Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Feb 07, 2010

An Introduction to PCI DSS for Merchants

Posted by Dave in WorldNet TPS , realex payments , PCI DSS

PCI DSS is a security standard that applies to anyone who stores, processes or transmits cardholder data. This includes Payment Service Providers and merchants. I know most of the readers of this blog fall into the latter category. Merchants can approach PCI DSS in a number of different ways, such as using in-house expertise, outsourcing PCI compliance to an external party (more of a checkbox approach in my opinion) or using a PCI DSS solution from a third party.

If you are a small merchant you may not be able to afford any of these options but you still need to be compliant. In that case the best option is to limit the risk and thus reduce the scope for PCI DSS. To begin with you should not store cardholder information under any circumstances. If the storage of cardholder information is a requirement for your business then we recommend you find a Payment Service Provider who can do this for you. The RealEFT service from Realex Payments and the SecureCard service from WorldNet TPS are two services that are designed specifically to meet this requirement.
If you want to reduce your risk even further then you can use a hosted payment page integration option. The customer enters their card details on the secure hosted payment page provided by your payment service provider, so the sensitive cardholder information never comes in contact with your website or server. For more information on PCI DSS you can read our PCI DSS Guide, look at the PCI Council's website or ask a question on our PCI DSS forum.
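The advice above is to keep cardholder data away from your own systems entirely. A practical way to confirm that nothing has slipped through (for example a PAN logged by a debug statement or written into an order export) is to scan those files for anything that looks like a card number. The following is an added example written for this page; it is not code from the blog author, Realex Payments or WorldNet TPS. It assumes a PAN is a run of 13 to 19 digits, optionally grouped with spaces or dashes, that passes the Luhn check, and the log lines it scans are constructed for the example.

```python
"""Scan log lines for card numbers (PANs) and mask any that are found (added example)."""
import re
from typing import List, Optional, Tuple

# A run of digits optionally separated by single spaces or dashes, e.g.
# "4111 1111 1111 1111", "4111-1111-1111-1111" or "4111111111111111".
DIGIT_RUN = re.compile(r"(?<![\d-])\d(?:[ -]?\d)+(?![\d-])")
MIN_PAN, MAX_PAN = 13, 19  # assumption: PAN lengths used by the major card brands


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan(run: str) -> Optional[Tuple[str, int, int]]:
    """Longest Luhn-valid 13..19 digit window inside a digit run.

    Returns (pan_digits, start, end) where start/end index into the
    original run (separators included), or None if no window validates.
    """
    positions = [i for i, ch in enumerate(run) if ch.isdigit()]
    digits = "".join(run[i] for i in positions)
    for length in range(min(MAX_PAN, len(digits)), MIN_PAN - 1, -1):
        for start in range(0, len(digits) - length + 1):
            window = digits[start:start + length]
            if luhn_valid(window):
                return window, positions[start], positions[start + length - 1] + 1
    return None


def find_pans(text: str) -> List[str]:
    """Return every PAN (digits only) detected in a line of text."""
    pans = []
    for m in DIGIT_RUN.finditer(text):
        hit = find_pan(m.group(0))
        if hit:
            pans.append(hit[0])
    return pans


def mask_pans(text: str) -> str:
    """Replace all but the last four digits of each detected PAN with '*', keeping separators."""
    def repl(m: "re.Match[str]") -> str:
        run = m.group(0)
        hit = find_pan(run)
        if not hit:
            return run
        pan, start, end = hit
        keep_from = len(pan) - 4
        out, seen = [], 0
        for ch in run[start:end]:
            if ch.isdigit():
                out.append(ch if seen >= keep_from else "*")
                seen += 1
            else:
                out.append(ch)
        return run[:start] + "".join(out) + run[end:]
    return DIGIT_RUN.sub(repl, text)


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line_number, pan_count, masked_line) for every line holding a PAN."""
    report = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report.append((n, len(pans), mask_pans(line)))
    return report


# Constructed sample log lines; the card numbers are public test numbers, not real cards.
LOG_LINES = [
    "card=4111 1111 1111 1111 exp=12/11",
    "order=20100207123456 amount=19.99",
    "pan=5500-0000-0000-0004 cvv=123",
    "user=alice ip=10.0.0.12",
]

if __name__ == "__main__":
    for line_no, count, masked in scan_log(LOG_LINES):
        print(f"line {line_no}: {count} PAN(s) -> {masked}")
```

The Luhn check alone is not proof of a card number, so treat hits as leads to investigate rather than definitive findings, and note that a long numeric identifier can occasionally validate by chance. The masking here is for triage output; the lasting fix is to stop the data reaching the log or database in the first place, which is exactly what the hosted payment page and tokenisation services described above achieve.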

Dave


Oct 26, 2009

Who cares about PCI DSS?

Posted by Dave in survey findings , security , PCI DSS , heartland , Application Security

The PCI DSS is a set of minimum requirements that are designed to reduce the likelihood of a data breach occurring. The emphasis is on 'minimum set of requirements' and 'reduce the likelihood'. In order to prevent attacks from sophisticated attackers a much higher standard of security is needed. In our recent blog post on the Heartland court filing documents we gained an insight into how PCI compliance was viewed by Heartland. Since publishing that post two reports have emerged that give further insight into how PCI DSS is viewed by the wider community.

Imperva, specialists in data security, and the Ponemon Institute carried out a survey across more than 500 U.S. and multinational IT organisations. I will not go into detail on the survey findings as you can read a detailed analysis of them at darkreading.com or iTWire. Importantly, the survey findings reveal that roughly 30 percent of organisations take PCI security seriously and the others see it as a checkbox. Had this survey taken place prior to the Heartland data breach then I suspect Heartland would have been included in the 70% of organisations that viewed PCI DSS as a checkbox routine.


The Web Application Security Consortium has published its Web Application Security Statistics report for 2008. The report includes data about 12,186 web applications with 97,554 detected vulnerabilities of different risk levels. The report has some interesting findings, but the one relevant to this discussion is that 99% of web applications were not compliant with PCI DSS standard requirements. We do not have any information on the nature of the web applications included in the survey, i.e. whether they were in the financial services industry, but even so this is still a rather shocking statistic.


PCI DSS is a minimum set of requirements, but realistically a much higher level of security is required to protect cardholder information. If the industry continues to struggle to implement even this minimum set of requirements then the number of data breaches will continue to increase.


Dave
