It’s possible you have heard about PCI DSS compliance but are unsure what it is and whether it applies to you. Firstly, what does it mean? It stands for Payment Card Industry Data Security Standard, a bit of a mouthful isn’t it?
Does it apply to me and my business? – most probably. If you accept, store, process or transmit payment card data then you need to become compliant with this standard, or risk fines from your acquirer and, ultimately, losing the ability to take card payments.
Quite how you do this depends on how you handle transactions. For example, a shop with a single standalone card machine connected to an analogue telephone line will have a much simpler process (and a much shorter self-assessment questionnaire) than a business with a full ecommerce website and a telephone ordering system.
As a business accepting card payments, you will most likely have been asked by your merchant acquirer to undertake the compliance process. They will also have suggested an accredited partner, who will help you complete the relevant self-assessment questionnaire for your business and any external vulnerability scans that need to take place (these are required quarterly for any internet-facing systems in scope).
The questionnaires are relatively straightforward, but for anybody with an internet connected card machine the process starts to become more complicated. It’s not good enough to just plug the machine into the corporate network and let it reach the internet that way; it needs to be isolated from the rest of the network. This can be achieved either by segmenting your network (for example a dedicated VLAN with firewall rules that only allow the terminal to talk to your payment processor) or by placing the machine in a DMZ (Demilitarized zone). Done properly, segmentation also shrinks the part of your network that is in scope for the assessment, but you must be able to show that the segmentation actually works, not just that it was intended. This is not something that your accredited PCI partner will do for you; it will need to be configured by your IT department or an external support consultant. You will also need to answer many other technical questions regarding the setup of your corporate network.
Another stumbling block is ecommerce sites. Although your third party payment gateway such as SagePay may be compliant, the server that your website sits on may not be. Many people use hosting packages that include web space on shared servers. By their very nature, these servers accept connections on a multitude of ports, run services you neither need nor control, and give all of the admin staff at your hosting company root access. You cannot honestly attest to access control, patching or hardening on a machine like that, so it will not be compliant. The practical answer is to host the site on its own dedicated server or a VPS (Virtual Private Server), where you have sole access and full control over which services are or are not running and which ports are open or closed, and can demonstrate this to an assessor. This will need to be addressed by your website administrator.
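As an added example (not code from the original post), the check below is the sort of thing a website administrator would run on the dedicated server or VPS to show which listening services are actually reachable from the network and whether any of them are unexpected. It reads the output of `ss -Hltn` (listening TCP sockets, numeric, no header) and compares each non-loopback listener against an allowlist. The sample socket lines and the allowlist of ports 22, 80 and 443 are constructed for illustration; on a real host you would pipe live `ss` output in and set the allowlist to what your site genuinely needs.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output, one listening TCP socket per line.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*'

# Ports this server is expected to expose to the network (assumed allowlist:
# SSH for administration, HTTP and HTTPS for the site itself).
ALLOWED_PORTS="22 80 443"

# audit_listeners: reads ss-style lines on stdin and prints every listener that
# is bound to a non-loopback address and whose port is not in ALLOWED_PORTS.
# Returns 0 when nothing unexpected is found, 1 otherwise.
audit_listeners() {
    unexpected=0
    while read -r state recvq sendq local peer; do
        [ -z "$local" ] && continue
        port=${local##*:}        # text after the last colon, works for [::]:8080 too
        addr=${local%:*}         # everything before the last colon
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback-only services are not network-exposed
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED listener: $local"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Demonstration run over the constructed sample. On a real host replace the
# printf with:  ss -Hltn | audit_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners \
    || echo "Close or firewall the listeners above before signing off the questionnaire."
```

In the sample, the MySQL listener on 127.0.0.1:3306 is ignored because it is only reachable locally, while the FTP daemon on port 21 and the service on port 8080 are flagged. A one-line audit like this, kept alongside the firewall configuration and run after every change, is exactly the kind of evidence an assessor will want to see; on shared hosting you simply cannot produce it.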
Of course, the above is just the tip of the iceberg and the topic merits much further investigation. It’s something worth addressing sooner rather than later, so that it doesn’t become a skeleton in the closet for your business.
PCI DSS is not a one off event; it’s an ongoing process that requires regular maintenance tasks (patching, quarterly scans, log review, access reviews) to ensure that once you become compliant, you stay compliant. The standard itself is also revised periodically, so it is in effect a moving target.
If you haven’t already, do it soon!
Paul Cox – Technical Consultant