Solving PCI Compliance for eCommerce Merchants

Uploaded by pymnts, posted 30-May-2018

    Business White Paper
    http://commercelab.ipcommerce.com

    Solving PCI Compliance for E-Commerce Merchants

    Published September 23, 2009 by IP Commerce

    Introduction

    In 2004, the payment card brands aligned their individual cardholder data protection programs to create the Payment Card Industry Data Security Standard (PCI DSS). This alignment in standards provides an industry-wide framework that forms the basis of each association's individual security programs. The objective of the individual programs is to compel merchants and payment service providers to enact measures that protect cardholder information. The goal of the PCI DSS is to specify the security controls required to protect cardholder data in the transaction-processing environment from end to end.

    PCI DSS compliance can be a complex and lengthy process for the merchant to complete, with no knowledge up front of the total cost it will take to bring a merchant's payment processing in line with the PCI DSS and prevent decertification. While there is general understanding and acceptance of the process among the largest merchants, the smaller merchant is often left without a resource (or plan), or any concept of cost, for achieving and demonstrating compliance.

    Merchant Level Definition

    The merchant level indicates the complexity of PCI DSS compliance. As a card-accepting merchant, it is important to determine (both individually and with the payment service provider) the appropriate merchant level, since that level determines compliance obligations. According to Visa, merchant levels are defined according to acceptance methodology and transaction volume.

    Merchant Level   Description

    Level 1   Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

    Level 2   Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.

    Level 3   Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

    Level 4   Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

    FIGURE 1: Visa Merchant Level Definitions

    Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

    PCI Data Security Standard Overview

    The PCI DSS is a combination of base principles and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. The high-level requirements, as detailed by the PCI Security Standards Council (PCI SSC), are as follows:

    Build and Maintain a Secure Network

    Requirement 1: Install and maintain a firewall configuration to protect cardholder data

    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    Requirement 3: Protect stored cardholder data

    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    Requirement 5: Use and regularly update anti-virus software

    Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    Requirement 7: Restrict access to cardholder data by business need-to-know

    Requirement 8: Assign a unique ID to each person with computer access

    Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    Requirement 10: Track and monitor all access to network resources and cardholder data

    Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy

    Requirement 12: Maintain a policy that addresses information security

    The litmus test for the applicability of PCI DSS guidelines to the merchant business can generally be categorized as storage, processing, and transmittal of the Primary Account Number (PAN). If a combination of these categories and the merchant level defines the scope of compliance, how can a small merchant limit, or remove, these items from its environment while still accepting credit cards as a payment method?

    Source: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

    Hosted Payments Page

    The Hosted Payments Page provides a methodology by which the Level 4 merchant can leverage partnerships to provide the storage, transmittal, and processing of cardholder data. Although this greatly minimizes the scope of PCI compliance, there are still components of the PCI DSS guidelines that must be addressed; in particular, sub-components of Requirement 9 and Requirement 12. Fortunately, in the scenario of a small e-commerce merchant, this compliance validation can be completed through the use of the much simpler and less costly Self-Assessment Questionnaire (SAQ) Validation Type 1.

    A Hosted Payments Page is a PCI compliant service that presents itself in the normal checkout process, calling the merchant shopping cart or website CSS for branding, to present a smooth and familiar payment collection experience to customers. In contrast to other offerings, there are no harsh or delayed transitions to other payment collection pages.

    Shifting card security responsibility to a third-party provider is not a novel idea. In fact, familiar market solutions like PayPal have allowed merchants to leverage outsourced payment and processing services for some time, but not without a cost. These traditional redirect services disrupt the checkout flow and surrender branding control to the outsourced partner, often resulting in confused customers, increased cart abandonment, and fewer items per ticket. A hosted payments page, however, implements a cloning technology that preserves the look and feel of the merchant's website during the redirect process for a seamless end-user experience. Even better, the integration process is impressively simple: deployment and implementation can be completed the same day.


    FIGURE 2: Normal checkout activities occur at the merchant site

    FIGURE 3: Hosted payment page using HTML Clone technology (seamless branding and checkout flow occurs across merchant and secure payment environments)

    Sources:
    http://commercelab.ipcommerce.com/Integration/Integration_Tools/Hosted_Payment_Page.aspx
    https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

    Deployment and Implementation

    FIGURE 4: CHPP secure punch through adds secure payment processing

    1. A customer begins to create their order on your site as normal.

    2. They proceed to checkout, where the CHPP module is installed; they check out in a normal fashion via the secure CHPP-powered payment method and choose Checkout.

    3. CHPP servers receive the order and payment request. In a patent-pending process called HTML Clone technology, we retrieve a template file from your site in real time, scrub it for any malicious code, then combine it with our securely stored credit card collection form.

    4. CHPP presents to your customer a secure hosted payment page that looks just like your site. With HTML Clone, the customer still has access to all links and live navigation of the merchant's site, because our patent-pending technology dynamically matches the merchant's unique template design.

    5. The cardholder data and payment transaction are processed in our PCI compliant data center, which connects directly with the payment gateway and banking payment networks.

    6. Once the payment transaction is complete, the customer is connected directly back to your shopping cart application, where the order status is updated.

    The implementation of the workflow shown above involves leveraging a secure form post to pass a series of required fields to the Hosted Payments Page servers. The transaction itself, including the collection and routing of all sensitive data, is then managed by servers hosted in a PCI compliant data center. Upon successful completion of the transaction, a response is returned as key/value pairs in an HTTP POST (postback) to the supplied return URL. An example of a successful transaction (where return.aspx is the return URL):

    https://mydomain.com/return.aspx?order_id=6&code=000&msg=Success&error=&mPAN=XXXXXXXXXXXX1234&name=Joe%20Shopper&type=Visa&exp=1012&transID=&osCsid=ddc2e76644e8dde7308d42606f7f7e74
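As an added example (not IP Commerce code), here is a merchant-side handler for the postback above, written in Python: it parses the key/value pairs, refuses any postback that carries an unmasked PAN (so the shopping cart never stores cardholder data and stays out of scope), checks that mPAN is masked, and only then treats the order as paid. The field names and the success code 000 come from the sample postback; the masking rule (only the last four digits in the clear) and the Luhn screen for PAN-length digit runs are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the successful-transaction postback quoted in the paper.
SAMPLE_POSTBACK = (
    "https://mydomain.com/return.aspx?order_id=6&code=000&msg=Success&error="
    "&mPAN=XXXXXXXXXXXX1234&name=Joe%20Shopper&type=Visa&exp=1012&transID="
    "&osCsid=ddc2e76644e8dde7308d42606f7f7e74"
)

REQUIRED = ("order_id", "code", "msg", "mPAN", "type", "exp")
MASKED_PAN = re.compile(r"X{9,15}\d{4}")  # assumption: only the last 4 digits in clear
DIGIT_RUN = re.compile(r"\d{13,19}")      # PAN-length digit runs anywhere in a value

def luhn_ok(digits):
    """Luhn check: a PAN-length digit run that passes is treated as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_postback(url):
    """Split the return-URL query into a flat dict (first value per key)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}

def validate_postback(fields):
    """Return (ok, reason); refuse anything that would pull the cart into PCI scope."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    # A full PAN must never reach the merchant side: reject the whole postback
    # instead of persisting it, so the shopping cart stays out of storage scope.
    for key, value in fields.items():
        if any(luhn_ok(run) for run in DIGIT_RUN.findall(value)):
            return False, "unmasked PAN-like value in field " + key
    if not MASKED_PAN.fullmatch(fields["mPAN"]):
        return False, "mPAN is not masked to the last four digits"
    if not fields["order_id"].isdigit() or not re.fullmatch(r"\d{4}", fields["exp"]):
        return False, "malformed order_id or exp"
    if fields["code"] != "000":
        return False, "payment not approved: " + (fields.get("error") or fields["msg"])
    return True, "order %s paid via %s ending %s" % (
        fields["order_id"], fields["type"], fields["mPAN"][-4:])
```

For a form-encoded POST body rather than a return-URL query, pass the body string to parse_qs directly; the validation is the same.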

    As referenced earlier, the majority of PCI compliance requirements are addressed, as the merchant e-commerce shopping cart is not collecting, transmitting or storing cardholder data. This punch through of security to the shopping cart, powered by a Hosted Payment Page, greatly reduces compliance scope without sacrificing branding and customer experience.

    Leveraging a PCI certified Commerce Hosted Payment Page can give many e-commerce merchants a sense of relief that the handling of cardholder data is secure and that the majority of what was once their PCI compliance obligation is being handled by a known certified service, at a highly reduced cost compared to go-it-alone security compliance or, worse yet, the unbearable fines of a data breach.

    Visit CommerceLab to learn how setting up a Commerce Hosted Payment Page in a day can get you on the path to PCI Compliance.
