PCI Compliance for Merchants


UniteU Connected Commerce Platform and PCI


UniteU is a Visa and MasterCard certified PCI-DSS service provider (see the Visa/MasterCard list of compliant service providers).

If you are searching for an ecommerce platform provider, be sure to carefully read the sections on PCI compliance below. Compliance is an invaluable asset when shopping for the right platform. Make sure that you are well informed about the correct ways to achieve full compliance, and avoid greater liabilities.

Why does PCI Compliance matter to you, the merchant?


In very simple terms, it is about managing a merchant's liability and risk to their overall business. Although getting the correct PCI coverage does not in itself guarantee that a credit card breach cannot happen, it does lower the likelihood and, more importantly, lowers the potential fines that Visa/MC and/or state and federal governments may make retailers pay in case of a breach. For a retailer that has not managed PCI correctly these fines are, in most cases, so large that they would threaten the viability of the business. A breach would also raise the cost of the merchant's cyber insurance.

The Myths and Mystery of Correct PCI Compliance


The PCI-DSS (Data Security Standard) covers 6 areas of security compliance and 12 top-level requirements that a merchant is ultimately going to be held responsible for (listed in the table below).

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
This means that network access to ecommerce websites and database servers is locked down to allow only necessary and authorized access. Firewall rules and protective web appliance configurations are reviewed and updated regularly.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
This means that you must NOT use default server setups, so that potential hackers cannot guess how your servers are configured.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.
This has many levels. Besides access control it also involves strong encryption and encryption key management, so making card numbers available to merchants for needed backend operations is not as simple as it might seem.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
This is normally solved by using SSL server certificates, SFTP and other encrypted protocols. As encrypted traffic is slow to decode on both the consumer and server sides, not all ecommerce traffic can be encrypted for performance reasons.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs.
This sounds simple but gets really complex when you get into the software and OS areas. You are forced to continually scan, install patches and reboot servers to keep them up to date with the latest security patches. Any of these patches may conflict with your ecommerce code and hence needs testing and a robust backup strategy in case of problems.

Requirement 6: Develop and maintain secure systems and applications.
The Develop part is somewhat easier to manage and certify (PA-DSS generally gives you the rules and the certification process). It is the Maintain part that is really difficult to apply operationally. Once you make a change to the certified software you technically need to recheck and recertify. On ecommerce websites this can be particularly difficult, as website changes are made almost daily. Each website change has to be monitored and checked to make sure that no malicious script or addition can compromise the website and allow credit card numbers to be copied to the wrong people.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know.
This is both a technical and an operational practice to ensure that only vetted and trusted people or systems get access to credit card data. For example, there is no need for the website's content managers to be able to see the shopper credit card numbers that a customer service rep may need in order to issue a refund. The ecommerce management system needs to have these capabilities.

Requirement 8: Assign a unique ID to each person with computer access.
NO shared login credentials. It is surprising how willing people are to share their logins and passwords with team members. It makes forensics difficult.

Requirement 9: Restrict physical access to cardholder data.
Make sure your servers and databases are located in a secure and certified datacenter. This also applies to simple things like making sure that a workstation which may have access to your customers' card data has a password-protected screen saver or automatically logs you out if you leave your desk for a coffee or a meeting.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
This means that EVERY login and access to things like backend managers and/or systems is logged and is traceable. This sounds simple but becomes a very complex system and process, given the sheer volume of data involved.

Requirement 11: Regularly test security systems and processes.
External website and system scans can usually be done by vendors such as ScanAlert or Security Metrics. UniteU merchants have external scans done and certified on all their websites once a quarter to meet the PCI requirement. What is often missed is the requirement for internal network scans, which also need to be completed once a quarter.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Sometimes the weakest link in a security system is the people around it. Making sure that everyone involved actually knows and operates under those rules is a challenge. This also applies to ensuring that employees have had the appropriate background checks, etc., to try to protect against the human security compromise threat.
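Requirements 3, 7, 8 and 10 above are easier to reason about when they are seen working together in code. The following is an added example written for this page, not UniteU's software: it stores only a payment token and the last four digits instead of the full card number (Requirement 3), returns each role only the fields it has a business need to see (Requirement 7), records the individual user ID on every access (Requirement 8) and writes every allowed or denied access to a hash-chained audit log so that a deleted or edited entry is detectable (Requirement 10). The order record, roles, user IDs and token are constructed values.

```python
"""Added example (not UniteU code): need-to-know access to cardholder data with an
audit trail, illustrating PCI DSS Requirements 3, 7, 8 and 10 together.
All names, roles, tokens and records below are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

# Requirement 3: keep only what backend operations need. The full PAN is replaced
# by a token issued by the payment gateway plus the last four digits.
# (Constructed sample order; the token is a placeholder, not a real gateway token.)
ORDERS = {
    "ORD-1001": {"token": "tok_example_1001", "last4": "4242", "amount": "59.90"},
}

# Requirement 7: which roles may see which fields of a card record.
ROLE_FIELDS = {
    "content_manager": set(),                      # no business need to see card data
    "customer_service": {"last4", "amount"},       # enough to confirm a refund request
    "payments_ops": {"token", "last4", "amount"},  # can trigger a refund through the gateway
}

AUDIT_LOG = []  # Requirement 10: every access attempt, allowed or denied, is recorded


def audit(user_id, order_id, outcome, fields):
    """Append a tamper-evident audit record. Each record carries the hash of the
    previous one, so deleting or editing an earlier line breaks the chain."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "GENESIS"
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,          # Requirement 8: an individual, never shared, user ID
        "order": order_id,
        "outcome": outcome,
        "fields": sorted(fields),
        "prev": prev,
    }
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(entry)
    return entry


def card_view(user_id, role, order_id):
    """Return only the fields the caller's role is entitled to, logging the access.
    Denied attempts are logged too; they are often the most useful forensic signal."""
    allowed = ROLE_FIELDS.get(role, set())
    record = ORDERS.get(order_id)
    if record is None or not allowed:
        audit(user_id, order_id, "denied", set())
        raise PermissionError(f"{user_id} ({role}) may not view {order_id}")
    view = {k: v for k, v in record.items() if k in allowed}
    audit(user_id, order_id, "allowed", allowed)
    return view


def audit_chain_intact():
    """Recompute every hash and link; False if any entry was altered or removed."""
    prev = "GENESIS"
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


if __name__ == "__main__":
    print(card_view("u-cs-17", "customer_service", "ORD-1001"))   # last4 and amount only
    try:
        card_view("u-cm-03", "content_manager", "ORD-1001")
    except PermissionError as err:
        print("denied:", err)
    print("audit chain intact:", audit_chain_intact(), "entries:", len(AUDIT_LOG))
```

The point of the chained hash is not secrecy but detectability: a log that anyone with database access can quietly edit does not satisfy the "traceable" part of Requirement 10. In production the log would be written to a separate, append-only store with its own access controls rather than kept in process memory.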

The confusion and mystery stem from three major areas:

  • Some choose to define the cardholder environment that the DSS covers more narrowly than it is. Many will try to narrow it to external payment gateways only. That is not the case: using an external gateway does externalize requirement 3, but many of the other DSS requirements still apply.
  • The way various vendors, providers and products map to these different elements, and how specific PCI certifications are named and marketed.
  • As not all levels of merchants require external audits or auditors, self-assessments against the DSS are open to optimistic interpretations.


Example: A PA-DSS (Payment Application Data Security Standard) certified application only covers part of requirement 6, and it only applies to the tested application without ANY modifications. Many PCI certified hosting providers only cover requirement 1. Bottom line: a merchant needs to be certified and covered for ALL 12 requirements. Read more:
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf


How do merchants manage and achieve PCI compliance?



The basic answer: get educated on the PCI DSS and pick your partners and vendors very carefully.


Most ecommerce managers are already under pressure to deliver the next great feature or capability on their ecommerce systems to improve revenue and profit. This can cause managers to push PCI compliance to the back burner, or to take it lightly. Mention PCI to a CFO or CEO and it's a whole different story; liability and cardholder security are of the utmost importance. It may seem that maintaining PCI integrity conflicts with business goals, flexibility and upfront costs. For example, adding a simple script to your website to provide some extra feature or report sounds like a simple request, but if it comes from a non-vetted supplier it can expose your whole website to security compromise and invalidate your PCI compliance status. PCI is a continuous requirement that needs to be maintained.

Merchants need to ask the right questions and see the real certifications of their partners, vendors or potential vendors as they pertain explicitly to their ecommerce system. They then need to map those certifications against the 12 parts of the DSS, so that if and when they are audited, or find themselves in a post-breach forensic audit, they can show they have done what was required.



The most common myths we see here at UniteU are items such as:



a)    Merchant prospects love the idea of an Open Source Platform (OSP). They say the OSP professional-level software platform is inexpensive AND is PA-DSS compliant and can be hosted in a PCI compliant hosting facility. The plan is to use this software package hosted in an approved PCI hosting facility and to use a third-party OSP web development company to implement their ecommerce site.

Answer: Technically, as soon as the web development company modifies the platform code it has invalidated the PA-DSS certificate. Note that the web development company's personnel and code have to be PCI certified. The new site would have to be assessed for all aspects of Requirement 6, including security scans and penetration testing, each time modifications are made. The hosting provider may cover parts of Requirements 1, 4 (SSL) and 9. The merchant is still responsible and has to pay to meet all of the other requirements. Enterprise versions of the OSP cost more than the professional version and only add some coverage of requirements 7 and 10.

b)    A request from a UniteU merchant: "Please insert this bit of code into our website; it's a bit of JavaScript that Vendor X wants so that we can do Y." When asked for Vendor X's PCI certification, Vendor X says: "I don't have one, and as I don't directly collect credit card information I do not need to be PCI compliant."

Answer: The JavaScript code runs in the shopper's browser with access to the card data through the document object and could siphon it off. At UniteU we take this very seriously and always counsel our merchants about the potential risks of doing something like this.

c)    All PCI certifications are alike.

Answer: No! We sometimes get a PCI certificate from Vendor X, but it is the certificate of Vendor X's hosting company. This does not cover Vendor X's code or environment. PCI-DSS certifications are different for different types of providers. If in doubt, ask your vendor for a copy of their certificate and its AOC or ROC (Attestation of Compliance or Report on Compliance). These documents summarize and mark out which areas of the 12 requirements a service provider has met. The most common ones are Hosting, Payment Gateway and/or PA-DSS. You also need a document from the service provider/vendor that states that your specific website and ecommerce system are covered by their certification, and under what circumstances you are or are not covered.
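Myth (b) above is the one that most often slips through, because the request looks harmless. A merchant can turn the vetting into a check that runs before any page change ships. The following is an added example written for this page, not UniteU's tooling: it parses a checkout page, refuses inline scripts outright, refuses any external script whose host is not on the vetted list, and refuses vetted scripts that lack a Subresource Integrity hash, so that a "bit of JavaScript" from Vendor X cannot reach the payment page without review. It also emits the matching Content-Security-Policy header so that the browser enforces the same allowlist at runtime. The hostnames, the sample HTML and the integrity placeholders are all constructed.

```python
"""Added example (not UniteU code): pre-deployment vetting of scripts on a
checkout page, plus the Content-Security-Policy header that enforces the same
rule in the shopper's browser. Hosts, HTML and hash values are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts whose PCI attestation covers the code they serve (constructed).
# Same-origin scripts (relative src) are the merchant's own reviewed code.
VETTED_SCRIPT_HOSTS = {"js.example-gateway.test", "static.example-cdn.test"}

# Constructed checkout page: two acceptable scripts, one unvetted vendor, one inline.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="/static/checkout.js" integrity="sha384-PLACEHOLDER-OWN"></script>
<script src="https://js.example-gateway.test/pay.js" integrity="sha384-PLACEHOLDER-GW"></script>
<script src="https://cdn.vendor-x.test/widget.js"></script>
<script>trackSomething();</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def check_checkout_scripts(html):
    """Return a list of (script, reason) findings; an empty list means the page passes."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src is None:
            # Inline code cannot carry an integrity hash and cannot be pinned to a vendor.
            findings.append(("inline script", "refuse: inline script on a payment page"))
            continue
        host = urlparse(src).hostname  # None for a same-origin relative path
        if host is not None and host not in VETTED_SCRIPT_HOSTS:
            findings.append((src, "refuse: host is not on the vetted list"))
        elif not s["integrity"]:
            # Even a vetted host must pin the exact file, or a changed file ships unseen.
            findings.append((src, "refuse: missing integrity attribute"))
    return findings


def csp_header():
    """Content-Security-Policy value matching the allowlist: no inline scripts,
    only the site itself and vetted hosts may supply script."""
    sources = ["'self'"] + sorted(VETTED_SCRIPT_HOSTS)
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    for script, reason in check_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{reason}: {script}")
    print("Content-Security-Policy:", csp_header())
```

The two halves complement each other: the parser check catches an unvetted script at review time, and the CSP header means that even a script added later, by mistake or by a compromised CMS account, is blocked by the browser before it can read the card fields. The integrity attribute is what ties Requirement 6 recertification to a specific file: if the vendor changes the file, the hash no longer matches and the browser refuses to run it until the change has been reviewed.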


UniteU's Commitment to Merchants and PCI Compliance



In 2006, as the PCI standards and compliance (and fines) were being rolled out and enforced on Tier 1 retailers, UniteU stepped up and committed to comply and certify as a PCI-DSS accredited service provider under 2 classifications: Hosting and Payment Gateway. Under those 2 classifications, as a platform and ecommerce service provider, UniteU is able to cover all 12 requirements of the PCI DSS for the merchants we bring onto our platform. This was initially a significant and expensive task, and it continues as part of UniteU's daily operations to maintain and recertify each year.



What does this mean to UniteU merchants?



In terms of PCI compliance, it means that UniteU is in most cases able to cover each individually named merchant's ecommerce site and backend processing systems with our certification. This means that a UniteU merchant can greatly reduce their liability and simplify the whole PCI compliance process for their ecommerce operation. As all 12 requirements are managed and enforced by our infrastructure, systems, software, people and processes, a merchant with a UniteU coverage certificate is able to fully satisfy its PCI DSS requirements as they pertain to ecommerce.

Note: There are still a few aspects under the merchant's own control that the merchant remains responsible for (e.g. ensuring that their employees adhere to PCI standards).

Merchant Benefits:

a)    Simplified and included PCI DSS compliance.
b)    No need to pay for a third-party security scanning service, as each UniteU merchant's site is scanned by an approved security scanner once a quarter to satisfy requirement 11. UniteU takes care of all mandated security scans on our internal and external systems and contracts with an approved scanning security vendor to scan and report on each individual merchant's website.