Now, we need to Maintain a Vulnerability Management Program. This comes in two parts. First, we need to use and regularly update anti-virus software. Then, we have to develop and maintain secure systems and applications. I know what anti-virus software is, so let’s start there.

Before we look into AV software, I want to give one bit of basic Internet advice. If you don’t know/trust a person or site – don’t download ANYTHING they send you if you don’t have AV protection. The most common method of catching a computer virus is still from opened email attachments. Most people have some anti-virus (AV) protection for their computers, but to be PCI compliant, we need to look into software that will protect every computer and device connected to the Internet through our network.

There are a number of companies that make anti-virus software, compile virus databases, and offer frequent updates. Most of these companies have PCI compliant versions of their software. The standard single-PC software will cost $50 – $75 for a year’s worth of automatic updates. Unfortunately, this level of protection, while typically excellent for home users, will not meet PCI compliance. Part of the reason for this is that PCI compliance requires that your AV software be able to monitor and generate reports detailing what viruses it has caught/contained. We need to look at the more robust offerings for business networks. The range of prices in this field is vast from $350 – nearly $3,000 yearly. The top end software is really more of an anti-virus “system” that protects mainframes and large networks, so we can breathe a sigh of relief and look a little lower on the price points. For covering a network with a few devices for one year, including unlimited updates, and support, the average cost settles in at about $500-$700.

The next standard, “Develop and Maintain Secure Systems and Applications”, requires a little more than picking anti-virus software that will meet your needs. Looking at the requirements to meet this standard, it becomes obvious that we either need to know our way around a network, or we need to get our networking expert back to test our network after each update, make sure that we have a separate part of the network used only for testing applications, and system monitors that watch our network. Because of the scope of this requirement, the next article will be devoted to addressing the various aspects of maintaining the security of our systems and applications.

“PCI DSS (Payment Card Industry Data Security Standard) is a security standard that applies to companies handling credit card numbers. The PCI level of enforcement differs based on the volume of transactions that a company handles.”

My purpose with this series is to provide the details involved in each requirement. I want to look at this from the point of view of a very small home-based business with a website selling tangible products.

The first requirement for PCI DSS is to have a secure environment to hold credit card data:

1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security parameters

First, we need to make our connection to the Internet as safe and secure as we can. This involves using a form of protection. The most common example of this is a firewall. A router is probably the most common device used. This will protect a network from unauthorized connections as well as keep a log of network activity.

A basic home use router can cost roughly $50-100+. However, as we will see in future articles in this series, these routers will not be able to provide the level of protection required to collect customer information. Based on my research, the cost of a compliant router starts at about $200 and can run into the thousands of dollars. There are significant differences between routers, and some of the more costly routers come with additional security packages from the manufacturer that includes network/technical support. Researching what router is going to work for your business is important. The firewall you choose will depend on a number of factors that only you can determine. It is important to note that laptops require a separate security device when used away from the home, and Internet cafe’s will not have nearly the security required for PCI DSS compliance.

Along with the router, we will need to have it connected to the network. Networking is a highly specialized, highly technical field. When was the last time you could remember terms like “internal IP address,” “network diagram,” and “network segmentation”  used in casual conversation? Since this is something that is critical to the ability to process credit cards, we want to be sure that the router (and the rest of the network) is as secure as it can be. This means we will have to pay someone who can create and manage the network. Thankfully, there are a number of people who are willing to do so. Alternately, at an additional cost, most router manufacturers will provide support and security update services. The cost for an independent networking freelancer will vary greatly from area to area (In my case, I would need to make sure I had $800-$1,000 to cover this expense).

Once we have the network all set up we will have to reset the username and password of the firewall. During the initial setup and testing, the device will have a preset password and username. This allows for easy troubleshooting for the manufacturer’s technical support. Since all of the devices by one manufacturer will have the same defaults, it is very important that this is changed before credit cards are accepted.

Bottom Line for Step 1:

Time:

• Research on the best firewall for your individual needs.
• Research on availability of either manufacturer-provided or independent networking assistance

Costs:

• Router: $200 – $3000 for the router. ($500-$800 is the average for the device alone)
• Support: Additional security features/support (varies from company to company, $200 seems average)
• Networking: Free if you already know how to do this.
• $1,000 – $149 basic charge with $100/hour fee for additional support  (Varies from place to place, but $100 looks to be the low end of average) assuming a full day’s work minimum.

We have just bought a router, hired someone to make sure our network is secure and spent roughly $1,000-$2,000. Now we have 10 more standards to meet before we are PCI compliant. Over the next few weeks we will explore topics ranging from data encryption to network monitoring, as well as realistically detail the costs associated with meeting all twelve PCI standards.

To meet credit card association rules, the phrase “2Checkout.com is an authorized retailer for (your business name.)” must be included and logos must be displayed in a manner that accurately represents our relationship.

Please see the Can I have Credit Card logos on my Site or Cart? Knowledge Base article for more approved graphics.

We apologize for any concern or inconvenience that this may have caused you.

2CHECKOUT.COM*XXXXXXX 877-294-0273 (The XXXXXXX is the vendors soft descriptor.)

