In the world we live in today, having a website and server that's secure is necessary. If you're running a website that has e-commerce, then you're going to need to provide proof that the servers you are using are updated and secure. This is where PCI Compliance comes in. It's all done to protect the end customer and their card data / privacy (think identity theft and fraud).
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually - by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
Your merchant services company (credit card provider) will often charge you higher fees if you can prove PCI Compliance. To prove you are PCI Compliant, you'll need to hire a third party company or they might do it for you. One common provider is Trustwave. They will scan the server that you are on and provide you with a report. That report, if you pass, will be what you can provide to your merchant services company to reduce your processing fees.
If they say you're not compliant, you might actually be compliant - we'll explain that in a minute. Sometimes you have to jump through a few hoops to show that the web server you're using is compliant. If you do not provide the information that the PCI Compliance agency wants, then you will continue to fail the scan. It can sometimes be a bit of work and some back and forth but it has to be done.
If you have passed PCI Compliance in the last 90 days and receive a scan that says the scan failed, then you're still compliant. Once you get a passing scan, it's good for 90 days. There is no need to prove that you are compliant if you have had a passing scan in the last 90 days. Just ignore it, you're fine.
Our servers are always up to date because of something called back porting. Back porting is much like getting automatic updates to your own computer. This process happens on our servers in the background and is automatic. They are constantly checking for updates and applying them. The trick with those updates is making sure that an update to one thing doesn't break something else but we have a support team for that.
One problem with back porting software and PCI Compliance is that a piece of software (like the FTP service, for example) can be up to date but the "banner" or version that's being shown to the world might look out of date. This is the usual cause for a scan failure and why you may actually be up to date while a scan shows that you're not compliant. In this case, all that's needed is to show the PCI auditor that the software is indeed up to date / provide proof.
What software your web server is running is only a portion of PCI Compliance. Other parts include your own computers and network. You will be required to do an in-house type of evaluation as well. Things like using a wireless network to login and check on credit card purchases might cause you to fail PCI Compliance. What you do with cardholder data on your end is a factor and is included in the full realm of PCI Compliance.
Here's a sample of what that questionnaire might look like - it takes about 10 minutes to complete:
This is the easy one. You may be required to do a lot more in certain situations.
If you enter credit cards in at your business location, you will have a lot more work to do. You will need a complete scan done on your network. This includes you entering credit card information for your customers on your website at your location. Even though you're using your website and not a credit card terminal, because it's at your location, you will need this extra scan done and there is a cost ($250 or so - maybe more the first time). If you don't want to pay this and deal with it, then we suggest you have your customers enter their own credit card information on your websute using their computers.
You have two options. If you want to be the middleman, then we'll complete the server side of PCI Compliance for you for no charge if you host with us. If you want us to deal with your PCI Complaince company, then this is a service we charge for. Here are more details:
- If you, as a Webstix hosting client, can provide us the PDF file of the scan that has failed, we will get you the proof you need. You can then send this evidence back to them - the PCI Compliance auditor that you have hired. Sometimes there's a little back and forth. You will need to be involved. We will just help you with our side of things (not the in-house evaluation that you do). This is done at no charge if you provide us with the PDF file of the full scan.
- If you host with us and do not want to handle all the back and forth, then you can hire us to do that for you. You will provide us with the login for your account with the PCI Compliance vendor that you have hired. We'll charge for all our time used to prove to your vendor that the web server you use is PCI Compliant. We can charge you hourly or you can use our convenient Maintenance Blocks system, which saves you some money by pre-paying for the work. You can expect to typically have us do 1-3 hours of work (2-6 Maintenance Blocks). It'll depend on what needs to be done, who your vendor is and how picky they are. We've seen some take 1 hour and some take 3 hours or more.
- If you do not host with us and you want us to handle dealing with your website host and PCI Compliance company, then the charges double. This would cost between 8-12 Maintenance Blocks and is based on availability.
If you're a Webstix hosting client, then do what we say above and get us the PDF report. We'll send you the necessary proof to present.
If you are not a Webstix hosting client, then you'll need to work with your web host or we can help at a much higher cost.
Here is the process that you typically go through:
This isn't really a fun process. You're seeing technical things go by that you probably don't understand. Just do exactly what you're told (do it carefully) and things should work out fine. If all else fails or if your website hosting company isn't responsive, then maybe it's time to choose another website host that will work with you to make sure you are PCI compliant.