eCommerce Summit Atlanta Mountain Media

Post on 23-Jan-2015






From the eCommerce Summit in Atlanta, June 3-4, 2009, where Mountain Media explains the topic of PCI Compliance for online merchants. Visit to find out more.


1. PCI Compliance and the Online Merchant

2. PCI Compliance Explained

Melanie Beam, Director, Business Development

3. What does PCI DSS mean?

  • PCI DSS = Payment Card Industry Data Security Standard
  • The standards were developed by the founding brands of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard and Visa) to assist in the broad adoption of consistent data security measures globally.
  • It's the set of security rules the card companies agreed upon after years of separate standards.

4. This is new, right?

  • The PCI DSS was introduced in 2004.
  • The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.

5. Do I have to be PCI Compliant?

  • PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
  • If customers pay you with credit or debit cards, then you need to be compliant at some level.
  • Acquirers (merchant account providers) are responsible for enforcing merchant compliance with the PCI requirements. If you have not yet, you will probably receive a letter from your merchant account provider detailing what merchant level you are currently at (with some exceptions, e.g. PayPal).

6. PCI DSS Principles and Requirements

Each principle has its associated requirements:

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

7. What are the merchant levels?

These are based on your annual transaction volumes. Most ecommerce merchants fall into Level 3 or 4.

  • Level 1: Any merchant -- regardless of acceptance channel -- processing over 6M card transactions per year, and any merchant that the card companies determine should meet the Level 1 merchant requirements to minimize risk.
  • Level 2: Any merchant -- regardless of acceptance channel -- processing 1M to 6M card transactions per year.
  • Level 3: Any merchant processing 20,000 to 1M ecommerce credit card transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 ecommerce card transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M transactions per year.

8. How do I become compliant?

  • Every merchant is required to complete a Self Assessment Questionnaire (SAQ) to become certified as PCI compliant.
  • There are five SAQ validation types that determine which of the four SAQs to complete.

9. Self Assessment Questionnaire Validation

Type 1 (The Easiest)
  • Cardholder data: All cardholder data functions are performed by a PCI compliant third party. No cardholder data can be stored or transmitted.
  • Example: The purchaser must be redirected to the service provider's website to complete the purchase. Using PayPal Payments Standard is an example.
  • Hosting environment: Does not require PCI compliant web hosting, but it may be necessary in order to complete the SAQ-A.
  • Validation: Not required to perform a quarterly vulnerability scan, but recommended.

Type 4 (Most Merchants)
  • Cardholder data: Ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing. No cardholder data can be stored.
  • Example: Credit card payments are made at the merchant's website. Using a shopping cart solution with is an example.
  • Hosting environment: Requires that the operating service providers are PCI DSS certified. This includes the web hosting provider and data center.
  • Validation: Must comply with SAQ-C. Not required to perform quarterly scans, but recommended.

Type 5 (The Hardest)
  • Cardholder data: Cardholder data can be stored for later use. Allows the customers to save cards for later purchases.
  • Hosting environment: A managed PCI compliant product like Rackspace PCI hosting and a PCI compliant ecommerce application.
  • Validation: Must comply with the requirements in SAQ-D, and may require a Report on Compliance from a Qualified Security Assessor. These are the same requirements that are required of PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers. Cost to comply is well over $50,000 and requires written policies and procedures.

10. Now that you know, what do you do?

  • Fill out the SAQ that applies to your business.
  • If required (recommended for merchants at every level), sign up for quarterly external scans with an approved scanning vendor.
  • Both the SAQs and approved vendors can be found at
  • Understand that no single product or service will make you compliant; you have work to do too!
  • Be informed! Check your providers: hosting, ecommerce, and payment gateway.
  • Ask for a copy of their ROC or CORA, or check them against the CISP and PCI lists.
  • Being "within the standards of PCI" does not mean compliant.

11. The Time Is Now

  • PCI Compliance applies to you, right now.
  • Waiting until your bank asks you to prove compliance can prove very costly.
  • Look for help from compliant vendors, but make sure you use several solutions. There's no silver bullet!
  • PCI Compliance seems difficult, but it requires good, sound security policies and should be part of your business plan.

12. Mountain Media's Ecommerce Platform and Data Center are PCI Level 1 Compliant

  • Mountain Media is one of only a handful of ecommerce companies to achieve the highest level of PCI DSS certification.
  • All technicians that manage systems must have background checks before starting employment, as well as adhere to a host of HR procedures.
  • Physical access to the data center must have robust authentication systems in place.
  • Video surveillance of data center access points with 3-month storage.
  • Firewall systems with stringent rule sets.
  • Intrusion detection systems.
  • Host intrusion detection systems.
  • Data servers must be on a private network (behind a second firewall with strict access rules).
  • Server maintenance and upgrades must follow strict procedures and policies.

Please contact us for comprehensive PCI Compliant eCommerce at 877-583-0300 or

13. PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS: ACCOUNT DATA COMPROMISE STATISTICS

John Jacobs, Moneris Solutions, Merchant Acquirer

Source: October 2008. Statistics based on data gathered from 443 account data compromise cases investigated since 2001.

14. ACCOUNT DATA COMPROMISE STATISTICS

  • Cases segmented by Payment Card Acceptance Channel
  • The majority of account compromises in North America occur at brick & mortar merchants.
  • Brick & mortar merchants are most commonly attacked in North America because, unlike EMEA merchants, they are using outdated payment applications and process their transactions over the Internet.


  • Cases Segmented by System Type
  • The majority of account compromise cases involve PC-based POS software applications or e-commerce shopping carts.
  • Hardware-based POS terminals remain the most secure way to process transactions.


  • Cases Segmented by Responsibility for Payment System Administration
  • In North America the majority of the account compromises occur in environments where merchants utilize third-party payment applications and rely on third parties for support.
  • The result is outdated systems that are not configured and secured correctly.


  • In 2008 a notable new compromise trend surfaced in the industry: data in transit.
  • In the past, attackers were looking for stored cardholder data.
  • Many merchants were, and still are, storing full magnetic stripe data.
  • Through the card brands' efforts to eliminate storage of prohibited data, fewer and fewer merchants are storing full magnetic stripe data.
  • Due to this, the attack vectors have evolved: attackers are not only looking for stored data but are also looking to capture data in transit.
  • Though many merchants may not be storing data, many have insecure networks which allow an attacker to gain unauthorized access to systems and start captu