What is PCI Compliance?

by Mathew Beane

Mathew has been fascinated with building and programming computers since his early days of upgrading an 8086 to an 80386. Working initially in the video game industry building servers and managing server rooms, Mat shifted his focus to PHP programming in early 2000. With over a decade of experience in eCommerce, Mat is now Director of Systems Engineering at Robofirm and a Magento Certified Developer. Because of his frequent presentations at PHP conferences, Magento recognized Mat as a Magento Master Mover in 2016. Mat has also contributed to Zend Server as part of the Z-Team with Zend, where he helped build the Magento plugin for Z-Ray. When he's not programming, you will find Mat spending time with his family, making music, tabletop gaming, or tinkering with some random project.

Accepting credit card payments has been a standard for many businesses for years and is a necessity for e-commerce. However, the credit card processing technologies in use today are worlds away from those of yesteryear. Over time, the technologies and security measures used to process credit cards have evolved with developments in the processing technology itself and the vulnerabilities that have been exploited in previous systems. In other words, credit card processing has had to keep pace with new technology and create new safeguards as identity thieves and hackers have developed ways to beat security systems.

The newest step in the evolution of credit card payment processing is PCI compliance.

Defining PCI Compliance

PCI is an acronym for Payment Card Industry. PCI compliance is essentially adherence to a set of guidelines called the Payment Card Industry Data Security Standard, or PCI DSS. These guidelines are "intended for organizations that store, process, or transmit cardholder data and that may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless," explains the PCI Security Standards Council. Essentially, "all organizations should have these controls in place to protect their wired networks from attacks via rogue or unknown wireless access points (APs) and clients," and "all organizations that transmit payment card information over wireless technology should have these controls in place to protect those systems."

Where Did PCI Compliance Come From?

The PCI DSS was established by the Payment Card Industry Security Standards Council (PCI SSC). The PCI council is an independent body that was established in 2006 to oversee the evolution of security standards in the payment card industry. It was created through a joint effort between the world's major credit card companies, including American Express, Discover, JCB, MasterCard and Visa. While these payment brands are the ones responsible for enforcing compliance among their merchants, the PCI SSC sets the standards to which those merchants are held. In fact, any company that accepts, stores or transmits credit card payments or cardholder information is required to follow the PCI DSS, regardless of how many (or how few) transactions it processes or what the value of those transactions is.

What Should a Business Do to Be PCI Compliant?

The exact measures a business must take for PCI compliance will vary by the merchant level to which the company belongs. There are four basic levels, defined by the number of Visa or MasterCard transactions the company processes in a given year.

Most small companies will fall under merchant level 4, which includes those businesses that process fewer than 20,000 transactions annually. This figure includes both debit and credit card transactions, as well as prepaid cards and Visa- or MasterCard-endorsed gift cards. Merchant level 3 allows up to 1 million transactions, merchant level 2 allows up to 6 million transactions, and merchant level 1 allows more than 6 million transactions annually.

PCI DSS Overview

While the exact measures your company needs to take to achieve PCI compliance will vary somewhat by transaction volume, several elements are standard across all companies. The Payment Card Industry Security Standards Council has established a baseline series of 12 requirements.

Your company is required to build and maintain a firewall to protect credit card processing data, and must not use any default or vendor-supplied user names and passwords on systems that protect cardholder data. In addition, you need to have measures in place to protect any data related to credit card processing that you store, and you need to encrypt any cardholder data that will be transmitted over an open, public network.

The vulnerability of your company's cardholder data must also be managed. For instance, you need to have up-to-date anti-malware and anti-virus software. You will also need a maintenance process for overseeing the security of any systems or applications your company develops or uses. Part of this includes implementing access control measures so that only the employees who need to access cardholder data have access to that information, requiring authentication so that every access can be tracked to an individual, and securing any physical cardholder data.

In order to be PCI compliant, your company is also required to monitor network access, as well as test any security systems or processes you have in place. Finally, you need to establish a policy within your company that spells all of this out.

Good Business Practices

Following PCI standards for cardholder security is not just a requirement; it is also good business. If you're not PCI compliant, you risk losing your customers' confidence in your company's ability to process payments securely, losing sales, and incurring fines and other legal costs.

The credit card companies are also hit. They have to absorb fraudulent charges and take on the cost of issuing new payment cards. In the end, when everyone works together to protect cardholder data, everyone wins.

You can tie e-commerce security and PCI compliance into your Magento development. Robofirm can help. We offer a range of e-commerce development services, perfect for whatever level of security your business requires. Contact us today to learn more.