By Calvin Luttrell
May 7, 2009
If you run an e-commerce Web site that accepts Visa and MasterCard credit cards, your Web site software and hosting infrastructure must meet certain guidelines according to Visa. Visa has turned up the heat every year as credit card fraud soars. Up until recently, you have not had much in the way of requirements for secure online Web transactions. Many sources, including online merchants, have leaked credit card numbers to hackers, costing Visa and MasterCard millions of dollars in fraud protection. This situation, for Visa and MasterCard, is not sustainable long term.
Over the years, Visa has cranked up requirements for software, announcing new levels of PCI compliance. Luckily, this has so far only involved very large merchants, who are of higher risk because their sales exceed 20,000 transactions in one year’s time. Visa’s self-assessment checklist requires you to use a PABP-certified platform (Payment Application Best Practices), a standard that has already been superseded by PA-DSS certification. These certifications mean that your software is designed to comply with PCI guidelines on how cardholder data is handled in your environment, meaning your system is secure according to the best practices.
Many businesses have enjoyed accepting credit cards online using basic security like SSL. SSL provides an encrypted connection between the Web server and the Web browser, so a purchase or the submission of sensitive data is well protected while the data is in transit; any party attempting to sniff that traffic for credit card numbers would be foiled. However, SSL protects nothing once the data is stored: once cardholder data sits in a database somewhere in your IT infrastructure, you are responsible for how it is protected. Your customers’ cardholder data must be protected at all costs. If cardholder data is compromised through your system, you can be fined $25,000 and be placed in a high-risk category, which would require you to pay high-priced consultants to baby-sit your operation.
To limit exposure, only a few staff should have access to cardholder data, and only for transaction purposes. Every attempt to access cardholder data should be logged in a database table along with the user who accessed it. The data should be stored encrypted and masked on any Web page that displays it, so that it cannot be read by someone looking over your shoulder. No error logs or messages should ever contain the card number portion of the cardholder data, and you should never store the 3-digit card security code (CVV2/CVC2) that is used to make a card-not-present transaction more secure.
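As an added illustration of the logging and display rules above (example code written for this edit, not code from the article or its author): a Python logging filter that masks any Luhn-valid card number before a record reaches a log file, and an audit entry that records who looked at a card and shows only its last four digits. The logger name, the user "alice", the order number and the test card numbers are constructed samples.

```python
import io
import logging
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed

def luhn_valid(digits):
    """Luhn checksum, so order numbers or timestamps that merely look like PANs are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep only the last four digits, the usual on-screen form for a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_pans(text):
    """Replace every Luhn-valid card-number-looking run in text with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)

class PanRedactingFilter(logging.Filter):
    """Attached to a logger, so no handler (file, syslog, e-mail) ever receives a full PAN."""
    def filter(self, record):
        record.msg = redact_pans(record.getMessage())
        record.args = ()  # the message is fully interpolated now
        return True

def audit_card_access(logger, user, pan, purpose):
    """Audit entry for staff viewing cardholder data: who, why, and only the last four digits."""
    logger.info("card access: user=%s purpose=%s card=%s", user, purpose, mask_pan(pan))

def run_demo(messages):
    """Log constructed (message, args) pairs through the filter; return the lines a handler wrote."""
    stream = io.StringIO()
    logger = logging.getLogger("pci_demo")  # constructed logger name
    logger.handlers, logger.filters = [logging.StreamHandler(stream)], [PanRedactingFilter()]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    for msg, args in messages:
        logger.error(msg, *args)
    audit_card_access(logger, "alice", "4111 1111 1111 1111", "refund lookup")  # constructed sample
    return stream.getvalue().splitlines()
```

A 16-digit order number that fails the Luhn check is left untouched, so the filter masks card numbers without destroying other identifiers in the same message.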
The data server must not be directly on the Internet. It must be protected by a firewall in a DMZ, accessed only by Web servers also protected by firewalls. Your hosting provider must guarantee these conditions for proper e-commerce sales.
Your existing IT infrastructure must be secure for a modern e-commerce security position in a global marketplace. The threats are real and they are increasing every day. We can either move on it or have issues with Visa later, possibly forcing us to use Google Checkout or some other PCI Compliant payment system, which increases overhead.
If your systems are up to snuff, be thankful you have thought this through already. If you haven’t, make sure you have everything in place, including PCI compliance scanners. These scanners help build customer trust, as well as check for common threats to your Web site. The more of this we handle on our own, the less Visa will want to regulate payment system technologies.
If your system is not up to speed and you’re not sure how to pay for the upgrades, try renegotiating your merchant services for lower sales commissions. This can save even a small business a couple hundred dollars a month. Somewhere in your operations budget, you can find a little something and begin to move toward a more secure platform. I strongly encourage you to read more at http://www.pcicomplianceguide.org/. Things change quickly in the program, but you could be getting letters for check-up of compliance from your merchant bank as early as 2010.
Calvin Luttrell credits his experience as a senior support technician at GoldMine Software for providing exposure and instilling the values that would later become the cornerstone of his business ethos: To develop and maintain an environment of mutual support and encouragement, where a team works together to achieve a common goal. For more information visit www.projectthunder.com.