
PCI Compliance and Credit Card Security Regulations


M2


With the ongoing changes in Credit Card Security (specifically regulations regarding the storage and transmission of CC data) I am curious to learn from others what steps they are taking to ensure that they are PCI Compliant. Eventually this will affect all of us and I would like to learn whether anyone factors this into their systems.

 

More information can be found at this link: http://www.pcicomplianceguide.org/

 

All US Credit Card companies are involved with the initiative and soon as a hosting provider that retains credit card information we will be as well.

 

Any thoughts?


Thank you for the link - certainly appreciated and I will definitely take a look.

 

Because the regulations are a bit "unclear" (considering the various PCI DSS Vendor Levels), one thing that I was concerned with was the suggestion to maintain any database that holds credit card info on a separate server from the web server handling the transaction process. Has anyone implemented this type of functionality?

 

From the site mentioned above:

 

"By the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards."

 

There is a veritable laundry list of requirements including monthly audits, security scans etc. that will be required (mainly for companies that "retain" credit card info - which WHMCS users do).

 

Any thoughts/ideas are certainly appreciated!


I thought I had read somewhere that PCI only applied to companies with either 6 million $ or £'s annual turnover. Maybe I'm wrong on that though. We had a customer request a PCI SCAN for his e-commerce site on our shared servers and I'm sure that was the outcome. It wasn't needed.

 

Si


Well, I knew 6 million had something to do with it.

 

Here's the lowdown:

 

Level 1 Merchants and Level 2 Merchants are 'REQUIRED' to Validate

 

Level 3 Merchants must use a Qualified Independent Scan Vendor

 

Level 4 Merchants must also use a Qualified Independent Scan Vendor but Note: While compliance is mandatory for Level 4 Merchants, validation is optional

 

LEVEL QUALIFICATIONS

 

Level 1 Merchants = Any merchant - regardless of acceptance channel - processing more than 6,000,000 Visa transactions per year

 

Level 2 Merchants = Any merchant - processing 1 million – 6 million Visa or MasterCard transactions per year

 

Level 3 Merchants = Any merchant processing 20,000 – 1 million Visa or MasterCard e-commerce transactions per year

 

Level 4 Merchants = Any merchant processing less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year.

 

My guess is that for most WHMCS users PCI doesn't figure for the foreseeable future as a 'must do', and for those that use the services of a service like Worldpay etc, it never will.

 

Si


  • 3 weeks later...
My guess is that for most WHMCS users PCI doesn't figure for the foreseeable future as a 'must do', and for those that use the services of a service like Worldpay etc, it never will.

 

Si

 

 

I think even if using a service like Worldpay as your gateway you would still need to follow PCI compliance rules as WHMCS would still be storing the card details?


As far as I'm concerned, if you handle people's CC data you must be fully PCI compliant. If you just pass it straight off to PayPal/2CO then PCI isn't an issue for you.

 

Exactly, if you're storing CC numbers (as you do in WHMCS) then you'd be foolish not to follow the PCI compliance rules. Would hate to think what kind of fines you'd be looking at if you didn't follow the advice and had a security breach.


I think even if using a service like Worldpay as your gateway you would still need to follow PCI compliance rules as WHMCS would still be storing the card details?

 

If using Worldpay, you don't store customers' card details in your WHMCS or server.

 

Si


If using Worldpay, you don't store customers' card details

Not correct :P

Worldpay is just a processor for most of us.

They have a product (world-direct) for people to utilise the WP merchant account rather than your own, but there are other products like bank-direct, wp invisible, and several unpublished/co-branded solutions where you take the card details on your site, and just pass them to WP to process.

 

If you're storing client card numbers you need to be PCI level1 compliant or (in the UK since Dec 2007) you're in breach of your merchant agreement. Reading the small print on some of the card-processors shows that you should also be using a certificate warranted to the value of your largest single transaction amount, so expect to be paying circa $300 for your SSL certificate not $10 for a "domain" cert etc.


With the ongoing changes in Credit Card Security (specifically regulations regarding the storage and transmission of CC data) I am curious to learn from others what steps they are taking to ensure that they are PCI Compliant. Eventually this will affect all of us and I would like to learn whether anyone factors this into their systems.

 

More information can be found at this link: http://www.pcicomplianceguide.org/

 

All US Credit Card companies are involved with the initiative and soon as a hosting provider that retains credit card information we will be as well.

 

Any thoughts?

 

Whichever processor you use should be giving you a break-down of what's required of you.


Hello all,

 

We're just in the process of applying for a merchant account and have been doing quite some digging upfront to be sure we're not making any mistakes before offering CC payments as an option to our customers. While the following might not be accurate for any country, I am pretty sure it applies to most EU countries:

 

As long as you choose to store CC details, you are required to comply with the PCI DSS. You might also (depending on transaction volume) need a quarterly security scan/certification performed by a 3rd party qualified security assessor/approved scanning vendor. Smaller companies might get away with a self assessment test instead of a full network certification, but - and at this point I am not completely on solid ground - I do think they would still need to be scanned/validated at given intervals (quarterly/yearly?).

 

Anyway, the demands for the smaller webhost might be tough, especially at startup, as there are some network requirements which can be a little costly. Here I'd like to mention the demand for a separate firewalled database server, separated from the webserver. It's unclear to me if this database server will have to be behind a hardware firewall, or if it's enough with something as simple as running APF, Bastille etc.

 

Also, running other sites on the webserver where the customer interaction takes place can be problematic, as this can potentially be a security issue in itself (part of the PCI DSS states that you should have routines for software security and upgrades etc, and - again, I might be wrong, since this was not an issue for us I didn't put much reading into this part - but I believe that any other site run on the same server will also have to be scanned?).

 

So, the solution for us is to let the gateway company store our customers' CC data. They offer the ability for us to register the CC with them, retrieve a CC identifier and trigger charges towards that CC with the identifier whenever needed, we just need a custom module for WHMCS to handle this specific part. I assume this service can be offered by other gateway companies as well - probably for a fee - but choosing this path might require some custom module development, not sure if the current WHMCS modules handle this.

 

Our gateway provider required 3-D Secure implemented too, btw.

 

For those of you interested in more info, you'll find it here:

http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp

https://sdp.mastercardintl.com/

 

And the self-assessment questionnaire:

http://www.visaeurope.com/documents/ais/PCI_DSS_self-assessment_questionnaire.pdf

https://sdp.mastercardintl.com/doc/758_pci_self_assmnt_qust.doc

 

Regards,

Bjorn
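The gateway-stored-card flow Bjorn describes (register the card with the gateway, keep only an identifier, charge by identifier later), as an added example that is not WHMCS code or any gateway's real API. MockGateway, register_card and charge are assumed names standing in for the provider's service; the point shown is that the merchant's own database ends up holding no card number at all.

```python
"""Gateway tokenization sketch: the merchant side never persists the PAN.

Added example; the gateway here is a constructed stand-in, not a real API.
"""
import re
import secrets

# Rough PAN shape (13-19 digits) used to audit what the merchant stored.
PAN_RE = re.compile(r"\b\d{13,19}\b")


class MockGateway:
    """Stand-in for the gateway's card vault (assumed interface)."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry); lives at the gateway only

    def register_card(self, pan: str, expiry: str) -> str:
        # Opaque, unguessable identifier; carries no card data itself.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            return {"ok": False, "reason": "unknown token"}
        return {"ok": True, "amount": amount_cents}


class MerchantStore:
    """What the host's own database keeps: token plus a display hint."""

    def __init__(self):
        self.rows = []

    def save(self, client_id: int, token: str, pan: str) -> None:
        # Only the token and last four digits are written locally.
        self.rows.append({"client": client_id, "token": token, "last4": pan[-4:]})

    def contains_pan(self) -> bool:
        """Audit check: does anything stored locally look like a full PAN?"""
        return any(PAN_RE.search(str(v)) for row in self.rows for v in row.values())


def register_and_charge(gateway, store, client_id, pan, expiry, amount_cents):
    """Register once, store the token, then charge by token (the recurring path)."""
    token = gateway.register_card(pan, expiry)
    store.save(client_id, token, pan)
    return token, gateway.charge(token, amount_cents)
```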

