Because of this popularity, many online merchants are more than happy to accept debit card transactions. Until recently, online debit cards were treated as Signature Debit transactions. The customer’s electronic signature is substituted for their physical signature. Thus allowing debit cards that have a Visa or Master Card logo to process much like credit cards.

The other form of debit card transaction is a Personal Identification Number (PIN) Debit. Here, a customer pays with their debit card and authorizes the purchase by entering their unique ID. Because the purchase must be authorized by the customer, requiring an interface to enter the PIN, this method of payment is less common on the Internet.

One of the benefits of PIN debit, is a reduction in fraud and disputed charges. Customers authorize their purchases with PINs, the risk to merchants of chargebacks is virtually nonexistent. 2Checkout, along with Acculynk, allows your customers to buy products using the safety of their PIN debit cards. Your customers get one more way to make purchases, while merchants get the ability to accept even more sales. Sales that are much less likely to be fraudulent.

“Compliance is not something that’s bought; it’s a process. It never ends, and it needs to stay in lock step with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It also may require investment in some software tools to mine through all the data that is generated by systems, networks and applications.”

One goal of this article series was to provide a reliable “bottom line” financial investment in becoming and maintaining PCI compliance. The more I learned about the industry that specializes in compliance the more difficult it was to find solid, or even estimated, pricing. What I found easliy matched the research that was released by Gartner and reported in the PCI DSS Compliance Blog.

“Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment.”

In doing this article series, I gained a better understanding for both our internal security procedures (electronic keyed entry, guests signed in, frequent password changes, etc.) as well as the job that Warner and his team does to make sure that every transaction that passes through our network is as secure as current technology allows. Warner was an amazing resource for this series. When I came to the point where the PCI regulations seems beyond comprehension, or a solution was difficult to find, they were able to clarify the instructions or give direction to products or services that would help. I likely would have given up the series at the 3rd article if I didn’t have access to a group that manages these details daily.

Even though I am finished with this series, and will not have to actually become PCI compliant personally, PCI compliance doesn’t actually ever end. If we were really starting a business with a traditional merchant account, we would just be getting started at this point. As the PCI DSS Compliance Blog perfectly states :

“PCI compliance is dynamic, requiring ongoing adaptation.  PCI compliance starts with a set of 12 basic requirements, it continues with vigilance and adaptation, and it ends with….well, it doesn’t end.”

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 6)
Clearing the Mystery of PCI Compliance (Part 7)

Requirement 12: Maintain a policy that addresses information security

This part of the standard lists more policies we have to implement and more procedural documentation to write. A complete list of specific policies and documentation we need is here. Given the scope of this requirement, I can give some general information about complying with this standard, but I cannot cover every portion of the requirements. Some examples of policies that require documentation are:

• Formal Risk Assessment and Risk Management Program
• Security Awareness Program
• Usage Policies for all end-user technologies and company resources
• Incident Response Plan

This standard, more than any other forces us to think about what we will do in the event of an attack on our network, or when our security is compromised either externally or internally. We need to know what to do in the event an attack is identified. How do we respond? Who is in charge of our response? What response capabilities do we have internally? Do we need to involve outside experts?

This also includes company directives such as the establishment of a security team, security education for all employees, and pre-employment screening. At this point in our small company of one, we still need to have these policies and procedeures in place and documented. As we grow we can spend more time revising them in the future(since we already have to review and update our policies regularly).

Reading the PCI DSS requirements, we see many areas calling for documentation for various systems and procedures relating to the use and storage of our customers’ information.  Among the requirements are the following:

• Data Retention and Disposal Policy
• Anti-Virus Policies and Procedures
• Password Management rules
• Firewall Policies and Procedures
• Change Management Guidelines

The documentation directly above will be useful in complying with this final PCI requirement, but they do not replace it. This is, in essence, the culmination of the previous eleven standards. Requirement 12 establishes how all of the above work together to create our over-arching security policy. In addition to formalizing established policies and their interaction, we need to establish daily, quarterly and annual audits of our users, our system updates, and a formal risk assessment. For example, checking our logs for potential employee security violations and purging users/employees who no longer require access.

In a few weeks I will recap what I learned during this exercise in meeting PCI DSS compliance. I will be extending this article series to provide more details on just how much time is involved in meeting the PCI standards. While there are significant hardware and software investments in meeting the requirements, time, I found, was my greatest investment.

