“PCI DSS”, or “PCI Compliance” is something that everyone with an e-commerce site is going to start hearing more and more about in the coming months. You may have already started hearing about it, and probably decided early on that you’re not a fan. I can’t say I blame you, but hear me out.
Discussions with any merchant around PCI compliance seem to move quickly towards “this is crazy rubbish!”. This is the response you’d expect from any non-believer when faced with a new religion. But hold on tight, because I’m about to go all crazy-fanatical on you! For those of you just starting to hear about this little miracle, here’s the short(ish) version. Up until a few years ago all the major credit card companies, such as Visa, Amex, and Mastercard, operated their own “security standards”: each was a set of rules and requirements that the card company placed on its customers, the banks. The banks then passed those requirements on to their customers, the merchants.
The problem was that if you were the merchant and wanted to process, for example, both a Visa card and an Amex card, you would be required to agree to comply with two separate security standards (one for Visa, one for Amex). To alleviate this problem, the card companies formed the Payment Card Industry Security Standards Council, which unified all the differing standards into one document which they called the Payment Card Industry Data Security Standard, or PCI DSS for short(…ish).
This standard applies to any merchant, be it online or offline. For this discussion however, I’m only referring to e-commerce sites. If you maintain an e-commerce operation that conforms to the PCI standard, then you are said to be “PCI compliant”. Perhaps the most shocking thing that I encounter in my line of work is that all organisations with an e-commerce site have already agreed with their bank or other payment provider that they will operate in a PCI compliant manner, but most of them haven’t even heard of it.
If I may, allow me to dispel a few common myths about PCI compliance, starting from the most common:
- It’s not my problem.
If you’re operating a merchant account on an e-commerce site, you’ve signed an agreement with your bank or payment provider stating that you are PCI compliant, and that you agree to pay the fines that result from a security breach caused by a lack of compliance. That is, you are already legally obligated to be PCI compliant.
- It’s still not my problem.
Some companies I’ve spoken to have the impression that PCI compliance for e-commerce is the responsibility of their hosting provider. This isn’t true. If your hosting provider has agreed, in writing, to give you PCI compliant hosting, then yes, they are liable. However, this is rarely the case. Sadly, it is you who has the legal agreement with your payment provider, not your hosting company.
- It’s unnecessary nonsense.
I’ll agree wholeheartedly that the PCI standard, if you read it, is incredibly detailed. A common reaction is to dismiss it as corporate nonsense that’s been written by people with far too much time on their hands. The reality is that PCI DSS is, for me, about more than just compliance – it’s my religion!
The above three myths, in that order, pretty much spell out the common path of merchants first getting exposed to PCI. First, you ignore it as if it doesn’t matter. Next, you dismiss it as someone else’s responsibility. Finally, you ignore it as if it doesn’t matter again.
What I’m here to say is that PCI DSS is not a compliance issue, it’s a quality issue. I’m sure I sound like a real preacher here, but I see the PCI standard as something like “the bible of responsible web hosting”. In this standard, you have all the components of a well-structured, properly-managed, reliable and trustworthy web hosting platform. Here are some of the major requirements of the PCI DSS standard:
- Database servers not accessible to the Internet
- Web servers behind an Intrusion Prevention Firewall
- Up-to-date virus scanners and vulnerability management
- Police background checks on anyone with high-level access to the hosting environment
- Regular security scanning and network penetration tests
- Proper information security and response policies
This is just a sample. The PCI DSS standard is massive, and contains more than 100 questions for the hosting company relating to the environment.
A few weeks ago I was standing outside a data centre and I ran into a technician for one of my competitors. I won’t say who, but I asked him, “How are you guys going with PCI compliance?” The response was “We looked into it and decided it wasn’t worthwhile”.
My argument here is simply that, if you’re running a responsible hosting environment, you should be PCI compliant already! In the list above, is there anything that doesn’t seem like common sense? Would you like to host your website with a hosting company that doesn’t have all of those requirements covered?