Achieving PCI-DSS Compliance - How-to...


ploughguy


I use eWay to process card payments.  They recently signed all their customers up to Trustkeeper, allegedly to help us all become PCI-DSS compliant, although some cynics say it was a shameless grab for $150 per customer since it was delivered on an opt-out basis right at peak tax return time so most people would have assumed it was junk mail and not read it.  I only discovered I was enlisted when I was reconciling my bank account and found a $149 payment that I was not expecting.

Anyway, for $149 I found out that PCI-DSS exists which is a benefit in itself.  I started going through the audit questionnaire.  It includes questions like “Does your organisation adhere to modern development practices?”  Well, yeah, I use Coda rather than vi, if that is what you mean. No punch cards...   It is not at all what they mean, I suspect, but they don’t actually say what they do mean.

There is a whole section on firewalls.  These, of course, are provided by my hosting service.  I opened a ticket asking if they are PCI-DSS compliant.  Got an answer that said yes.  Added some other questions to the ticket and a different guy (they are all guys - well, boys probably) answers and says “well, ac-tuallee, **cough**, your plan is so old (I installed CC 4.3.4 in 2009) that it is -not- PCI-DSS compliant”.  Well, who even knew it was optional?

These are just examples - I am going to fail compliance immediately because I am still running CC 4.3.4, so my personal problems are huge...

What I want to do is start an ongoing discussion about the need for compliance in the first place, the meaning of the questions, and ways of achieving compliance for small store operators and CC software developers.

Doesn’t that sound almost as much fun as discussing tax returns?

So - do you think you are compliant? If not, why not and do you know what you can do to fix it?


If you use a payment gateway that sends the customers to the payment processor's site (like PayPal or Authorize.net SIM - don't know about eWay), then being PCI-DSS compliant is not really your concern. If your customer stays at your site, even if the payment processor sends an iframe from their site, then the onus is on you.

But keep this in mind: you can pass all the expensive and thorough professional auditing of your site and organization and have dozens of certifications. But if, somehow, customer's credit card data gets leaked, then by definition, you were not PCI-DSS compliant.

"Modern development practices" involves: visualizing the worst case scenarios and assuming they exist, writing code to deal with those scenarios, having fresh expert eyes go through the code looking for mistakes, running black-box experiments, fixing unexpected results, logging those experiments, results, and remediations, then restarting from step 1 ad nauseam. Become familiar with the terms waterfall and agile in the context of software development.

A major component of PCI-DSS compliance involves paperwork, policy, and planning. Scenario: you get a call from a customer who complains their card data was hacked and they are blaming your store for the leak. What is your written policy on how to deal with that? What written plans have you put in place to conduct the necessary forensics? What written logs do/did you keep when having conducted the necessary forensics, and what did you actually do to resolve the complaint? What are your written backup policies and plans to recover from a physical theft of equipment and/or data files? What are your written upgrade policies and plans to assure you are/were aware of vulnerabilities of the equipment, software, and/or data files, and what written logs do/did you keep to show you are using the latest (or at least provable) secure versions?


BSmither,

The eWay gateway is one of those “you harvest the data then send it to us as a service call” jobbies.  That opens up a whole can’o’worms.  Add to this my custom developments, and I get a questionnaire that is about 500 questions long.

I was going to shut the direct CC interface down and let Paypal do it all, but after the mandatory cooling-off period, I’ve decided to do the manly thing and treat it as a hobby.

I think it would be useful to create a resource for small CC installations like mine that collects draft documents that attempt to meet the requirements by stating manageable policies.


A resource for small businesses? In the USA, one cannot go wrong with starting with the U.S. Small Business Administration. (Other countries may have something similar.)

Plenty of articles exist that give "white-paper" overviews of ecommerce resources.

Your merchant card provider may have a library. For example: https://usa.visa.com/support/merchant/library.html

