PCI for the Uninitiated – How to Accept Credit Card Payments Online
Any person or organization who accepts credit card payments online (or offline) is required to abide by PCI security standards. It doesn’t matter if you accept only one payment a year … or millions. Everyone who accepts, stores, or processes credit card information is required to be secure … no one is “too small”. Also, all “deadlines” for compliance are far past — everyone has to be secure now.
PCI (Payment Card Industry) security standards are a collection of very rigorous best practices for securing the flow of, storage of, and access to sensitive credit card information. In particular, this applies to the credit card numbers, expiration dates, CVV validation codes, and other information in the magnetic stripe.
PCI is not a “law.” It is a requirement of the credit card industry. Non-compliance will not land you in jail; however, it may:
- Result in your ability to process credit card payments being suspended
- Result in significant bad publicity
- Significantly impact your customers (e.g. they won’t be happy if their data is compromised!)
Recommendation for Accepting Credit Card Payments Online
Everyone wants to accept credit card payments online, as it facilitates sales. However, everyone must be PCI compliant. Below, we will see, in a general sense, what it takes to be compliant — it is costly and not easy.
Simple ways to be PCI compliant and accept credit cards:
- Have all credit cards entered and processed at your Merchant Provider’s web site (which is likely already set up to be compliant). Your shopping cart or forms would send the order details and amounts there, payment would be made, and the provider would return the customer to a success page on your site. You could be notified of the successful payment/order in various ways: email, a posted URL, etc.
- Use PayPal. PayPal allows people to pay you with credit cards even if they do not have a PayPal account.
- Never send or request credit card information over email.
- Never request credit card information over chat.
- Do not use web forms on your web site to collect credit card information.
- Web sites hosted on shared web servers will never be PCI compliant.
- Web sites hosted on virtual private servers and cloud servers will also NOT be PCI compliant unless the underlying host servers are also PCI compliant (and dedicated to you).
- Dedicated physical servers will not be PCI compliant unless many additional factors are met.
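The first option above (hand the customer off to the Merchant Provider’s hosted page, then accept a success notification back) only keeps card data out of your systems if the notification itself cannot be forged or replayed. The example below is added here and is not LuxSci’s code or any real provider’s API: it assumes a hypothetical provider that shares an HMAC secret with the merchant, signs a fixed list of fields, and posts the result to the merchant’s "posted URL". The merchant signs the outbound amount, then verifies the inbound signature in constant time, checks that the order and amount match what was sent, and rejects a notification it has already processed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Shared secret issued to the merchant by a hypothetical payment provider (constructed value).
SHARED_SECRET = b"example-shared-secret-issued-by-provider"

# Field order is fixed so that merchant and provider hash the same canonical string.
REDIRECT_FIELDS = ("order_id", "amount_cents", "currency", "return_url", "nonce")
CALLBACK_FIELDS = ("order_id", "amount_cents", "currency", "status", "txn_id")


def sign(fields, names, secret=SHARED_SECRET):
    """HMAC-SHA256 over name=value pairs in a fixed order; a missing field raises KeyError."""
    canonical = "|".join(f"{name}={fields[name]}" for name in names).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_redirect(order_id, amount_cents, currency, return_url):
    """Fields the shopping cart posts to the provider's hosted payment page.

    The amount is covered by the signature so a customer cannot edit the form and pay less.
    """
    fields = {
        "order_id": order_id,
        "amount_cents": amount_cents,
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),
    }
    fields["signature"] = sign(fields, REDIRECT_FIELDS)
    return fields


@dataclass
class PendingOrder:
    order_id: str
    amount_cents: int
    currency: str


class CallbackVerifier:
    """Validates the provider's posted success notification before an order is marked paid."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self.seen_txns = set()  # replay protection; persist this in a database in practice

    def verify(self, callback, pending):
        # 1. Every signed field and the signature itself must be present.
        for name in CALLBACK_FIELDS + ("signature",):
            if name not in callback:
                return False, f"missing field: {name}"
        # 2. Constant-time signature check; a forged or edited notification fails here.
        expected = sign(callback, CALLBACK_FIELDS, self.secret)
        if not hmac.compare_digest(expected, str(callback["signature"])):
            return False, "bad signature"
        # 3. The notification must describe the order we sent, at the amount we sent.
        if callback["order_id"] != pending.order_id:
            return False, "order mismatch"
        if int(callback["amount_cents"]) != pending.amount_cents or callback["currency"] != pending.currency:
            return False, "amount mismatch"
        # 4. Only an approved status releases the goods.
        if callback["status"] != "approved":
            return False, f"not approved: {callback['status']}"
        # 5. A genuine notification replayed a second time must not pay for a second order.
        txn_id = callback["txn_id"]
        if txn_id in self.seen_txns:
            return False, "replayed notification"
        self.seen_txns.add(txn_id)
        return True, "ok"
```

The check against `PendingOrder` is the part most often skipped: a correctly signed notification for a one-cent test transaction must not mark a $49.99 order as paid, and a notification that was genuine once must not be accepted twice.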
What it takes to make your server(s) PCI compliant
To get an idea of what is involved in PCI compliance, let’s take the example of a company that has a web site and a database and would like to sell products via its site, accept credit cards, and store information in its database for future purchases. This is a pretty common scenario (and also describes LuxSci).
The following is an overview of only a small fraction of the requirements. In truth, there are hundreds of individual items that must be met and certified before you can say that you are PCI compliant. Some of the most telling requirements include:
- Use a hardware firewall, understand and document all of the rules and why they are in place.
- Encrypt card holder data any time it is transmitted over any public network (e.g. using SSL, TLS, PGP, etc.).
- Encrypt card holder data when stored in your database (e.g. using PGP or an encrypted database system).
- Vulnerability management: Use anti-virus software on all servers, perform system scans, maintain the security of all software installed.
- Access Control: Use strong access control for anyone with access to card holder data (including system administrators). This includes:
  - Unique logins for every person (no shared root or administrator logins)
  - Really strong passwords that change every 90 days and are not reused
  - Two-factor authentication
- Monitor and Test: Perform regular scans of internal and external systems for vulnerabilities and security. This should be done by a certified third party organization.
- Maintain Policies: You must maintain security policies, perform regular audits and create reports, have security training yearly, etc. There is a lot of paperwork that must be managed by a security expert.
Additionally, PCI places a big emphasis on “scope”. Scope is all of the computers and servers that are on the same network, including any devices that touch card holder data. All computers and servers in “scope” must be PCI compliant.
Let’s say you have dedicated web and database servers behind the same firewall on a dedicated server provider:
- All other servers behind the same firewall are also “in scope” and must be secured for PCI.
- All computers (e.g. your staff workstations or other servers) that can access those servers via VPN access or secure tunnels must also be secured for PCI.
- If these servers are “Virtual Machines”, then their host machines must also be secured for PCI.
- Any user, including data center support staff, who may have administrative access to the server must be under your purview in terms of security and compliance.
- Have a dedicated hardware firewall in front of the web and database server
- Have a dedicated web server for the web site
- Have another dedicated hardware firewall between the “public” web site server and the “private” database server (important to segment servers open to the public and those where the card data is being stored)
- Have a dedicated database server
- Use an encrypted file system or encrypted database
- Have a hardware intrusion detection system in place to cover both servers
- Set up 2-factor authentication for all administrative access to these servers
- Ensure that every user has his/her own unique administrative login which gives only the needed access; there should be no shared use of “root”.
- Access and activity should be logged and audited and reviewed frequently.
- Ensure your web site is well designed and secure and uses SSL for the collection of credit card information
- Set up anti-virus scanning of your servers
- Set up frequent vulnerability scans of your web site
- Set up frequent vulnerability scans on your internal systems (behind the firewall)
- Write up security policies and network diagrams covering why everything is set up the way it is, what the security issues are, what all the software running is for, what all your firewall rules are for and why, etc.
- Identify a Security Officer in charge of all of this whose job is to ensure the current and continued compliance of your network, to keep up with changes in PCI (as it does keep evolving) and to plan for and implement further needed enhancements in your environment
What does LuxSci Do for PCI Compliance?
- Using secure servers and web sites
- Using SSL for encryption
- Encrypting credit card data with PGP for storage
- We store all customer credit card data at Authorize.net in their PCI-compliant databases
- We keep only reference ID numbers for this data in our systems.
- When customers need to pay us with a credit card, we open a special window (an iframe) that loads a credit card and billing information entry form from Authorize.net. All information is entered and securely sent to Authorize.net, and stored there. We receive the success/failure status for the transaction.
- We can use the reference ID numbers to delete customer credit card information at Authorize.net when it is no longer needed, and to re-charge cards for recurring payments (when authorized by our customers).
- We have no access to customer credit card information — there is no way for us to use the API to retrieve any of the sensitive card holder data.
- You can host your website(s) at LuxSci with a PCI-compliant implementation similar to LuxSci’s for your payment processing.
- There is no need to invest in a PCI-compliant server environment in order to process credit cards — you can save much time, money, and risk by allowing your Merchant Provider to handle all of that for you. We do!
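The approach above (keep only the processor’s reference ID plus display data, and never accept card numbers over email, chat or your own forms) is easy to state and easy to undermine by accident: a support agent pastes a card number into a ticket, or a full PAN lands in a request log. The example below is added here and is not LuxSci’s code or Authorize.net’s API; the `profile_ref` format and the processor response are constructed. It shows the record a merchant should keep, a storage-time guard that refuses any field that looks like a Luhn-valid card number, and a log scrubber that masks card numbers in free text while leaving non-card digit runs (order numbers, amounts) alone.

```python
import re
from dataclasses import dataclass


def luhn_valid(digits):
    """Luhn check-digit test; true for well-formed card numbers such as the 4111... test PAN."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def looks_like_pan(value):
    """True when a field value is a plausible card number (length and Luhn both pass)."""
    digits = re.sub(r"[ -]", "", str(value))
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def scrub_pan(text):
    """Mask any Luhn-valid card number in free text, keeping only the last four digits."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)  # a digit run that fails Luhn (e.g. an order number) is left alone
    return PAN_CANDIDATE.sub(mask, text)


@dataclass(frozen=True)
class StoredPaymentMethod:
    """What the merchant keeps: a processor reference plus display data, never the PAN or CVV."""
    customer_id: str
    profile_ref: str   # reference ID issued by the processor (hypothetical format)
    last4: str
    exp_month: int
    exp_year: int

    def __post_init__(self):
        # Refuse to persist a card number that arrived in the wrong field by mistake.
        for name in ("customer_id", "profile_ref", "last4"):
            if looks_like_pan(getattr(self, name)):
                raise ValueError(f"{name} contains a card number; store the processor reference instead")
        if not (self.last4.isdigit() and len(self.last4) == 4):
            raise ValueError("last4 must be exactly four digits")


def store_from_processor_response(customer_id, response):
    """Build the record from a (constructed) processor response carrying only a reference and last4."""
    return StoredPaymentMethod(
        customer_id=customer_id,
        profile_ref=response["profile_ref"],
        last4=response["last4"],
        exp_month=int(response["exp_month"]),
        exp_year=int(response["exp_year"]),
    )
```

Run `scrub_pan` over anything that is written to logs, tickets or outbound email from the ordering system; the Luhn check keeps it from mangling order numbers and similar long identifiers, while the storage guard makes sure that if a PAN does reach the merchant by mistake, it is rejected rather than quietly saved next to the reference ID.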