Insights

A Look at PCI Compliance & Self-Assessment

With Contributor Nathanael Tombs; edited by Kaitlin Kamp

From Macy’s to Target, even the biggest retailers aren’t immune to data breaches. The result is lost revenue, furious customers, poor publicity, and a nightmare of technical updates. The current frequency of data breaches has forced ecommerce merchants to constantly look for new security solutions, not all of which are successful. Thankfully, new industry standards have paved the way for implementable solutions that can minimize the risk of a data breach.

Defining the Challenge

Forty percent of organizations have experienced a data breach resulting in the loss or theft of more than 1,000 records in the past two years. These numbers are critical for e-commerce merchants, who are prime targets for cyber-attacks due to their processing of valuable credit card data. A credit card breach has wide ranging implications, which can not only increase a company’s immediate costs, but also meaningfully impact their brand reputation. A merchant’s average cost, per-record lost, was $149 in 2017.

The Challenges of Achieving Cyber Resilience

Merchants can put a number of measures in place to lower the impact of a breach, thereby minimizing the per-record cost of a breach. However, tracking, understanding and implementing these ever evolving measures can be costly and time consuming for merchants. That’s why industry standards have been implemented, in order to provide a security framework for merchants.

Industry Standards

 

Introduction to the Payment Card Industry’s Data Security Standard

The Payment Card Industry’s Security Standards Council (PCI-SSC) represents major credit card brands including Visa, Mastercard and American Express. It’s Data Security Standard (PCI-DSS) encourages merchants to adopt consistent data security measures globally and provides a baseline of requirements designed to help merchants protect their account data.

Overview of the Self Assessment Questionnaire

The Self Assessment Questionnaires (SAQ) are published by the PCI and intended for merchants or service providers, which are not required to submit a formal report on compliance. These self-validation tools consist of a series of yes-or-no PCI-DSS compliance questions and informally assess security protocols. There are several SAQs for the different ways a merchant can accept and process payment cards.

The Use of Payment Gateways

Gorilla Group recommends implementing a fully outsourced payment page to limit attack exposure and lower potential risk, while allowing merchants to send payment to third parties. This can exist as a URL redirection to the third-party service provider’s payment page, or as an inline iFrame, which displays the service provider’s payment form embedded in the merchant’s checkout page.

This limits the PCI scope of the merchant’s website to SAQ-A EP[1], in contrast to the more extensive SAQ-D[2]. To be considered in this certification the ecommerce website must adhere to the following guidelines:

▪ Your company accepts only e-commerce transactions
▪ All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor
▪ Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor
▪ If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including PCI DSS Appendix A if the provider is a shared hosting provider)
▪ Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s)
▪ Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions
▪ Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant
▪ Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically

Payment solutions that either redirect to a hosted payment page (like Paypal Express), or that use IFRAMES for the payment section (such as Braintree, Authorize.net Accept.js) will aid in this endeavour.

Sources

[1] SAQ-A EP self assessment questionnaire: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-SAQ-A_EP.pdf?agreement=true&time=1536603261153
[2] SAQ-D self assessment questionnaire:
https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-SAQ-D_Merchant.pdf?agreement=true&time=1536603261195  
[3] SAQ guidelines:
https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2_1.pdf?agreement=true&time=1536603261132  
[4] The Third Annual Study on the Cyber Resilient Organization. IBM / Ponemon Institute. March 2018.
https://www.ibm.com/account/reg/us-en/signup?formid=urx-32352 
[5] 2017 Cost of Data Breach Study. IBM / Ponemon Institute. June 2017.
https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states