How PCI Compliance Can Impact Your Web Design Company
In the course of the last four days, I’ve spent nearly 30 hours reading and reviewing blogs, articles, news items, videos and webinars in regards to PCI Compliance. I’m utterly shocked at the lack of knowledge and clear lack of concern most web design and development shops have for these important standards. While the large development teams handling large merchants are exposed to the PCI-DSS procedure, smaller teams and one-man shops are alarmingly unaware of what PCI compliance means to them and their business. There are still small shops and one-man web design businesses that are designing and building ecommerce sites on insecure, non-compliant foundations. They are building them using non-compliant open source and commercial versions of ecommerce shopping carts. I’ve even talked to some larger teams working on mid-sized client websites who are actually ignoring PCI-DSS as something that will not affect their business or their clients’ businesses. Unfortunately, there are consequences to both the merchant and to the web design company.
What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standards which is managed under the PCI-SSC or Payment Card Industry Security Standards Council. The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The main driver behind its inception and the resulting PCI-DSS was the increasing financial losses due to credit card fraud resulting from security breaches.
PCI DSS is a series of standards under 6 group areas with 12 sub areas and many sub requirements under those areas. It covers what is required to maintain a secure cardholder data environment. The security standards range from network security, software and database security standards to physical location policies and procedures. Web applications represent only a portion of the requirements to be PCI DSS compliant. You can review the full set of standards at http://www.pcisecuritystandards.org
While it may seem as though large companies are the target, they aren’t the only target. They are just the most visible. National news outlets do not focus on small businesses. Small businesses are often the hardest hit by fines levied by their associated merchant account banks when a security breach is found and cardholder data is lost. Not only are they fined, they have to pay forensic investigation costs and may additionally be sued for the cost of reissuing credit cards to consumers by banks who originally issued compromised credit cards.
Furthermore, experts say hackers are attacking small commercial websites more rapidly. Criminals are able to access a website’s transaction process and credit card handling to steal credit card numbers. While small businesses have fewer transactions and therefore fewer victims, they are an easier target due to more frequent software and network architecture flaws. In many instances flawed software can be found through search engines using common version numbers and software brand references with known vulnerabilities.
How PCI Compliance can impact your business
If you don’t advise, build or implement ecommerce websites, PCI DSS will not affect your business. However, if you advise, build or implement ecommerce websites, PCI DSS will impact how you do business. There is a varying set of consequences that can affect your business, as follows:
Acquiring banks must ensure merchants and independent sales organizations are using PA-DSS or PABP compliant applications. (PABP is Visa’s application certification that preceded PA-DSS, the Payment Application Data Security Standard.) According to Visa, the deadline is July 1, 2010. While each card brand can and has set its own deadlines (and in some instances that varies by geographical location) and each acquiring bank can and has set varying deadlines, July 2010 is a date to be aware of.
What this mandate means is that acquiring banks are going to take a harder look at their merchants, independent sales organizations and service providers (those providing merchant account services) and hand out fines for non-compliance and/or shut down merchant accounts due to non-compliance. Where will you be when your clients are fined or shut down due to the use of non-compliant shopping cart software? Will you be left behind for web design and development companies ready to help them navigate through PCI Compliance?
Lawsuits
Nobody likes to mention lawsuits. Right now most of the lawsuits over security breaches are directed at merchants and acquiring banks. These lawsuits are mostly being instigated by banks issuing credit cards to consumers whose card was compromised during a security breach. They are suing for the cost of reissuing credit cards to their clients, the consumers. Right now, their lawsuits are hit or miss. PCI DSS isn’t a get-out-of-jail pass for merchants in regards to these lawsuits. Actually, it is no longer a safe harbor against fines. Visa changed their stance from “safe harbor” to “may waive fines” if the merchant was found to be compliant at the time of a security breach.
The tide may be changing. Merchants are getting tired of holding the bag over something they do not fully understand. Seven restaurants in Mississippi and Louisiana are suing a software development company and one of its retailers over a security breach that has cost them tens of thousands of dollars. The point of sale system was hacked, allegedly by a Romanian hacker. You can read more about the case at http://radiantsystemslawsuit.wordpress.com/
So what does this lawsuit have to do with web design and development? You are either in the position of writing or redeveloping a web application that stores, processes or transmits cardholder data, or in the position of advising on and implementing a prewritten web application that stores, processes or transmits cardholder data. Guess what: you’re in the same position as the software development company and/or the reseller. You’re a sitting duck for a lawsuit if these types of lawsuits become a trend.
So What Now?
Most small web design shops will need to either stop developing ecommerce websites altogether or make adjustments in the way they do business. You just cannot afford to sit back and ignore the situation. I currently advise my very small ecommerce clients to maintain a cash-only business where they accept things like PayPal using PayPal’s hosted solution. The other option is to use hosted payment solutions like Authorize.Net’s SIM and Element Payment Services Hosted Payment Solution. There are other options out there. My best advice is to get familiar with PCI Compliance.
Web Out
Desirea Herrera is an amazing web development geek who does web design and specializes in technical training of web development through webinars. A twelve-year veteran of the field with vast experience, Desirea has forgotten more about web design than most people will ever know. You can find out more about Desirea and her projects at Inphotek.
Sarah Jones:
Very nice post. Keep up the good work.