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 6)

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

The reason we need to have individual logins mentioned in last week’s article is so that we can limit, monitor, and track access to network resources and cardholder data. In the event of a security breach, these records allow us to find whose account was used to compromise the data and mitigate the damage done to our customers. We need to audit all accesses to customer data, review audit logs each day, and be able to reconstruct events that touch cardholder information. We also need to be able to provide detailed audit trails for all administrative events. An attempt to change system configuration for malicious purposes will be captured and can be traced back to the user. A central logging solution along with the policies we developed previously will allow us to track internal access to our network and record actions that take place.

Auditing of network access attempts and tracking of access logs is a critical aspect of this requirement. Most operating systems have very basic utilities that monitor and record events. For the most part, the event browsing and filtering capabilities provided by these utilities are restricted and will not meet PCI standards. For instance, unauthorized access to a customer’s information will not, by default, alert anyone that the event has been logged, it will only be discovered later when someone does an audit. Because of these limitations, we will need to look for some companies to provide us with some assistance.

Thankfully, we can find a number of Security Information Management (SIM) products that maintain comprehensive log management. These tools can automate collecting data, issue needed alerts, and give very detailed reports. SIMs will will also help give us a baseline of normal network activity. We can use this information to establish rules to categorise events. When an event happens that falls outside of these rules a SIM can trigger an alert letting us know of potential security violations. Many security information management products also provide default rule sets that classify events according to PCI requirements.

Now we need to plan to test our network and security measures at least once each year. It is important to note that we cannot use actual customer data for these tests. While your computer may be safe now, new ways to compromise your computer and new vulnerabilities are constantly being developed or discovered. It is important to test your systems and your network to make sure your customers’ information is as safe as it can be. This is not the same as testing new applications as discussed previously.

When it comes to scanning our systems for vulnerabilities, we need to use the right tools and techniques to expose vulnerabilities in devices on both wired and wireless networks. There are a number of security risks linked to wireless devices, weak encryption methods, and the lack of employee security awareness. Therefore, we need to test everything that touches customer information – from how easily our network can be compromised to how we access the data. The Payment Card Industry requires that we have a “PCI approved” company perform an external scan of our system to determine our general safety.

It is important that our software and hardware gets regularly patched with the latest security updates. In addition to the regular patching process, our network and applications can be protected from security threats by the consistent use of vulnerability scanners that can see all of the applications and devices on the network, identify vulnerabilities, and supply information to resolve these vulnerabilities. However, scanning our network will not reveal every potential vulnerability. To be aware of our ability to detect and counter any unwanted access to our systems, we need to perform a penetration test that measures how well we can respond to and withstand an attack. This test exploits vulnerabilities so we can determine the actual risk to our specific system of any particular vulnerabilities. PCI requires an annual external penetration test. This test is in addition our regular scanning and audits of our security logs.

To comply with these particular PCI requirements, we will need to provide some financial investment in a Security Management System and a vulnerability scanner. We will also need to invest time finding a specialist to perform a penetration test correctly. Thankfully, we decided to  have our firewall and software applications automatically update with security fixes. This lets us be sure that what we are testing is the most up-to-date security for our particular system.

Costs:

Central Logging Solution – Starts $5,000
Security Information Management – I found many companies willing to offer quotes, but no baseline costs.
Quarterly external scan – As above, due to the complexity and variety of networks, pricing will be highly varied
Vulnerability Scanner – Roughly $1,200 per year
External penetration tests minimum $10,000 per year, likely much more than that

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 7)

1. Requirement 7: Restrict access to cardholder data by business need-to-know
2. Requirement 8: Assign a unique ID to each person with computer access
3. Requirement 9: Restrict physical access to cardholder data

Here we look over who has access to customer’s information and the computers that store this information. Like many people starting an Internet business, our business computer is also used for recreation. This can pose a problem if friends or family also use our computer. The safest measure is to have a dedicated system used for processing and storing cardholder information. Let’s look at using our existing computer and how we can make this compliant.

We need to investigate who needs access to customer information. In our example, I will be the only one who needs to access customer information, so it will be simple. In some cases we may have a business partner or, if we expand as I hope, an employee or two. These people will probably need some access to customer information, so we need to figure out who needs what data to perform their job. The person answering customer service questions may need to know our customer’s name and address, but do they need to know any part of the credit card number? What information will be needed for accounting or systems administration? This is the time to decide who has access to what information. We need to record these policies and keep written authorization for individual access to specific data.

