on-line payments and pci dss compliance
DESCRIPTION
High level overview of how on-line payments work and the compliance you need to be aware of. Presented at WordPress Sydney meetup July 2013.
TRANSCRIPT
![Page 1: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/1.jpg)
![Page 2: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/2.jpg)
The usual model
(Gateway)
![Page 3: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/3.jpg)
A merchant account sits in the middle between you and the bank
• PayPal, Google Wallet, WorldPay, Realex, NAB
• Annual/monthly fee
• Transaction fee: % + fixed amount per transaction
• Multiple currencies?
– May require multiple merchant accounts
– Higher exchange rate (interbank rate + extra %)
![Page 4: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/4.jpg)
Connects your site to the merchant account
– Collects personal information: name, address etc.
– Collects payment card information
– Validates input (hopefully)
– Passes information to merchant account
– Waits for a response from merchant
– Acts on the response: success/fail/badger???
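The gateway steps above (collect, validate, pass on, act on the response), as an added Python example that is not from the slides: it validates the card input, keeps only a masked PAN for anything that is stored or logged, and treats an unrecognised reply from the merchant account as needing review rather than as success. The response dictionary shape and the helper names are assumptions.

```python
"""Added example (not from the deck): gateway-side handling of card input
written so that full card data never reaches storage or logs."""
from datetime import date
import re


def luhn_ok(pan: str) -> bool:
    """Mod-10 check on a primary account number (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_card(pan: str, exp_month: int, exp_year: int, cvv: str, today: date) -> list:
    """Return the list of failed fields; an empty list means the input is acceptable."""
    pan = re.sub(r"[\s-]", "", pan)
    errors = []
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        errors.append("pan")
    # a card is valid through the end of its expiry month
    if not 1 <= exp_month <= 12 or (exp_year, exp_month) < (today.year, today.month):
        errors.append("expiry")
    # the CVV is only ever passed on, never stored (assumed 3 or 4 digits)
    if not re.fullmatch(r"\d{3,4}", cvv):
        errors.append("cvv")
    return errors


def mask_pan(pan: str) -> str:
    """Keep only the last four digits: the only form of the PAN to store or log."""
    pan = re.sub(r"[\s-]", "", pan)
    return "*" * (len(pan) - 4) + pan[-4:]


def act_on_response(response: dict, expected_cents: int) -> str:
    """Map the merchant account's reply (assumed format) to an outcome.
    Only an approval for the expected amount is success; anything the code
    does not recognise (the slide's 'badger???') goes to manual review."""
    status = response.get("status")
    if status == "approved" and response.get("amount_cents") == expected_cents:
        return "success"
    if status in ("declined", "error"):
        return "fail"
    return "review"
```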
![Page 5: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/5.jpg)
High level – collect, validate and process user & payment information
Type 1 = Merchant collects transaction info – This is done on the merchant's own site
– Usually cheaper merchant account
– PCI compliance is *mostly* the merchant's responsibility
Type 2 = You collect transaction info – This is done on your own site
– Usually more expensive merchant account
– PCI compliance is your own responsibility
![Page 6: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/6.jpg)
Payment Card Industry Data Security Standard “a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.”
Who does this apply to? “PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data*. ” *not just card data
Ref: http://www.pcicomplianceguide.org/
Ref: http://www.cio.com.au/article/400300/what_pci_compliance_/
![Page 7: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/7.jpg)
Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://
Even if I have a fancy shmancy 1024-bit military grade SSL certificate?
![Page 8: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/8.jpg)
Are you PCI compliant if you just have an SSL certificate installed? i.e. HTTPS://
HELL NO! Not even close!
PCI compliance is a lot more than just an SSL cert.
![Page 9: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/9.jpg)
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters. Always change vendor-supplied defaults before installing a system on your network
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols
• Use and regularly update antivirus software. Make sure that your antivirus software remains current and actively running
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business employees on a need-to-know basis only
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security
Ref: http://www.cio.com.au/article/400303/pci_compliance_checklist/
Ref: http://www.cio.com.au/article/400306/pci_compliance_requirements_aussie_businesses/
![Page 10: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/10.jpg)
Stripe – US & UK/Europe
– “Payments for Developers”
– No need for merchant or gateway
– API access for payment transactions
– 2.9% + 30¢ - no monthly fees
– https://stripe.com/
![Page 11: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/11.jpg)
Pin Payments – Australia
– No need for merchant or gateway
– API access for payment transactions
– 3% + 30c + $50/month
– Flat exchange rate of 4% + interbank rate
– https://pin.net.au/
![Page 12: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/12.jpg)
Both Stripe and Pin mean YOU need to be PCI compliant.
You are storing/transmitting/processing cardholder data.
![Page 13: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/13.jpg)
http://www.examiner.com/images/blog/wysiwyg/image/bankteller.gif (1)
http://blaze1.findmyhosting.com/display/img/elements/ecommerce-diagram.jpg (2)
http://stripe.com/ (9)
http://pin.net.au/ (10)
![Page 14: On-line Payments and PCI DSS Compliance](https://reader034.vdocuments.site/reader034/viewer/2022052505/5556d692d8b42ad94d8b56fc/html5/thumbnails/14.jpg)