Clearing the Mystery of PCI Compliance (Part 2)

Last week I wrote an article detailing how to comply with the first two PCI DSS requirements. In this article, I will show what is involved in complying with the two requirements under the “Protect Cardholder Data” goal:

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

We have provided a secure network on which to collect and store our customers’ information. Now we need to turn our attention to the data itself. To fulfill Requirement 3, we need a written policy detailing how we will store cardholder data. This sounds easy enough: just make a few decisions and stick with them. However, it is more complicated than that, as the PCI DSS FAQ explains. There are 20 different criteria to meet. I suggest reading the linked FAQ, but some highlights are:

  • 3.1 Keep cardholder data storage to a minimum.
  • 3.2 Do not store sensitive authentication data after authorization (even if encrypted).
  • 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
  • 3.3 Mask the PAN (Primary Account Number) when displayed (the first six and last four digits are the maximum that may be shown).
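As an added example (not code from the original article or from 2Checkout), the following Python shows the two mechanical pieces behind 3.1 and 3.3: a masking function that never reveals more than the first six and last four digits of a PAN, and a scrubber that finds Luhn-valid 13 to 19 digit runs that have leaked into free text such as application logs (one of the most common ways cardholder data ends up stored where it should not be) and masks them before the line is written. The log lines are constructed sample input, not real transactions; the test PAN 4111 1111 1111 1111 is a well-known dummy number.

```python
"""PCI DSS 3.3-style PAN masking plus a scrubber for PANs leaked into free text.
Added example; the sample log lines below are constructed, not real card data."""
import re

# A PAN is 13 to 19 digits, possibly written with spaces or dashes between groups.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check. Every real PAN passes it, which filters out order ids,
    timestamps and other long numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then cast out 9s
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 0, keep_suffix: int = 4, fill: str = "*") -> str:
    """Return the PAN with all digits masked except at most the first six and last four.

    The default shows only the last four, the usual choice for receipts and
    customer-facing screens; keep_prefix=6 gives the BIN-plus-last-four form
    that Requirement 3.3 sets as the upper bound. Anything beyond that is refused.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    if not (0 <= keep_prefix <= 6 and 0 <= keep_suffix <= 4):
        raise ValueError("PCI DSS 3.3 permits at most the first six and last four digits")
    hidden = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + fill * hidden + digits[len(digits) - keep_suffix:]


def scrub_pans(text: str) -> str:
    """Mask every Luhn-valid 13 to 19 digit run in free text; leave other numbers alone."""
    def _replace(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(_replace, text)


# Constructed sample log lines: one leaks a dummy PAN with spaces between groups,
# one carries a 13-digit order id (not Luhn-valid) that must survive untouched.
SAMPLE_LOG = [
    "2009-09-21 12:00:01 checkout user=alice pan=4111 1111 1111 1111 amount=19.99",
    "2009-09-21 12:00:02 checkout user=bob order=1234567890123 status=ok",
]

if __name__ == "__main__":
    print(mask_pan("4111111111111111"))                 # ************1111
    print(mask_pan("4111-1111-1111-1111", keep_prefix=6))  # 411111******1111
    for line in SAMPLE_LOG:
        print(scrub_pans(line))
```

Wire `scrub_pans` in as a logging filter (or run it over existing log archives) and the masked line is what reaches disk, so the retained logs hold no full PAN to begin with; the Luhn check keeps the scrubber from mangling order numbers and timestamps, which matters because a scrubber that rewrites too much tends to get switched off.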

Continue reading…

Small eCommerce Sites Facing Fines if Compromised

PCI DSS (Payment Card Industry Data Security Standard) is a security standard that applies to any company that handles credit card numbers. The level of compliance validation required differs based on the volume of transactions a merchant handles. The lowest level is Level 4, which applies to eCommerce sites processing fewer than 20,000 transactions annually. The highest and most stringent is Level 1, which applies to merchants processing over 6 million transactions a year. Ultimately, the goal is to increase security for all Web sites accepting payment by credit card. 2Checkout completes an annual audit for PCI compliance, which we take pride in maintaining consistently.

Level 4 merchants are typically required to complete an annual self-assessment questionnaire, which contains approximately 220 questions. Quarterly external vulnerability scans are also a common requirement. The exact requirements are set by the merchant’s acquiring bank.

Smaller eCommerce sites whose customers’ credit cards are compromised can be fined between $20 and $30 per stolen card, up to $500,000. Additionally, depending on the size of the breach, the site could be required to hire an external forensic investigator. The cost of such an external audit typically begins around $10,000.

A report published recently by ECommerce-Guide.com identifies increased scrutiny that PCI Level 4 eCommerce sites are being subjected to.

The cost of becoming PCI compliant can be substantial, especially if your Web site was not initially designed with security as a focus. The requirements cover all aspects of the business: the technology used and how it is implemented, as well as business processes and workflow.

Becoming a 2Checkout supplier can quickly enable PCI compliance for your eCommerce site, while keeping the cost of doing business lower in the long term. A 2Checkout supplier is not required to complete any PCI compliance forms, and no changes to your servers or business processes are required. This is one of the many areas where 2Checkout provides more value to you, our customers and suppliers.

Article was updated on 9/21/2009 clarifying requirements for “PCI Questionnaire A.”

Article was updated on 11/9/2009 to eliminate possible ambiguity in supplier obligations.

What type of compliance disclaimer must I put on my site?

It is important to the credit card associations that the relationship between vendors and 2CO is not misrepresented. Vendors should represent 2CO as an authorized retailer or outsourced vendor solution, not as a “credit card processor,” a “third party processor,” or a “payment gateway.” Vendors have artistic license to incorporate this depiction into the context of their site, provided they do not misrepresent the relationship.

Terminology for buttons or links to 2CO that is acceptable:

“Add to Cart”
“Buy Now”
“Buy from 2CO”
“Continue ->”

Terminology for buttons or Links to 2CO that is NOT acceptable:

“Click Here to Pay”
“Process Payment Now”

Language that should be contained on your site (preferably as early in the shopping process as possible):

2Checkout.com, Inc. is an authorized retailer of <Supplier>
2Checkout.com, Inc. is an authorized retailer of goods and services provided by <Supplier>

Language that should NOT be contained on your site includes anything describing 2CO as a:

“Credit Card Processor”
“Third Party Processor”
“Payment Gateway”

It is important to note that failure to comply with 2CO or credit card association requirements can jeopardize your relationship with and ability to use 2CO.

Suppliers may click the following link for additional information and to check whether the requirements contained here have been updated: https://www.2checkout.com/language_guidelines.html
