What is PCI compliance and why should I care?

If you are selling online, you should be concerned with PCI compliance. The five major credit card brands got together to create the Payment Card Industry Data Security Standard (PCI DSS) back in 2006. This security standard applies to all merchants and financial providers (banks), and is designed to provide robust protection for cardholder data.

PCI compliance means demonstrating that you meet the currently in-force standards for maintaining cardholder data security. All merchants that accept Visa, MasterCard, American Express, Discover and JCB credit or debit cards for ecommerce transactions must be PCI compliant.

Universal Standard

PCI standards apply to everyone involved in the cardholder data chain of custody, and specifically apply to merchants of all sizes. Your merchant account agreement requires you to participate in the PCI standards program. Furthermore, banks can be fined for merchant noncompliance, and banks are known to pass those fines on to the merchant or even terminate the relationship with repeat offenders. PCI compliance standards also apply to merchants who only accept orders over the phone.

Merchant Levels

The specific PCI compliance requirements vary based on your merchant level, which is established by your provider. For Visa, for example, a merchant processing fewer than 20,000 Visa e-commerce transactions per year is classified as merchant level 4; between 20,000 and 1 million Visa e-commerce transactions per year is merchant level 3; between 1 million and 6 million Visa transactions per year is merchant level 2; and more than 6 million transactions per year is merchant level 1.

Is Drupal PCI Compliant?

The short answer to this question is that nothing is PCI compliant out of the box. While Drupal Commerce and Ubercart have many safeguards against malicious attacks, there are many elements that need to be addressed in implementation and hosting to assure full compliance. Here is a good article on the subject: http://soundpostmedia.com/article/lets-talk-about-pci-compliance-ubercart-and-drupal-commerce/

Merchant Self-Assessment

Fortunately, PCI compliance is usually pretty straightforward, assuming you apply up-to-date IT security best practices in your networks. All you have to do is complete the merchant self-assessment questionnaire (SAQ), then take and pass a vulnerability scan from a PCI SSC Approved Scanning Vendor (ASV).

If you pass the scan, you simply complete the attestation of compliance in the self-assessment questionnaire and submit the SAQ along with documentation of the passing vulnerability scan. If you fail the scan, you must take whatever steps are required to remedy the deficiencies, then rescan until you pass.

Network Vulnerability Scans

Network vulnerability scans must be performed quarterly to maintain PCI compliance. The scan remotely reviews networks and web applications based on the external IP addresses provided by the merchant or service provider. The scan is designed to identify vulnerabilities in operating systems, services or devices that could be used by malicious parties to gain access to the merchant’s network. Approved Scanning Vendors, who must be recertified every year, provide easy-to-use scanning tools such as ControlScan that do not require the merchant or service provider to install any software.

PCI Compliance Guide’s PCI Frequently Asked Questions and Myths is a great resource that provides detailed information on PCI compliance, what it means to you and how to become compliant.