October 23, 2009

Clearing the Mystery of PCI Compliance (Part 1)

Posted by 2Checkout | Category: Technology

This is the first in a twelve-part series detailing what is involved in PCI compliance. Earlier, Warner gave a very good overview of PCI DSS compliance:

“PCI DSS (Payment Card Industry Data Security Standard) is a security standard that applies to companies handling credit card numbers. The PCI level of enforcement differs based on the volume of transactions that a company handles.”

My purpose with this series is to provide the details involved in each requirement. I want to look at this from the point of view of a very small home-based business with a website selling tangible products. The first goal of PCI DSS is to build and maintain a secure network for the systems that hold or handle cardholder data, and it covers two requirements:

1) Install and maintain a firewall configuration to protect cardholder data

2) Do not use vendor-supplied defaults for system passwords and other security parameters

First, we need to make our connection to the Internet as safe and secure as we can. In practice that means a firewall. For a home-based business the firewall is usually built into the router that connects the network to the ISP. Configured properly, it blocks unsolicited inbound connections to the network and keeps a log of network activity, which is what Requirement 1 is asking for.

A basic home-use router costs roughly $50-100+. However, as we will see in later articles in this series, these routers cannot provide the level of protection (or the logging and rule control) required to collect customer information. Based on my research, the cost of a compliant router starts at about $200 and can run into the thousands of dollars. There are significant differences between routers, and some of the more costly ones come with additional security packages from the manufacturer that include network/technical support. Researching which router will work for your business is important; the firewall you choose will depend on a number of factors that only you can determine. It is important to note that a laptop used away from home is outside the protection of that router and needs its own protection, and the connection at an Internet café will not come anywhere near the security required for PCI DSS compliance.

Along with the router, we will need to connect it to the network correctly. Networking is a highly specialized, highly technical field. When was the last time you heard terms like "internal IP address," "network diagram," and "network segmentation" used in casual conversation? Yet these are exactly what PCI DSS asks for: a current diagram of the network, and the systems that handle card data kept on their own segment with the firewall controlling what can reach them. Since this is critical to the ability to process credit cards, we want to be sure that the router (and the rest of the network) is as secure as it can be. This means we will have to pay someone who can create and manage the network. Thankfully, there are a number of people who are willing to do so. Alternatively, at an additional cost, most router manufacturers will provide support and security update services. The cost for an independent networking freelancer will vary greatly from area to area (in my case, I would need to make sure I had $800-$1,000 to cover this expense).

Once the network is set up we will have to change the username and password of the firewall. During the initial setup and testing, the device has a preset username and password, which allows for easy troubleshooting by the manufacturer's technical support. Since every device from one manufacturer ships with the same defaults, and those defaults are printed in the manual for anyone to read, it is very important that they are changed before the device is exposed to the Internet, and certainly before credit cards are accepted. Requirement 2 covers more than the admin login: the wireless passphrase, any remote-management account, SNMP community strings and similar vendor defaults all need to be changed or disabled as well.
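To make Requirement 1 concrete, here is an added example (not part of the original article, and not a tool from 2Checkout) that audits a Linux firewall ruleset in `iptables-save` format for the points raised above: deny-by-default policies, inbound access to the cardholder segment limited to approved ports, no blanket allows into that segment, and a LOG rule so that blocked traffic leaves a record. The two rulesets, the segment address 10.10.20.0/24 and the approved-port list are all constructed for the example.

```python
"""Audit an iptables-save ruleset against the basics of PCI DSS Requirement 1.

Both rulesets below are constructed samples for this example; they are not
taken from any real device or from the article.
"""
import re
import shlex

# Assumptions for this example: cardholder systems sit on 10.10.20.0/24 and
# only HTTPS (443) may reach them from other segments.
CARDHOLDER_SEGMENT = "10.10.20.0/24"
ALLOWED_INBOUND_PORTS = {"443"}

# Constructed "as shipped" ruleset with several weaknesses.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.10.10.0/24 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -p tcp --dport 23 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -j ACCEPT
COMMIT
"""

# Constructed corrected ruleset: deny by default, 443 only, dropped traffic logged.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.10.10.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A FORWARD -j LOG --log-prefix "FW-DROP: "
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)")


def parse_rule(line):
    """Pull the fields the audit needs out of one '-A ...' line."""
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "dport": None, "target": None, "iface": None, "state": None}
    flags = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto",
             "--dport": "dport", "-j": "target", "-i": "iface", "--state": "state"}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        key = flags.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1  # skip match extensions, log prefixes and other options
    return rule


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def audit_ruleset(text):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(("POLICY", f"{chain} default policy is {policies.get(chain)}; should be DROP"))
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["dst"] == CARDHOLDER_SEGMENT:
            if r["dport"] is None:
                findings.append(("BLANKET-ALLOW", f"all traffic permitted into {CARDHOLDER_SEGMENT} via {r['chain']}"))
            elif r["dport"] not in ALLOWED_INBOUND_PORTS:
                findings.append(("PORT", f"port {r['dport']} permitted into {CARDHOLDER_SEGMENT} is not on the approved list"))
        if (r["chain"] == "INPUT" and r["src"] is None and r["iface"] is None
                and r["state"] is None and r["dport"] is None):
            findings.append(("OPEN-INPUT", "INPUT rule accepts from anywhere with no port or source restriction"))
    if not any(r["target"] == "LOG" and r["chain"] in ("INPUT", "FORWARD") for r in rules):
        findings.append(("NO-LOG", "no LOG rule in INPUT/FORWARD; dropped traffic leaves no record"))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name} ruleset ==")
        for code, msg in audit_ruleset(ruleset) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

On a real box the input would come from `iptables-save`, and the LOG rules belong at the end of each chain so that only traffic about to fall through to the DROP policy is recorded. The weak ruleset is flagged on four points (FORWARD accepts by default, telnet and a blanket allow into the cardholder segment, no logging); the hardened one produces no findings.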

Bottom Line for Step 1

Time:

  • Research on the best firewall for your individual needs.
  • Research on the availability of either manufacturer-provided or independent networking assistance.

Cost:

  • Router: $200 – $3,000 for the device ($500 – $800 is the average for the device alone).
  • Support: additional security features/support (varies from company to company; $200 seems average).
  • Networking: free if you already know how to do this; otherwise a $100 – $149 basic charge plus $100/hour for additional support (varies from place to place, but $100 looks to be the low end of average), assuming a full day's work minimum.

We have just bought a router, hired someone to make sure our network is secure, and spent roughly $1,000-$2,000. Now we have ten more requirements to meet before we are PCI compliant. Over the next few weeks we will explore topics ranging from data encryption to network monitoring, and realistically detail the costs associated with meeting all twelve PCI requirements.