Secure Payments, PCI DSS, Regulatory Compliance Blog

E-Commerce Startups deal with PCI compliance

November 3rd, 2008 by admin Posted in Compliance, Merchant, PCI DSS, Payment Applications, Third-Parties

When I see someone doing something well I like to put the spotlight on it. Damon has a great blog for startups and how they can deal with security issues. You see, small companies have different needs and interests than larger companies, and thus will approach the compliance issue from a very different perspective.

When small startups try to understand the details and differences between PCI DSS, PCI PIN, and PCI PA-DSS it can be overwhelming. Throw in acronyms such as DSE, ISO, TPP, and people just stop listening.

I once was talking with a small business owner who was reading through the Self-Assessment Questionnaire (SAQ) and stopped at the first question, which basically said, Do you have a properly configured firewall? The business owner called into the back room and asked the store manager, “Hey, do we have a firewall?” The store manager replied that he thought they had a fire extinguisher which was up to date. I then watched as the store manager checked the “In Place” box on the form stating they had a properly configured firewall in place.

I’ve learned from teaching classes and developing eLearning for small businesses the following things:

  1. Small companies do not care about security
  2. Small companies do not care about regulatory compliance

So, assuming our constituents do not want to be experts in either information security or regulatory compliance, how can we convince them to do the right thing and secure their systems?

It’s very important that we digest the information for our target audience. I’ve taught this information to large and small companies alike in various industries, and each constituent has a different take-home message pertinent to the way they do business.

If there is one take-home message I would have for a web startup audience it’s that PCI only applies to you if you “store, process, or transmit cardholder data.” Now I don’t even have to define cardholder data before you ask how to get this compliance monkey off your back.

It’s simple: just don’t ever store, process, or transmit cardholder data; let someone else do it for you. A shopping cart I reviewed recently had two modes of operation:

  1. Solutions that don’t require customers to redirect
  2. Systems that redirect your customers to a payment site and then back

Small startups want to choose number two because it causes the end user to enter their credit card data at the third-party vendor, instead of the company accepting it themselves. Even if the company only accepts it for one second on their one web server, that server is in scope for PCI compliance.
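To make the scoping point concrete, here is an added example (not code from the original post or from any named vendor) of mode two: the merchant’s checkout handler only ever redirects to a hosted payment page with order details, and refuses any request in which a field looks like a card number, since accepting it even briefly would put the server in scope. The payment-page URL and field names are assumptions.

```python
"""Added example: redirect-only checkout that keeps cardholder data off the
merchant server. The hosted payment URL and field names are assumptions, not
a real processor's API."""
import re
from urllib.parse import urlencode

HOSTED_PAYMENT_URL = "https://pay.example-processor.test/checkout"  # assumed

# The only fields the merchant forwards to the hosted page: order data, no card data.
ALLOWED_FIELDS = {"order_id", "amount_cents", "currency", "return_url"}

# A run of 13 to 19 digits, optionally separated by spaces or dashes.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: most card numbers pass it, so it separates PAN-like values
    from arbitrary digit runs such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit run that passes Luhn."""
    for m in _DIGIT_RUN.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def build_redirect(form: dict) -> str:
    """Return the hosted-payment-page URL for this order, or raise if the
    incoming form carries anything that looks like cardholder data."""
    for key, value in form.items():
        if looks_like_pan(str(value)):
            # Refuse rather than forward: touching a PAN puts this server in scope.
            raise ValueError(f"PAN-like value in field {key!r}; request refused")
    params = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    return HOSTED_PAYMENT_URL + "?" + urlencode(sorted(params.items()))
```

The refusal path is also the place to log and alert: a PAN arriving at a server that is supposed to be out of scope is a process failure worth investigating, not just an input to drop.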

So, want to do away with PCI?  Don’t accept cardholder data online, and let someone else do it for you. (This doesn’t solve the problem for in-store retail sales. That’s another story.)

But what if a governing body asks me to validate compliance, or provide them a report stating we are doing everything right? Well, you can confidently fill out Self-Assessment Questionnaire (SAQ) A. This means you only have card-not-present transactions and all cardholder data functions are outsourced. SAQ A is only 11 questions, instead of the 224-question-long SAQ D (they are labeled A, B, C, and D).

11 Responses to “E-Commerce Startups deal with PCI compliance”

  2. By Ben Cecka on Nov 3, 2008

    Coming from the small business area myself I’d argue that it isn’t that the care factor is always low, for us it’s been more a matter of tearing down our old financial models and rebuilding them to include the necessary capital for security — not an easy task.

    The nice thing about the smaller business though is that it only takes 1 or 2 people to really get behind a movement to make it happen. If the money and expertise is there it can happen fast too.

  3. By Michael Dahn on Nov 4, 2008

    @Ben, I fully respect the difficulty of small businesses to deal with compliance issues. Even though your costs may be lower in dollar amounts I think the percentage is probably higher.

    I also respect the difficulty in rebuilding systems. Any small company that is doing their own software development is what I would call an “advanced” small business.

    Most small businesses are people who are non-technical and don’t want to be. They want “just the facts” to enable them to get on with their business and mitigate most of their risk. That is who I target this post towards.

  4. By Cullen on Nov 4, 2008

    I am exactly in this situation now. We have an established eCommerce site but are relaunching it from scratch and want to make sure we get off on the right foot on PCI compliance.
    You would not believe HOW MUCH confusion is out there on compliance, and when you are in the scope of compliance.
    Many supposed “experts” have told me that as long as I am not writing CC# info to a database permanently I don’t have to worry about it.
    Others have told me that if my server has SSL, I don’t have to worry about it.

    I’m a tech nerd, so I understand that if the webform resides on your server, then that server will be “processing, storing or transmitting” cardholder data. Yet even people like engineers at Rackspace have told me that I wouldn’t be in scope at this level. I even had a guy at TrustWave tell me that if I host my website on a third party webhost, PCI compliance is “their responsibility” and “I won’t have to worry about it.” Even if I get one of these $5.99/month webhosts that are -obviously- not ever going to be compliant.

    I am currently looking at this service called Braintree, which does transparent redirects for payment. Basically this SHOULD get me the best of both worlds.. a payment form that appears to the consumer to be on our site, but the data is never transmitted to our server so we stay out of scope.
    Anyone have experience with this, or know any alternatives?

  5. By jeffatrackaid on Nov 4, 2008

    Outside of the security scanning, we’ve found helping startups deal with PCI is a major issue. Keeping pace with the regulations is tough enough for security assessors let alone a startup with 1000 other things to worry about.

    I am starting to see PCI compliant hosting emerge, but it is certainly buyer beware with regards to these services.

    While outsourcing your card processing is certainly an option, there are some items to consider.

    You need to assure that your service guarantees and billing policies mesh with those of your payment processor. You will want to have a clear understanding of payment schedules, chargebacks, and other account activities, especially as your business grows. You would not want poor customer service at your payment processor to reflect negatively on your emerging business.

    Cost is another factor to consider. While PCI may be costly for a startup, third party processors often charge higher transaction fees than a direct merchant account. As your business grows, re-evaluating your costs is key.

    In working with small hosting companies, an issue I’ve discovered is that not having cardholder data can be a negative if you ever decide to sell or merge your business. Companies with memberships or other recurring revenues need to consider this risk. If you sell your business, the new owner will want to integrate payment processing into their existing systems; if you do not have the cardholder data, this may be impossible. As a result, you have to bug your clients for new cards, which could lead to cancellations.

    Cullen
    In terms of any third party service, ask them for verification documentation about their PCI compliance. They should be able to produce this for you.

  6. By Cullen on Nov 4, 2008

    I just got this email reply from the ‘ControlScan PCI Expert’

    Cullen,
    They do not. It used to be required for your webhost to be compliant, but with the rollout of version 1.2 you just have to maintain awareness of their compliance and get an agreement in place that says any data they have, they are responsible for.
    Best Regards,

    ——————————-
    Gabe
    Internet Security Technician

    ControlScan, Inc.
    Atlanta, Georgia 30339
    http://www.ControlScan.com
    ControlScan – Security That Fits.
    ——————————-

    I’m a little confused. Are you saying my webhost does not need to be PCI
    compliant?

    On 11/3/08 5:19 PM, “ControlScan Support” wrote:

    Cullen,
    You are not required to host with one of these solutions. As long as
    whichever webhost you choose will work with you to patch any
    vulnerabilities found on the server your site is hosted on and allows
    3rd party vulnerability scanning to become PCI Compliant, that will be
    sufficient. It would also greatly help if the host you choose is PCI
    Compliant themselves (and may be required depending on who you ask). You
    will also have to fill out the Self Assessment Questionnaire (SAQ)
    regardless of which option you choose. Let me know if you would like me
    to recommend some webhosts that understand and will work with you
    through the PCI process.
    Best Regards,

  7. By jeffatrackaid on Nov 4, 2008

    Cullen
    PCI compliance is per-merchant and technically has nothing to do with a specific web host. You as a merchant have to be compliant. You can use any hosting provider, but at the end of the day your hosting needs to be compliant. By using a compliant provider, you make things a little easier.

    If you get a dedicated server, you would still need to pass the security scan. A PCI compliant provider should pass the scan automatically. Even once the scan is completed, you then need to complete the SAQ which has some technical requirements that you must meet.

  8. By Joe on Feb 26, 2009

    One issue everyone seems to fail to recognize is that using a third party processor to handle your credit card transactions will not make you PCI compliant unless they provide you with a contract stating that they accept responsibility for the card data they store for you, which none of them do.

    I believe in what PCI is supposed to accomplish. I don’t want my customers’ cards to be stolen. However, the way it is being enforced as if it is law, when it is not, is going to hurt a lot of small businesses that don’t have the resources needed to resolve these issues.

4 Trackback(s)

  2. Nov 4, 2008: "I once was talking with a small business owner who was reading through the Se…" [Security Circus] | Small Business System
  3. Nov 13, 2008: PCI Blog - Compliance Demystified » Blog Archive » Small merchants cannot ignore PCI compliance
  4. Dec 5, 2008: Inside the Firewall » Blog Archive » Small companies and PCI compliance
  5. Dec 7, 2008: PCI Blog - Compliance Demystified » Blog Archive » SaaS Compliance and Levels

Sorry, comments for this entry are closed at this time.