December 14th, 2011

PCI for the Uninitiated – How to Accept Credit Card Payments Online

Any person or organization who accepts credit card payments online (or offline) is required to abide by PCI security standards.  It doesn’t matter if you accept only one payment a year … or millions.  Everyone who accepts, stores, or processes credit card information is required to be secure … no one is “too small”.  Also, all “deadlines” for compliance are long past — everyone has to be secure now.

PCI (Payment Card Industry) security standards are a collection of very rigorous best practices for securing the flow of, storage of, and access to sensitive credit card information.  In particular, this applies to the credit card numbers, expiration dates, and CVV validation codes (and the other information encoded in the magnetic stripe).

PCI is not a “law.”  It is a requirement of the credit card industry.  Non-compliance will not land you in jail; however, it may:

  • Result in your ability to process credit card payments being suspended
  • Result in significant bad publicity
  • Significantly impact your customers (e.g. they won’t be happy if their data is compromised!)

Recommendation for Accepting Credit Card Payments Online

Everyone wants to accept credit card payments online, as it facilitates sales.  However, everyone must be PCI compliant.  Below, we will see, in a general sense, what it takes to be compliant — it is costly and not easy.

Simple ways to be PCI compliant and accept credit cards:

  1. Have all credit cards entered and processed at your Merchant Provider’s web site (which is likely already set up to be compliant).  Your shopping cart or forms would send the order details and amounts there, payment would be made, and the provider would send the customer back to your site with a success page.  You could be notified of the successful payment/order in various ways — email, a posted URL, etc.
  2. Use PayPal.  PayPal does allow people to pay you with credit cards, even if they do not have a PayPal account.
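As an added illustration of the “posted URL” notification in option 1 (this is example code written for this page, not LuxSci’s code and not any real Merchant Provider’s API): the hosted page has already taken the card, and all your site receives is a status post. The field names, the HMAC-SHA256 signing scheme and the shared secret are assumptions about a hypothetical provider; a real provider documents its own. The point that matters for the merchant is that an order is marked paid only after the signature, a replay check, and your own record of the expected amount and currency all agree.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed value for the example; a real secret would come from the provider.
SHARED_SECRET = b"example-shared-secret-not-real"

# Orders your site created before redirecting the customer to the hosted page (constructed).
ORDERS = {"ORD-1001": {"amount": "49.95", "currency": "USD", "status": "pending"}}

# Notification ids already processed, so a replayed post cannot mark an order paid twice.
SEEN_NOTIFICATION_IDS = set()


def canonical_string(fields):
    """Sorted key=value pairs, excluding the signature itself (hypothetical scheme)."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")


def sign(fields, secret=SHARED_SECRET):
    """HMAC-SHA256 over the canonical string (hypothetical provider scheme)."""
    return hmac.new(secret, canonical_string(fields).encode(), hashlib.sha256).hexdigest()


def make_notification(fields, secret=SHARED_SECRET):
    """Build the form-encoded body the provider would post; used here only to simulate it."""
    signed = dict(fields)
    signed["sig"] = sign(fields, secret)
    return urlencode(signed)


def handle_notification(raw_body, orders=ORDERS, seen=SEEN_NOTIFICATION_IDS):
    """Validate a posted notification and return (accepted, reason).

    Only a notification that passes every check changes an order's status.
    """
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    required = ("notification_id", "order_id", "amount", "currency", "result", "sig")
    if any(name not in fields for name in required):
        return False, "missing field"
    # Signature first: nothing else in the post is trusted until this passes.
    if not hmac.compare_digest(sign(fields).encode(), fields["sig"].encode()):
        return False, "bad signature"
    if fields["notification_id"] in seen:
        return False, "replayed notification"
    order = orders.get(fields["order_id"])
    if order is None or order["status"] != "pending":
        return False, "unknown or already settled order"
    # Compare against what *you* expected to be charged, not just what the post says.
    if (fields["amount"], fields["currency"]) != (order["amount"], order["currency"]):
        return False, "amount or currency mismatch"
    seen.add(fields["notification_id"])
    if fields["result"] != "approved":
        order["status"] = "failed"
        return False, "payment not approved"
    order["status"] = "paid"
    return True, "order marked paid"
```

Note that the handler never sees, logs or stores a card number; the most it learns is the order id and the amount, which is exactly what keeps your own site out of PCI scope in this arrangement.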

Things that are NOT PCI Compliant:
  1. Never send or request credit card information over email.
  2. Never request credit card information over chat.
  3. Do not use web forms on your web site to collect credit card information.
  4. Web sites hosted on shared web servers will never be PCI compliant.
  5. Web sites hosted on virtual private servers and cloud servers will also NOT be PCI compliant unless the underlying host servers are also PCI compliant (and dedicated to you).
  6. Dedicated physical servers will not be PCI compliant unless many additional factors are met.

What it takes to make your server(s) PCI compliant

To get an idea of what is involved in PCI compliance, let’s take the example of a company that has a web site and a database and would like to sell products via its site, accept credit cards, and store that information in its database for future purchases.  This is a pretty common scenario (and also describes LuxSci).

The following is an overview of only a small fraction of the requirements.  In truth, there are hundreds of individual items that must be met and certified before you can say that you are PCI compliant.  Some of the most telling requirements, however, include:

  • Use a hardware firewall, and understand and document all of its rules and why they are in place.
  • Encrypt cardholder data any time it is transmitted over any public network (e.g. using SSL, TLS, PGP, etc.).
  • Encrypt cardholder data when stored in your database (e.g. using PGP or an encrypted database system).
  • Vulnerability management: use anti-virus software on all servers, perform system scans, and maintain the security of all installed software.
  • Access Control: Use strong access control for anyone with access to card holder data (including system administrators).  This includes:
  • Monitor and Test: Perform regular scans of internal and external systems for vulnerabilities and security. This should be done by a certified third party organization.
  • Maintain Policies: You must maintain security policies, perform regular audits and create reports, have security training yearly, etc.  There is a lot of paperwork that must be managed by a security expert.

Additionally, PCI places a big emphasis on “scope”.  Scope is all of the computers and servers that are on the same network, including any devices that touch cardholder data.  All computers and servers in “scope” must be PCI compliant.

Let’s say you have dedicated web and database servers behind the same firewall on a dedicated server provider:

  • All other servers behind the same firewall are also “in scope” and must be secured for PCI.
  • All computers (e.g. your staff workstations or other servers) that can access those servers via VPN access or secure tunnels must also be secured for PCI.
  • If these servers are “Virtual Machines”, then their host machines must also be secured for PCI.
  • Any user, including data center support staff, who may have administrative access to the server must be under your purview in terms of security and compliance.

As you can see, limiting the scope of what computers need to be compliant is critical to making compliance manageable.  So, if we were going to set up a compliant web and database site for our example business, we would need to:
  • Have a dedicated hardware firewall in front of the web and database server
  • Have a dedicated web server for the web site
  • Have another dedicated hardware firewall between the “public” web site server and the “private” database server (important to segment servers open to the public and those where the card data is being stored)
  • Have a dedicated database server
  • Use an encrypted file system or encrypted database
  • Have a hardware intrusion detection system in place to cover both servers
  • Set up 2-factor authentication for all administrative access to these servers
  • Ensure that every user has his/her own unique administrative login which gives only the needed access; there should be no shared use of “root”.
  • Access and activity should be logged and audited and reviewed frequently.
  • Ensure your web site is well designed and secure and uses SSL for the collection of credit card information
  • Set up anti-virus scanning of your servers
  • Set up frequent vulnerability scans of your web site
  • Set up frequent vulnerability scans on your internal systems (behind the firewall)
  • Write up security policies and network diagrams covering why everything is setup the way it is, what the security issues are, what all the software running is for, what all your firewall rules are for and why, etc.
  • Identify a Security Officer in charge of all of this, whose job is to ensure the current and continued compliance of your network, to keep up with changes in PCI (as it does keep evolving), and to plan for and implement further needed enhancements in your environment.

These are just some of the highlights of what is needed.  There is much more work to do than what is listed above.  You will appreciate this if you look at the PCI Security Questionnaire that the credit card industry will force you to review — you have to sign that your organization meets every item of the hundreds of requirements or you are considered “out of compliance”.

As you can see … unless you are a large organization with deep pockets and some well trained security staff, trying to make your own servers PCI compliant is likely to be impossible … or you may be less than truthful on the Questionnaire and hope that you don’t get caught — don’t be that guy!

What does LuxSci Do for PCI Compliance?

LuxSci accepts credit cards online and uses them for recurring payments.  Back in the day … before PCI … we used to handle the credit card data ourselves:
  • Using secure servers and web sites
  • Using SSL for encryption
  • Encrypting credit card data with PGP for storage
  • etc.

However, with the advent of PCI, we quickly realized that while our systems meet most of the PCI requirements, they do not meet them all … and to make the changes required for us to continue to be PCI compliant while processing and storing credit card data ourselves … would be cost prohibitive in terms of the additional hardware needed and in terms of the staff time required.
So, LuxSci chose to use the APIs provided by our Merchant Provider to solve the problem.

  • We store all customer credit card data in our Merchant Provider’s PCI-compliant databases.
  • We keep only reference ID numbers for this data in our systems.
  • When customers need to pay us with a credit card, we open a special window (an iframe) that loads a credit card and billing information entry form from our Merchant Provider.  All information is entered there, securely sent to the provider, and stored there.  We receive only the success/failure status for the transaction.
  • We can use the reference ID numbers to delete customer credit card information at the provider when it is no longer needed, and to re-charge cards for recurring payments (when authorized by our customers).
  • We have no access to customer credit card information — there is no way for us to use the API to retrieve any of the sensitive cardholder data.

As a result of this implementation, no credit card data is ever transmitted through, processed by, or stored on any of LuxSci’s servers.  This makes our “PCI scope” effectively “zero” and makes certification of our compliance almost trivial.
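The reference-ID arrangement just described, as an added example (written for this page; it is not LuxSci’s code and not any real Merchant Provider’s API). `ProviderVault` stands in for the provider’s PCI-compliant storage, with hypothetical `store`/`charge`/`delete` calls and, deliberately, no call that returns the card number. `MerchantBilling` is the only part that would live on the merchant’s servers: it keeps reference IDs and the last four digits, nothing else. `find_pans` is the check a merchant can run over its own database exports and logs to confirm that nothing card-number-shaped ever landed there, which is the evidence behind a “scope of zero” claim. The card number and records below are constructed test data.

```python
import re


class ProviderVault:
    """Stand-in for the Merchant Provider's PCI-compliant card storage and API.

    Hypothetical: in the real arrangement this runs on the provider's systems and
    the merchant only calls it over the provider's API. The cards live here only.
    """

    def __init__(self):
        self._cards = {}
        self._next_id = 0

    def store(self, pan, expiry):
        """Called by the provider's own hosted entry form, never by the merchant."""
        self._next_id += 1
        reference_id = f"ref_{self._next_id:06d}"
        self._cards[reference_id] = {"pan": pan, "expiry": expiry}
        # Only the reference and a display hint cross back to the merchant.
        return {"reference_id": reference_id, "last4": pan[-4:]}

    def charge(self, reference_id, amount_cents):
        if reference_id not in self._cards:
            return {"status": "failure", "reason": "unknown reference"}
        return {"status": "success", "amount_cents": amount_cents}

    def delete(self, reference_id):
        return self._cards.pop(reference_id, None) is not None

    # Deliberately no method that returns the stored card data.


class MerchantBilling:
    """The merchant side: keeps reference IDs and last-four only, plus an audit log."""

    def __init__(self, provider):
        self.provider = provider
        self.customers = {}  # customer_id -> {"reference_id": ..., "last4": ...}
        self.log = []

    def on_hosted_form_result(self, customer_id, result):
        """Handle what the provider's iframe form hands back after the customer submits."""
        self.customers[customer_id] = {"reference_id": result["reference_id"],
                                       "last4": result["last4"]}
        self.log.append(f"card on file for {customer_id}: {result['reference_id']}")

    def recurring_charge(self, customer_id, amount_cents):
        """Re-charge a stored card by reference (an authorized recurring payment)."""
        entry = self.customers.get(customer_id)
        if entry is None:
            return "failure"
        outcome = self.provider.charge(entry["reference_id"], amount_cents)
        self.log.append(f"charge {customer_id} {amount_cents} cents: {outcome['status']}")
        return outcome["status"]

    def forget_card(self, customer_id):
        """Delete the card at the provider and drop the reference locally."""
        entry = self.customers.pop(customer_id, None)
        if entry is None:
            return False
        self.log.append(f"deleted card on file for {customer_id}")
        return self.provider.delete(entry["reference_id"])

    def data_dump(self):
        """Everything this side persists, as text, for the scope check below."""
        return "\n".join([repr(self.customers)] + self.log)


# Card-number-shaped runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test, which real card numbers satisfy."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers found in text.

    Run this over your own database exports and log files: an empty result is the
    evidence that no cardholder data is stored or processed on your servers.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found
```

The contrast worth noticing is between `find_pans(merchant.data_dump())`, which comes back empty because only `ref_…` identifiers and a last-four ever reach the merchant, and the same scan over a record from the “before PCI” era that held the number itself, which it flags.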

Equally important:
  • You can host your website(s) at LuxSci with a PCI-compliant implementation similar to LuxSci’s for your payment processing.
  • There is no need to invest in a PCI-compliant server environment in order to process credit cards — you can save much time, money, and risk by allowing your Merchant Provider to handle all of that for you.  We do!

If you do not feel that you are “technical enough” to implement a PCI compliant solution for your business, we recommend that you contact your Merchant Provider — they typically have a list of consultants who can intelligently assist you.
