate then what you anticipated initially.

You may need both PCI as well as PA-DSS certificate. This new expense will put the small companies out of business or will increase the online products pricing. Which in returns kills the whole concept of buying on-line and saving money. This compliance model doesn't impact large retailers such e-bay, yahoo, amazon etc. for them 20K to 25 means nothing. But for a small company who is doing even 250K in revenue but exceeding transactions count will have to pay these additional fees. So the success of your business will become you enemy.

If you are e-commerce service provider then you must get a PCI compliance as well as PA-DSS certification (Even if you are not storing customer CC data).

Once again the e-commerce service provider has to come up with 20,000 to 25,000 for assessment and this price will go up because you will have many hosted servers offering hosted e-commerce solution, plus each year obtain a new certificate.

All these additional costs have no impact on large e-commerce solution providers or on-line retailers but small companies will suffer.

I am not sure who came up with these assessment fees but they are outrageous and will kill the small on-line industry eventually and the big companies will remain in business.

Armando Roggio says:

Tuesday, March 30, 2010 · 07:44 PM

@pinnacle

Forgive me for saying so, but I think you have over simplified the issue. If a merchant uses a hosted cart that is PCI DSS compliant then, yes, that merchant should be covered so to speak.

But the merchant is not covered because of the cart, but rather the hosting environment. A shopping cart by itself is not enough to meet the PCI DSS requirements.

And not every PCI compliant hosted shopping cart takes an online retailer's operation completely out of the PCI DSS scope. For example, if that hosted cart allows merchants to access credit card data that data must be handled in a compliant way.

And with a licensed cart, you must ensure that you have a secure hosting environment or a third-party solution that removes scope.

Armando Roggio says:

Tuesday, March 30, 2010 · 07:51 PM

@funloveralways Interesting points. I agree that it can be a challenge to become PCI DSS compliant, but I think that is the value of an article like this one.

funloveralways says:

Tuesday, March 30, 2010 · 11:01 PM

Pinnacle: Pardon me but there is a lot more to all what you summarized in two lines.

PCI Compliance and PA-DSS compliance are two different things. PA-DSS is applicable when you own the shopping cart code and you host either on your own server or with an ISP.

Yes people have many options:

So far I think www.earlyimpact.com and www.123ShopPro.com are the the only two companies in North America who have acquired PA-DSS compliance.

Rest if you are buying a shopping cart code if they are not PA-DSS compliant then even if you obtain PCI- Compliance you are still NO GOOD, because you are not PA-DSS compliant.

Fine one will argue and say go to a hosted e-commerce solution provider to get PCI compliance, but then they don't let you touch the code, therefore customization of the store becomes pain in the neck. They will let you touch the code if you are willing to pay three times the monthly fee :) like volusion allows at premium monthly account.

check out https://www.pcisecuritystandards.org/index.shtml

I completely disagree with all the nuance around PCI standards. It is purely a money making scheme and its designed to put small companies out of business.

To me as long as the e-commerce software or the hosted e-commerce solution provider is not storing customer CC data and they are using SSL and connecting to a reputable merchant service provider such as google checkout or authorize.net (They are the one who make the most money in on-line business due to monthly subscription costs and per transactions costs) why the store owner should spend any more moeny on obtaining expensive e-commerce solutions?

beats me.

Chris Drake says:

Tuesday, March 30, 2010 · 11:01 PM

@pinnacle - A lot of transactions other than standard shopping carts are happening online that requires credit cards. For example, we're seeing a growing trend in subscription-based businesses that have recurring billing requirements or variable (usage based) billing which are requiring the storage of credit cards. So you're absolutely right - partnering with a hosted cart and leveraging their PCI DSS compliance will save you time and money if you're doing a simple shopping cart environment. However, for the many cases where people "own" the transaction - I hope this article provides value. Thank you for your note.

@funloveralways - PCI compliance can be a huge challenge for a small business and being compliant is simply not affordable. We've built affordable hosting packages to really help small businesses with their compliance needs but yes - the auditor cost can be a challenge. But if you look at it from an auditors perspective - they're putting their neck on the line as well by "underwriting" you as compliant.

Even though our pricing is the lowest in the industry the reality is that many businesses still cannot afford our PCI hosting package. So they continue to gamble with their security and roll the dice everyday. I appreciate your thoughts on this subject.

pinnacle says:

Friday, April 02, 2010 · 02:10 PM

@armando,

You're right I should have expanded my point to include those you made, but I always find the fastest way from point A to B is a straight line and using a PA DSS certified cart is the straight line vs. all the information about what Developers should, can, might want to consider, etc.

uzmagardazi says:

Thursday, May 05, 2011 · 05:43 PM

I shall appreciate, if you can confirm following:

If the customer is posting credit card data to our site (even if that post is in "memory" and never stored) via a form, then our site falls within the PCI scope. Currently we are using the DLL provided by “Your pay” on the same page to send the credit card information directly to them. What PCI standard requirements we need to implement?
Do we violate PCI requirement in case the above mentioned form is available using non-protected technology i.e. http? What PCI standard requirements we need to implement?

johnclark79 says:

Friday, August 05, 2011 · 03:43 AM

PA-DSS only indicates that the application is designed to adequately protect CHD if it is properly implemented per the vendor's implementation guide. This means that the QSA will not have to validate the application properly protects the data, only that the merchant has installed the application to the vendor specifications (although there are bad PA-DSS assessments that don't mean squat so don't think just because you have PA DSS certification that your app is golden). There is still a lot of evaluation required around transmission, storing of CHD, controlloing user access, internal policies and procedures, etc.

Understanding the PCI Compliance Pie and the Developer's Slice of It

Important Steps For Ecommerce Developers

Merchants Are Responsible

Limit System Access: Who Is Responsible for What

Implementing Requirement 7.1

Summary

Related Articles

9 Comments

pinnacle says:

funloveralways says:

Armando Roggio says:

Armando Roggio says:

funloveralways says:

Chris Drake says:

pinnacle says:

uzmagardazi says:

johnclark79 says:

Sign in to leave a comment...

Popular Tags