It goes something like this: (Client): I want to add a shopping cart to my site. I heard that xyz cart is free, can you add that for me? (Developer): Sure! That looks easy. (Months and a couple thousand dollars later): Okay, I think it finally works, and is all hooked up, ready to go. I put an SSL certificate on your $15/month GoDaddy account and so now you're all safe and secure. (Client): Great! I'll just check all the boxes on this PCI questionnaire and we're in business! A few orders come in here and there, and all seems fine. At first. The first sign of trouble came three or four months later. A customer complained about seeing the store come up in Google under Viagra. The developer checked into it and found that Google had a bunch of results pointing to the site that had nothing to do with the product. Puzzled, he followed the links from Google and the page had nothing like what Google showed -- the site looked completely normal. The developer shrugged, told the client it all looked fine, and he went back to his Xbox. Then the other shoe dropped. The client's merchant account provider notified the merchant of irregular activity they had matched up to cards used on his merchant account, and they were conducting an audit. A security company had to be hired to verify that the site was intact. Of course it wasn't. Fortunately for the client, he had not done much business, so there were only 76 credit cards stolen. The merchant account fined the client $1900, $25 for each stolen card number. Unfortunately, they entirely revoked his ability to accept credit cards until he could meet PCI level 1 compliance. When he went to do this, he found it would cost over $100,000 to reach this level of compliance, well out of reach of his budget. Two months later he closed his business. Ok. So this story is fiction, but all the elements are true. We have seen this level of negligence around security on dozens of e-commerce sites, have been brought in to clean up sites that have been hacked to feed Google completely unrelated results, and $25 per card is the low end of the fines imposed if you are not PCI compliant and have a breach. I attended a webinar yesterday by the Commerce Guys on PCI compliance. While we have been doing PCI compliance for ourselves and supporting the efforts of many of our customers for years, two things stood out from the presentation: the overall cost of compliance for the different types of processing, and some of the new online gateways that help keep compliance costs down.

Some definitions

Of course, being in technology, we have lots of acronyms. PCI = "Payment Card Industry", the group that creates "Data Security Standards" (DSS) merchants must comply with when accepting credit cards. Most merchants can do their own compliance and attest they are in compliance using a "Self Assessment Questionnaire" (SAQ). There are 5 different versions of the SAQ, and which one you have to use depends on exactly how you process charges. Three of those versions apply to e-commerce and shopping cart sites, SAQ-A, SAQ-C, and SAQ-D. There's another dimension that affects how rigorous you must be with transactions, besides the type of processing: the number of transactions, which puts you in a "Level" from 1 to 4. Process less than 20,000 transactions per month? You're level 4. Process more than a million? You're level 1. If you have a breach, are found to not be PCI compliant at your current level, and even a single credit card number was stolen, you get bumped to Level 1, SAQ-D regardless of how many transactions you do. One strike, you're out.

Compliance costs

SAQ-A is a really simple level to attain. Basically, you don't accept credit cards at all -- you send people to another site entirely to enter their credit card information. You can become compliant in an afternoon. SAQ-C is quite a bit more stringent. According to the Commerce Guys' presentation, this takes weeks to months. When we're doing e-commerce sites, we assume we need to meet this level, and we have set up provisioning scripts and environments to start out this way, but there is ongoing cost in maintaining this level of compliance. You also need to conduct quarterly security scans. SAQ-D is far more costly, mainly because you have to get outside audits done by a "Qualified Security Assessor" (QSA). Here's a summary of costs, from http://drupalpcicompliance.org/ : Type|PCI Controls to Meet|Estimated Time|Estimated Cost ----|----|----|---- A|13-15|Hours|$100 - $1000 C|80|Weeks to Months|$10,000 - $100,000 D|288|Months|$100,000 - $1,000,000+