If a customer selects to pay by PayPal, and uses a Credit Card as the funding source the transaction, their statement will show the following:

PayPal*2CHECKOUTCO 877-294-0273

If you have any questions about a transaction you have found on your statement please contact 2Checkout directly so we can assist you.

When considering the best way to sell your products over the internet, one of the most important aspects to look at is the security of customer data. Credit card companies require all merchants to follow extensive security guidelines, called the PCI DSS, which describe every aspect of how the customer’s information is handled. Meeting the requirements set forth in the PCI DSS can be an expensive and time consuming endeavor. 2Checkout takes on the responsibilities of PCI DSS compliance for our suppliers, saving you time and money.

If you are a 2Checkout supplier, you are already enjoying the benefits of working with a PCI Compliant reseller. You don’t need to worry about complying with the strict security guidelines required in order to accept credit card transactions, because we do it for you!

What is PCI Data Security Standard?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of computer security standards designed to reduce security breaches involving credit card data. It effects every department of a company and includes policies, procedures, anti-virus, firewalls, network architecture, data encryption, software design, auditing, reporting, vulnerability scanning, physical security, network monitoring and more.

PCI DSS was originally created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program. Merging these standards created the more comprehensive and cohesive standard that is now used by all major credit card companies.

Who is in charge of the PCI DSS?

On September 7, 2006 the PCI Security Standards Council was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with a mission to enhance payment account security by fostering broad adoption of the PCI Data Security Standard. You can find more information on them at pcisecuritystandards.org.

Who must comply with the PCI DSS?

All retailers, online merchants, data processors and other businesses that handle credit card data must comply with the PCI DSS. This includes hospitals, restaurants, insurance companies, software vendors, even government agencies. There are no federal laws mandating it, but Michigan now has a Plastic Card Security Act which incorporates part of the PCI DSS. Texas and California also have similar proposed bills.

When a company signs up as a payment card merchant, they are contractually obligated to comply with PCI DSS and can faces fines of up to $500,000 USD per incident. Additionally, if a merchant is compromised, they will lose credibility and must pay for extensive forensics, will be charged higher fees and may be sued. It is far cheaper to invest in compliance than to risk the consequences of not complying.

What are the PCI DSS requirements?

Here is an overview. There are many checkpoints under each required section. You can download a PDF containing the full list of requirements at pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.

Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain an Information Security Policy
• Maintain a policy that addresses information security

How does a company become compliant?

First, a preliminary assessment is made to discover the areas that need improvement. This may include network design, firewalls, policies and procedures, encryption, and the hiring of additional personnel. A remediation plan is then composed detailing what needs to be done, how the goals will be met, and the timeline on that project. Finally, the company needs to actually carry out that plan.

A company handling a large number of transactions could easily spend millions of dollars to become compliant.

So why doesn’t the PCI DSS apply to 2Checkout suppliers?

Simply put, because 2Checkout suppliers are not merchants and they do not handle credit card data, suppliers do not need to comply with the PCI DSS. By allowing 2Checkout to resell your product, you avoid all hassles with PCI DSS. 2Checkout has invested resources into additional security technologies, training personnel, audits, and other required steps so that you don’t have to!

Related Article: Extended Retail Solutions: Security Made Simple

Many 3rd party cart systems are configured by default to prompt buyers for their credit card information, before they are directed to 2Checkout.com. Because of this, some new suppliers/vendors may violate this important regulation without their knowledge. Due to the seriousness of this issue, this can often lead to the immediate disabling of sales ability on an account, until credict card information is no longer collected.

If your 3rd party cart is accepting credit cards and you need assistance removing this input you will want to contact that 3rd party cart’s support team. One of the most popular online cart systems is osCommerce. By default, this cart will ask for credit card information. If you wish to use osCommerce with your 2Checkout.com account, you will need to download and install the “pm2checkout” module that was created for OSC. More information about setting up osCommerce to work with your 2CO account can be found in the Knowledge Base article How can we set up the osCommerce Shopping Cart?

Credit card association rules state that only a merchant account holder may display credit card logos on their websites. 2CO does not provide you with a merchant account. You can continue to display these logos, as long as immediately above, beside, or below the logos, there is a clear statement that 2CO is your authorized retailer.

Alternatively, you can display the logos shown here. Right click on the image of your choice below and choose “Save Picture as…” to save as a file on your computer.

Please also see 2CO Certified for “2CO Certified Seller” buttons.

Suppliers have the option to set up a 9 character descriptor that will appear on the CC statement of your buyers. It will follow the 2CO descriptor, and also list our toll free number to call for assistance.

To set up this function:

1. Login to the Suppliers’ Admin Area;
2. Select on “2. Additional Site Information”;
3. Make the desired changes to the soft descriptor;
4. Click save.

Please note that some financial institutions may not display the soft descriptor to the customer on their credit card statement.

You may also want to clear the cookies in your browser and also ensure that your pop up blocker is turned off while you are placing your order. Click here for information on clearing cookies and disabling pop up blockers.

If the problem continues, please contact your credit card company for additional information.