2CO meets PCI requirements so you don’t have to!
When considering the best way to sell your products over the internet, one of the most important aspects to look at is the security of customer data. Credit card companies require all merchants to follow extensive security guidelines, called the PCI DSS, which describe every aspect of how the customer’s information is handled. Meeting the requirements set forth in the PCI DSS can be an expensive and time-consuming endeavor. 2Checkout takes on the responsibilities of PCI DSS compliance for our suppliers, saving you time and money.
If you are a 2Checkout supplier, you are already enjoying the benefits of working with a PCI Compliant reseller. You don’t need to worry about complying with the strict security guidelines required in order to accept credit card transactions, because we do it for you!
What is PCI Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of computer security standards designed to reduce security breaches involving credit card data. It affects every department of a company and includes policies, procedures, anti-virus, firewalls, network architecture, data encryption, software design, auditing, reporting, vulnerability scanning, physical security, network monitoring and more.
PCI DSS was originally created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program. Merging these standards created the more comprehensive and cohesive standard that is now used by all major credit card companies.
Who is in charge of the PCI DSS?
On September 7, 2006 the PCI Security Standards Council was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with a mission to enhance payment account security by fostering broad adoption of the PCI Data Security Standard. You can find more information on them at pcisecuritystandards.org.
Who must comply with the PCI DSS?
All retailers, online merchants, data processors and other businesses that handle credit card data must comply with the PCI DSS. This includes hospitals, restaurants, insurance companies, software vendors, even government agencies. There are no federal laws mandating it, but Michigan now has a Plastic Card Security Act which incorporates part of the PCI DSS. Texas and California also have similar proposed bills.
When a company signs up as a payment card merchant, it is contractually obligated to comply with PCI DSS and can face fines of up to $500,000 per incident. Additionally, if a merchant is compromised, it will lose credibility, must pay for extensive forensics, will be charged higher fees and may be sued. It is far cheaper to invest in compliance than to risk the consequences of not complying.
What are the PCI DSS requirements?
Here is an overview. There are many checkpoints under each required section. You can download a PDF containing the full list of requirements at pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
How does a company become compliant?
First, a preliminary assessment is made to discover the areas that need improvement. This may include network design, firewalls, policies and procedures, encryption, and the hiring of additional personnel. A remediation plan is then composed detailing what needs to be done, how the goals will be met, and the timeline on that project. Finally, the company needs to actually carry out that plan.
A company handling a large number of transactions could easily spend millions of dollars to become compliant.
So why doesn’t the PCI DSS apply to 2Checkout suppliers?
Simply put, 2Checkout suppliers are not merchants and do not handle credit card data, so they do not need to comply with the PCI DSS. By allowing 2Checkout to resell your product, you avoid all the hassles of PCI DSS. 2Checkout has invested resources into additional security technologies, training personnel, audits, and other required steps so that you don’t have to!