While we have reason to be aware of external threats, we need to be just as secure internally. We need a system of access control that identifies which users have access to information, systems, resources, and which identifies the user who accessed or changed the information. This allows us to protect our customers’ data from internal security leaks. Employee theft and fraud are very real crimes and Internet businesses are certainly not immune.

In order to be able to track who is accessing our resources, we need to assign unique logins for everyone who will use our computer. Using the access control we implemented above, these logins will allow different access to stored data. In our case, I have full access while other logins have no access (until I get a partner or employee). We can’t have any group or general logins. My initial idea of having a “Me” login with full access and a “You” login with no access will not work. Strict compliance means that each person who uses the computer needs to have a distinct username and password.

Speaking of passwords, we need to change the passwords every three months, a password cannot be reused for a year, the password needs to be at least seven characters long, and needs to a combination of numbers and letters (special characters increase the security of a password). Our passwords also need encrypted and we need to limit the number of user login attempts. Let’s set this to 5 attempted logins. If a login is failed 5 times we need to lock the username for at least 30 minutes, or administrator reset.

Physical access to credit card information needs to also be restricted and monitored. We need to have cameras recording any area that hold sensitive data, like our office. These recording need to be kept for a minimum of 3 months. Physical access to the office will need to be restricted. In our situation, we can use a locked door and a key. Access to the key will need to closely monitored and logged. Physical documentation of card holder data needs to be secured. This is independent of other security, so a safe or locked file cabinet. When the information is not needed for business purposes, it must be destroyed. Paper shredders are probably the most common and safest method of destroying the documents, but burning and pulping the data is compliant. Electronic data will need to be purged from our systems as well.

As we work on this portion of PCI DSS compliance, I found that we are making a number of small purchases to meet the requirements. There are a number of companies that sell computer access control programs for a reasonable amount of money for one or two computers. The larger expenses are going to be a new key less lock for the office door, a closed circuit camera set, a file cabinet. I guess I’m off to the local office supply store.

Bottom Line for Step 5:

Cost:

• Key less locks $200-$350
• Locking file cabinets $200-$500
• Camera system with 3 month storage $300-$600
• Security software $50-$75 per computer renewed each year.

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 6)
Clearing the Mystery of PCI Compliance (Part 7)

First, we need to make sure that our computers, firewall, and any other devices we have are all updated with vendor-supplied security patches. We also need to make sure that we install any future updates within one month of release. In our example, we have agreed to a contract with our firewall  and anti-virus manufacturers for a years worth of free updates. Our web browser and operating systems will also provide us with security updates. So this is already covered. Good thing we think ahead! It is our responsibility to make sure we are aware of new security threats and take steps to counter them. It isn’t a good idea to rely on one source of information, one example of a free threat alert is from Bugtraq. Your anti-virus vendor should also provide you with updated threat reports. There are others, and I recommend checking at least two alerts every day.

Now, we need to make sure that our new updates, or any other new applications for that matter, will work on our network. Unless you are comfortable working on your network alone, you will need to hire a system admin for this. We need to have a completely separate environment to develop and test all security patches and system and software configuration changes before deployment. We need this separation because we cannot use or endanger our customers’ information. If a new piece of code for our shopping cart ends up being a security risk, it’s best to find that out before our customers use it. So, separate environments for all development, new programs, everything except processing the live sales.

After testing the updates, creating a back out plan and verification process (assuming they all work with no security risks) we are ready to move them over into the “live” environment. While you have your network admin available you will want to establish a variety of procedures for when you need to make changes using your new development environment. Essentially, you need documentation stating what is being developed/tested, who recommended the development, and what testing is being done to make sure it’s safe.

If we develop or use web software and applications we need to make sure they are based on secure coding guidelines such as the Open Web Application Security Project guidelines. We have to review custom application code to identify coding vulnerabilities for each new piece of code or application we use/update. This requirement also covers the prevention of common coding vulnerabilities in software development such as buffer overflows, improper error handling, insecure storage, and the dread denial of service. This is by no means a complete list of what we need to cover, but it gives a good place to start.

I have already established my limited knowledge regarding networking, so I looked for estimates on how long it will take for a network admin to complete this project. Unfortunately, different networks and needs make estimating this job particularly difficult. The minimum estimation I have is roughly 60 hours, but they can easily go as high as 300 – 500 hours.

