PCI DSS compliance for ecommerce


As a follow up from a question at the May 26 meeting, I looked into what it takes to become PCI DSS compliant.
I thought I'd share what I learned. (PCI DSS = Payment Card Industry Data Security Standard)

Summary:
I don't think Ubercart needs to be PCI DSS compliant. However, if you use a partner like Authorize.NET to process the card, you can be considered PCI DSS compliant if you perform and attest to a self assessment.

More info below:

It is very common to develop a site that needs to accept credit cards; seamlessly use a partner to securely collect the card data and process the transaction; then return the results and control back to the original site for logging and record keeping.

Authorize.NET is frequently recommended as the partner to use for internet payments.

Good News!

By designing your e-commerce site in this manner, PCI compliance is reduced to a Type A SAQ
(Self Assessment Questionnaire) for merchants processing less than 6,000,000 annual
transactions. The current version of the Type A SAQ can be obtained at:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml. To achieve compliance when
all cardholder information is handled by a partner, you only need to address two of the
twelve sections of the complete PCI-DSS (Payment Card Industry – Data Security Standard) and
only a subset of the controls in each of those sections. The two sections are (9) Restrict
physical access to cardholder data and (12) Maintain a policy that addresses information
security.

The section 9 requirements are designed to protect any cardholder information stored at your
office locations. If possible configure the relationship with your payment partner so that it is
impossible for you or your employees to obtain complete cardholder information. When
logging into the partner portal you should see at most the last 4 digits of a card number.

The section 12 requirements are designed to ensure you’re working with PCI compliant
partners to handle the cardholder information for you and that you have a process in place to
ensure those partners remain compliant. VISA publishes a list of compliant service providers
on a monthly basis at:
http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
Authorize.NET is on this list.

(BTW, PDG Software — www.pdgsoft.com — is one of a very few validated shopping carts and storefront payment systems that integrate with your existing software systems and infrastructure, e.g. accounting software, POS systems, order managers, etc.)

Steve...

Comments

Thank you!


This issue is much discussed and little understood. Thanks for shining some light on it.

This is also being discussed


This is also being discussed at http://groups.drupal.org/node/68888

video about basic PCI compliance info


Authorize.net has a video that helps explain the basics. http://www.authorize.net/videos/?id=22

Chris Charlton, Author & Drupal Community Leader, Enterprise Level Consultant

I teach you how to build Drupal Themes http://tinyurl.com/theme-drupal and provide add-on software at http://xtnd.us