Ways to keep compliance costs down

The basic rule of thumb is the less you have access to a card number, the easier it is to be compliant. If you ever store it, that puts you into SAQ-D territory. If your web site takes the card number, immediately forwards it to a gateway, and never stores it to disk, you're in SAQ-C. If you send the user to another site entirely and your site never even sees the number, you can do SAQ-A. The catch, however, is that even with what could be an SAQ-A site, is that if your code is not kept in a secure environment, and an attacker modifies it to send it to a spoofed gateway, you could still be responsible for credit card theft. For that reason, the Commerce Guys strongly recommended maintaining the SAQ-C level of environment, even if you are using one of the payment methods that entirely bypasses your server. There are two very common practices out there that basically cannot be done while maintaining a secure environment:

  • FTP. This has long been the standard way designers and developers copy code to servers, and it's horribly insecure. If one of your team members connects via FTP to your site in a public wifi setting (like a coffee shop), the password can be very easily intercepted by anyone else on that network. We won't even install FTP on any server running a shopping cart.
  • Using a shared server. If you're doing any e-commerce on a server that allows people you don't know to log in, you are putting your whole business at risk. You really need a dedicated server of some kind to do e-commerce (virtual servers are usually fine). With those out of the way, there are basically 3 techniques shopping cart sites can use to send the actual card data to a different service entirely, and stay in the SAQ-A range of compliance:
  • Hosted page. This used to be the only real way to use a shopping cart and stay in the SAQ-A range. You collect all the product/payment info on your site, and then send that with the customer to an entirely different site, on an entirely different domain, to enter their credit card details and when they are done, bring them back to your site. Some Paypal and Authorize.net options do this, as well as services like 2Checkout, Amazon payments, Google checkout, etc.
  • Direct Post. The form that collects the card info gets posted directly to the payment site, instead of your site, and the user gets seamlessly redirected back. This approach is slightly easier to attack than the others, because the user does not see what's actually happening, but it does make your compliance easier. This is also supported by Paypal and a few others, and is a newer technique.
  • Embedded Iframe. In this version, you actually embed a page coming from the payment gateway right into your checkout page. This is harder to attack than direct post, but it can have some confusing behavior if the integration isn't quite right. Newer services like Stripe use this technique. At Freelock, we still largely use and recommend the SAQ-C type of processing, where the site actually does collect the credit card number and passes it straight on to the gateway -- we think it provides a better, more consistent user experience, and if you start from a secure environment, compliance doesn't have to be that costly (though it is definitely in the $10K a year range). You just need to be aware of this cost, and budget for it. If you're accepting credit cards online, don't be that client who is oblivious to PCI and security issues. Would you leave cash in the till and the door unlocked at night? These are basic, fundamental things you need to understand to safely do e-commerce, and if your developer isn't coaching you on these issues, find one who can. For more on the costs of doing e-commerce, be sure to read this post from a couple years ago. (Update: the webinar is now live, and you can view it here: http://commerceguys.com/webinars/archive/pci-compliance-drupal )
Permalink

Nice article! I've gone thru lots of PCI stuff with a very large ($500Million) company and a smaller company. This was a good reminder though, I just checked our server and realized FTP was open and severely outdated! A third-party POS company maintains our system and does a great job with the router security and network security, but this seems overlooked so I just notified them to see what their plan was or their liability if WE get hacked on their server that we're leasing from them.

Likewise, our website on a VPS has FTP open, which I never use (I use SCP) but could be vulnerable so I filed a ticket with the host to close that off.

Thanks!

Hi John, Remember that the vast majority of merchants and service provider can certify against the PCI DSS standards via the Self-Assessment Questionnaires (SAQ), but the bigger challenge is often determining which of the many – and growing – SAQ’s to actually use. SAQ-EP was just added, further creating more complexities in which SAQ to use. Here’s a word of advice – read the brief overview of the SAQ’s which clearly state in the beginning of the text if you are in scope for being able to use the specific questionnaire. Simply keep reading until you find the one that matches your needs. Unfortunately, the PCI Council does not provide much help with this issue, so you’ll need to tackle it on your own. As a PCI-QSA, you can call me directly at 214-298-8532 and I’ll be happy to guide you to the correct SAQ.

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <blockquote cite> <cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h1> <h2 id> <h3 id> <h4 id> <h5 id> <p> <br> <img src alt height width>
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.