Now that we have our network protected with AV software and a testing/development environment to make sure that everything is secure for our customers, we should be just about finished meeting the PCI standards. Well, we are half way through – the end is in sight.

Bottom Line for Steps 5 and 6:

Time:
Networking – 100 – 500 hours

Cost:
Business level Anti-Virus Software: $500-$700 (Includes one year’s worth of updates)
Network Admin $1,000 – $5,000 minimum. People who specialize in PCI Compliance often charge $250+ each hour of work.

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 6)
Clearing the Mystery of PCI Compliance (Part 7)

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

We have provided a secure network to collect and store our customer’s information. Now, we need to turn our attention to the data itself. To fulfill requirement 3, we need to come up with a policy detailing how we will store card holder data. This sounds easy enough, just make a few decisions and stick with them. However, this is actually a bit more complicated as the PCI-DSS FAQ explains. There are 20 different criteria to meet. While I suggest reading the linked FAQ some highlights are:

• 3.1 Keep cardholder data storage to a minimum.
• 3.2 Do not store sensitive authentication data after authorization (even if encrypted).
• 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
• 3.3 Mask PAN (Personal Account Number) when displayed (the first six and last four digits are the maximum number of digits to be displayed).

I have to admit, after reading what is involved with this portion of PCI compliance, I nearly gave up. This part of PCI compliance doesn’t really have a cost that can easily be measured in money. The cost is in time – hours and hours of time spent looking over what information is stored, where it is stored, how long it should be stored, what systems are used to backup that data, etc. it gets exhausting.

As you become familiar with the standard, you will need to figure out what data you must keep on hand and how long would be a reasonable amount of time to keep that data. The longer you keep the data, the more risky and potentially costly it becomes in the unfortunate event the data becomes compromised. Generally, to comply with requirement 3, you need to understand that all information you collect from your customers must be protected. This means that you can only store a limited amount of the data, and the data you do store must be encrypted (see below).  A simple overview of the requirements for card data storage encryption can be found here.

Requirement 4 is a little more straightforward. While most people recognize the need to encrypt sensitive information during transmission over networks that are easily accessed by malicious individuals, few recognize the importance of encrypting information sent between back-end systems. This also means that stored information needs to also be encrypted.

Encryption is the most effective way to achieve data security by translating data into a secret code. Essentially, both stored and transmitted data must be made unreadable. The most common method used by credit card processors to protect high speed transactions is a network security protocol called Secure Socket Layer(SSL).

To get an SSL certificate you will first need to choose a certificate that matches your specific needs. Then you need to generate a Certificate Signing Request (CSR) for the site. For example, I found a site selling a certificate for a single domain for $600.00/year. This is on the low end for SSL pricing considering that it comes with a warranty, re-issuance, and provides features I like (priority phone support and regular security audits). I should also note this is a 2Checkout supplier.

If someone were to access our network from the previous article, we want to have protections in place that both limit their access to our customer’s information and makes any information they may access unreadable. Complying with the second set of requirements provides another layer of security for our customers.

Bottom Line for Step 2

Time:
Hours and hours – Literally HOURS and HOURS

Cost:
SSL Certificate: $250-$700+/ year

Further Reading:

Clearing the Mystery of PCI Compliance (Part 1)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 6)
Clearing the Mystery of PCI Compliance (Part 7)

“PCI DSS (Payment Card Industry Data Security Standard) is a security standard that applies to companies handling credit card numbers. The PCI level of enforcement differs based on the volume of transactions that a company handles.”

My purpose with this series is to provide the details involved in each requirement. I want to look at this from the point of view of a very small home-based business with a website selling tangible products.

The first requirement for PCI DSS is to have a secure environment to hold credit card data:

1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security parameters

First, we need to make our connection to the Internet as safe and secure as we can. This involves using a form of protection. The most common example of this is a firewall. A router is probably the most common device used. This will protect a network from unauthorized connections as well as keep a log of network activity.

A basic home use router can cost roughly $50-100+. However, as we will see in future articles in this series, these routers will not be able to provide the level of protection required to collect customer information. Based on my research, the cost of a compliant router starts at about $200 and can run into the thousands of dollars. There are significant differences between routers, and some of the more costly routers come with additional security packages from the manufacturer that includes network/technical support. Researching what router is going to work for your business is important. The firewall you choose will depend on a number of factors that only you can determine. It is important to note that laptops require a separate security device when used away from the home, and Internet cafe’s will not have nearly the security required for PCI DSS compliance.

