Islands

a blog from Shelter Cove Publishing

Mal's E-Commerce and Shopping Cart Security
Written by Mim McConnell
Friday, 15 August 2008 21:30

I have recently been made aware of an issue concerning the storage of credit card numbers that may affect your ability to continue using the Mal’s E-Commerce Shopping Cart. One of my clients had his banker request that he no longer use Mal’s because it is not PCI compliant. “What’s that?” you ask. Let me try to explain.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS), which was introduced in 2005 and updated in 2006 by industry heavyweights such as American Express, Discover, MasterCard, and Visa, calls for retailers of all sizes to ensure their transaction and data storage systems are secure. If they fail to comply and customer information is compromised, retailers face fines from the credit card companies, and may also be liable to banks and other financial institutions for customer notification and card reissuing costs. (http://www.microsoft.com/midsizebusiness/industries/payment-card-industry.mspx)

FYI, the banks can be fined up to $500,000.

Merchant Compliance

There are four levels of “merchants,” or retailers. I’m guessing that the majority of my clients are Level 4, which is the following:

Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. (http://usa.visa.com/merchants/risk_management/cisp_merchants.html)

If you are Level 4, you would probably need to do the following:

    • Annual PCI Self-Assessment Questionnaire Validated by Merchant
    • Quarterly Network Scan (if applicable) provided by an Approved Scanning Vendor [such as ScanAlert – see below]

Validation requirements and dates are determined by the merchant's acquirer. The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Merchant/Banker Relationship

If you have a merchant account with a bank to accept credit cards, your shopping cart is probably set up so that Mal’s stores the credit card numbers until you delete that customer’s transaction. If you have this merchant account, your banker is going to be checking your website to make sure you are using a certified payment gateway or that your website passes the PCI Self-Assessment Questionnaire (SAQ) (http://www.pcisecuritystandards.org/saq/instructions.shtml). A timeline has been established for accomplishing this. The following quote is from the VISA website, http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html:

Beginning January 1, 2008, Visa has implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers [I think this means the banks] to ensure that their merchants and agents [I think this means your business] do not use payment applications known to retain sensitive cardholder data elements (i.e., full magnetic stripe data, CVV, CVV2 or PIN data) and require the use of payment applications that adhere to the PABP [Payment Application Best Practices].

Outlined below are each of the five mandates, which will take effect over the next three years. …

The last Effective Date says this:

Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications*** (effective date: 7/1/10)

Mal’s E-Commerce and You

So let’s get back to Mal’s. This is what he has to say about his security:

At Mal's e-commerce your customers' payment information is encrypted and then saved to the database. You can download this information only by using an SSL enabled browser from within the Admin area.

Once you have downloaded the payment information we would prefer it if you deleted the record from the server. (http://www.mals-e.com/security.php)

But customer payment information is only stored on Mal’s server if you are not using a payment gateway, such as PayPal. If your cart is set up so that the customer goes directly to PayPal to pay, you shouldn’t have to be concerned about using Mal’s, because the credit card numbers are entered on PayPal’s site, not on Mal’s.

In the Security section of his website he states:

We've setup a special deal with ScanAlert so that users can obtain full PCI compliance for their store if they need to. (http://www.mals-e.com/pci.php)

McAfee’s ScanAlert

ScanAlert is a McAfee program. It looks like you get the first year free; after that it's $319/yr, but the scuttlebutt on one forum is that they'll work with you on the price. In other words, ScanAlert is the Approved Scanning Vendor that runs the quarterly scans and walks you through the annual self-assessment questionnaire, which is how your website gets validated as PCI compliant.

McAfee's full-service PCI certification program starts at just $319 per year. Working directly with Visa and MasterCard, McAfee has developed a unique, accurate and easy-to-use online "PCI Wizard" making PCI compliance more affordable and more reliable for merchants of all sizes. This service is only available through McAfee and includes expert step-by-step guidance allowing you to quickly meet all PCI requirements, including the annual PCI self-assessment questionnaire and unlimited security scans. Our full-service program starts with 4 IP addresses. Additional IP address plans are available. Full telephone technical support is included, along with the ability to file your compliance reports directly to your bank.

Our user-friendly web-based PCI Wizard allows you to quickly complete all requirements with confidence. The program provides step-by-step guidance, real time analysis of your compliance status and alerts when requirements are due. You will also receive unlimited online and telephone support from our staff of certified security professionals. (http://www.mcafeesecure.com/us/pci-intro.jsp)

Summary

The credit card industry has created uniform standards that will eventually affect all online retailers, whether you, or your shopping cart, become PCI compliant or not. After reading about this issue, I have determined that you can safely continue to use Mal’s if you are using PayPal, which some of you are. If you take the client’s credit card number off of Mal’s and process it yourself through your merchant account, you will eventually have to either stop using Mal’s and set up a shopping cart that uses a bank-approved payment gateway, such as Authorize.net, or have your website become PCI compliant through a program such as ScanAlert.

I have tried to explain this complicated issue to you as best I can. Please follow the links I’ve given you to educate yourself further. I will be reviewing everyone’s shopping carts to determine their status and will not make changes until I contact you. In the meantime, if you need to chat with me about this, please don’t hesitate to call me at 747-2860 or 738-2888.

Last Updated (Tuesday, 19 August 2008 01:12)