What do I need to do to be compliant and where do I begin?
The first thing a merchant needs to do is fully understand how card payments are processed in the organisation. In particular, if your e-commerce environment captures, stores, processes or transmits card data, think very carefully about whether this is really necessary.
The most secure approach to processing e-commerce transactions is to outsource the handling of card data to a Payment Service Provider. When card data is outsourced it is totally segregated from your environment, so the capturing, processing, storage and transmission of card data are removed from your e-commerce environment entirely. This is commonly known as a ‘fully hosted solution’.
If you are using a fully hosted solution:
- Document the payment transaction journey, illustrating all systems, applications and environments that card data touches.
- List the various service providers who provide the hosting environment, shopping cart, and payment application.
- Verify that you are not unknowingly storing or transmitting any card data, which would make you non-compliant. Various products on the market can help you validate this. A simple penetration test (Requirement 11.3) will help provide evidence that card data does not touch your environment while a payment is being processed.
- Conduct regular checks of your website to ensure that no new or unknown web pages or files have been added.
- Regularly check the IP address that redirects customers to the third-party hosted payment page, to ensure it has not been changed to redirect card data to another site before the data reaches the hosted payment page.
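The last two checks above can be scripted. The following is an added example (not from this page or any PCI SSC material) that records a SHA-256 manifest of the web root and reports files that appear or change, and that validates the checkout redirect's Location header against an allow-list of payment hosts; the allow-list entry and the sample web root are constructed placeholders.

```python
"""Routine checks for a 'fully hosted' checkout (added example): flag files
that appeared or changed under the web root, and confirm the redirect to the
hosted payment page still goes to the expected host over HTTPS."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: hosts your checkout may hand customers off to (placeholder name).
ALLOWED_PAYMENT_HOSTS = {"pay.example-psp.invalid"}

def build_manifest(web_root):
    """Map every file under web_root (relative POSIX path) to its SHA-256."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def diff_manifests(baseline, current):
    """Files added, removed, or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
    }

def redirect_is_expected(location, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """True only if a Location header is HTTPS and its host is on the allow-list.
    urlsplit().hostname ignores userinfo, so 'https://good@evil/' is rejected."""
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname in allowed_hosts

def sample_drift_report():
    """Constructed web root: record a baseline, then simulate a dropped file
    and an edited page, and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>shop</html>")
        baseline = build_manifest(root)
        (root / "checkout.js").write_text("// not deployed by us")
        (root / "index.html").write_text("<html>shop (edited)</html>")
        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(sample_drift_report())
    print(redirect_is_expected("https://pay.example-psp.invalid/session/1"))
```

In practice the baseline manifest is taken from a known-good deployment and stored off the web server, and the redirect check is run against the live checkout response on a schedule.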
When you use a web hosting provider or a third-party payment provider that stores, processes and/or transmits cardholder data, that provider is classed as a third-party service provider and particular rules apply:
- The contract must require the supplier to handle card data securely, maintain ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS), and evidence that compliance to the merchant on an annual basis.
- The third-party service provider must be using a PA-DSS certified payment application.
- The third-party service provider must be registered as a third-party service provider on the PCI SSC website or the Visa Europe website.
- The contract should clearly identify roles and responsibilities for how cardholder data should be protected.