Along with the router, we will need to have it connected to the network. Networking is a highly specialized, highly technical field. When was the last time you could remember terms like “internal IP address,” “network diagram,” and “network segmentation”  used in casual conversation? Since this is something that is critical to the ability to process credit cards, we want to be sure that the router (and the rest of the network) is as secure as it can be. This means we will have to pay someone who can create and manage the network. Thankfully, there are a number of people who are willing to do so. Alternately, at an additional cost, most router manufacturers will provide support and security update services. The cost for an independent networking freelancer will vary greatly from area to area (In my case, I would need to make sure I had $800-$1,000 to cover this expense).

Once we have the network all set up we will have to reset the username and password of the firewall. During the initial setup and testing, the device will have a preset password and username. This allows for easy troubleshooting for the manufacturer’s technical support. Since all of the devices by one manufacturer will have the same defaults, it is very important that this is changed before credit cards are accepted.

Bottom Line for Step 1:

Time:

• Research on the best firewall for your individual needs.
• Research on availability of either manufacturer-provided or independent networking assistance

Costs:

• Router: $200 – $3000 for the router. ($500-$800 is the average for the device alone)
• Support: Additional security features/support (varies from company to company, $200 seems average)
• Networking: Free if you already know how to do this.
• $100 – $149 basic charge with $100/hour fee for additional support  (Varies from place to place, but $100 looks to be the low end of average) assuming a full day’s work minimum.

We have just bought a router, hired someone to make sure our network is secure and spent roughly $1,000-$2,000. Now we have 10 more standards to meet before we are PCI compliant. Over the next few weeks we will explore topics ranging from data encryption to network monitoring, as well as realistically detail the costs associated with meeting all twelve PCI standards.

Further Reading:

Clearing the Mystery of PCI Compliance (Part 2)
Clearing the Mystery of PCI Compliance (Part 3)
Clearing the Mystery of PCI Compliance (Part 4)
Clearing the Mystery of PCI Compliance (Part 5)
Clearing the Mystery of PCI Compliance (Part 6)
Clearing the Mystery of PCI Compliance (Part 7)

Instructions on how you can manage usernames can be found here.

It is true that if a vendor defines an approved URL that allows access to the downloadable product/service they are selling, and the vendor takes no further security precautions, someone could download the product/service by including the ‘demo=Y’ parameter.

The ability to control the demo parameter is available from inside the 2Checkout system. You can choose from the following 3 options inside of your 2Checkout account to control the use of the Demo parameter. Those choices are:

• On: Using this setting all sales will be treated as demo, regardless of any parameter value.
• Off: Using this setting all sales will be treated as live, regardless of any parameter value.
• Parameter: Using this setting a demo parameter sent to the purchase routine will control the demo setting.

To access the Demo setting in your account you will need to log in to your account and then click the Account tab. On the Account page click the Site Management sub-tab. After you have selected the Demo setting that best fit’s your current need and then click the blue Save Changes button at the bottom of the page.

It is not recommended to provide a downloadable product/service to a customer immediately after a sale completes by means of a return to the Approved URL. It is recommended to allow the fraud review process to complete before providing your customer with the product/service.

We realize that some vendors may not wish to wait for the fraud review process to complete before providing their customer with a downloadable product/service. For such vendors, the MD5 hash is provided to help verify the authenticity of a sale. We intentionally break the hash code that is passed back if the ‘demo=Y’ parameter is used. You can compare the value of the hash we pass back with the value of what the hash should be (this needs to be calculated on your end). This will allow you to determine whether or not to provide the customer with the downloadable product/service. It should be noted that when using this method to provide a downloadable product/service immediately, you do run the risk of having your product/service stolen by someone placing a fraudulent order with a stolen credit card.

For full details on using the MD5 hash please refer to the article How do I use the MD5 Hash?

If you choose to provide a downloadable product/service immediately after a sale using the Approved URL, and do not check the MD5 key which is passed to the Approved URL to verify the validity of the sale before providing a customer with a product, then you are accepting the risk that your product may be taken without being paid for by someone who includes the ‘demo=Y’ parameter.