Banks and PCI Compliance

There have been recent reports of banks or merchant providers informing their clients that they must use a certain “ASV” or Approved Scanning Vendor. Some have even gone as far as to deny PCI Compliance pass reports from other ASVs.

This is improper and you should not be bullied into using a specific ASV that your bank suggests. If this has happened to you, the best defense is simply to remind them that this is not allowed and to ask to speak to their supervisor. As an end user you have the right to choose any ASV from the PCI Standards Council Approved List, and you ARE able to submit the results to ANY bank and they MUST accept it.

Store owners must understand that security and PCI are among the fastest-growing aspects of the online world and, as such, the field attracts unqualified, untrained and unknowledgeable people. Ask to speak to a supervisor if you do not think what you are hearing is correct.

You may also contact your scanning company or ASV, as they will most likely already have contacts within your bank. Most of the time they can clear up confusion or problems like this for you.

In some circumstances, and only if it is extremely urgent or all other avenues have been exhausted, ask to speak to their CISSP. This is the person in charge of everything Security and PCI related. A portion of their job is somewhat neutral, as they are in charge of interpreting PCI and security practice standards for the good of the bank and credit card company as well as the client.


Understanding SSL

We are asked all the time: what is SSL?

It stands for Secure Sockets Layer. It is encryption of a stream of data from server to server or from server to home computer.
You will often see websites that redirect to a secure location; the address bar may turn colors or a padlock may show in the browser in the top right hand corner or bottom right hand corner. If you click on the padlock it will give you the security information about the website you are on. The easiest way to know is if the address bar shows https instead of http.

Zen Cart store owners need to run SSL mainly to protect credit card transactions and user data so that people or “bots” cannot intercept the information in plain text form. Getting more technical, these are called “man in the middle” attacks or packet sniffing.

As a store owner you may have heard that you will need to buy an SSL Certificate. There are a lot out there, and I am going to explain what the differences are for the main commercial types. You may have heard types named 128 bit and 256 bit. All certificates are able to do both and all browsers now recognize both. When you create a server key on your hosting account make sure it is 256-bit, and if you don’t have the ability, ask your hosting company to do it for you. Let’s start with the basic and move our way up to the more complicated.

You may be confused about what type of certificate you need to buy and there are many to choose from. Below is a list:

1) Standard SSL – usually priced between $30-$100 per year. (supports 1 domain), e.g. RapidSSL, GoDaddy, etc. This is a good option for a new store owner. It has the basics and $10,000 in insurance. Shows a lock and provides the bare minimum.

2) Business Validation SSL – usually priced between $149-$400 per year. (supports 1 domain and makes you go through a business verification check, which also shows on the certificate) This is for the company that wants their customers to know they are a legitimate company and not a fly-by-night operation. It has a mandatory company verification process where they have to prove who they are. Insurance is usually $100,000 on this type of certificate.

3) Business Validation SSL with EV – usually priced between $400-$1200 per year. This is the same as the certificate above with additional features such as “green address bars” and extended validation of the business. Insurance is usually $150,000.

4) UCC Certificate – usually priced between $50-$500 per year. (supports multiple domains, 5 to unlimited) This is a great option for web store owners that have multiple stores under the same hosting account and one dedicated IP address. This is a new type of certificate, as it fixed the problem of multiple domains under one dedicated IP.

5) Wildcard Certificate – usually priced between $199-$2000 per year. (supports unlimited sub-domains and can be used on multiple servers) This type of certificate allows the unlimited use of sub-domains such as sub1.domain.com, sub2.domain.com, sub3.domain.com etc. These types of certificates are used by companies to secure their server’s services such as SSH, FTP, Email, Webmail, Server Hostname etc.
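To make the single-domain, UCC and wildcard distinction concrete, here is an added Python example (not from this article, Zen Cart or any certificate vendor) that classifies a certificate by the names it lists and checks which hostnames it covers, using the usual browser matching rules; it also shows that a wildcard covers exactly one label, not the bare domain. The certificate dictionaries are constructed samples in the shape Python’s ssl.getpeercert() returns.

```python
"""Classify an SSL certificate by the names it lists and check coverage.
Added illustration for the certificate types described in the article; it
is not Zen Cart code or any vendor's tooling. The certificate dictionaries
below are constructed samples in the shape ssl.getpeercert() returns."""

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers hostname.
    Browser-style rules: case-insensitive; '*' is allowed only as the
    whole left-most label and matches exactly one label, so
    '*.example.com' covers 'sub1.example.com' but not 'example.com'
    or 'a.b.example.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels[0] == "*":
        # Reject '*.com'-style wildcards that would span a whole TLD.
        if len(p_labels) < 3 or len(h_labels) != len(p_labels):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def covered_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN DNS entries when present,
    otherwise the subject Common Name (the legacy fallback)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [cert.get("commonName", "")]

def certificate_type(cert: dict) -> str:
    """Map the names on a certificate to the article's categories."""
    names = covered_names(cert)
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    if len({n.lower() for n in names}) > 1:
        return "UCC (multi-domain)"
    return "standard (single domain)"

def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any name on the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in covered_names(cert))

# Constructed sample certificates (example.com names, not real sites).
STANDARD = {"commonName": "shop.example.com",
            "subjectAltName": (("DNS", "shop.example.com"),)}
UCC = {"commonName": "store1.example.com",
       "subjectAltName": (("DNS", "store1.example.com"),
                          ("DNS", "store2.example.com"))}
WILDCARD = {"commonName": "*.example.com",
            "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for cert in (STANDARD, UCC, WILDCARD):
        print(certificate_type(cert), "covers example.com:",
              cert_covers(cert, "example.com"))
```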

I have had some people ask me why these certificates, if they offer exactly the same thing, are priced differently. The prices are based strictly on the brand name and the insurance offered. It is sort of like how people are willing to spend $150 for a designer pair of jeans. It is no different for SSL Certificates. Let me make one statement absolutely clear:

THERE IS NO DIFFERENCE TO ANY PART OF THE ENCRYPTION OF ANY CERTIFICATE.

All certificates function the same way, provide exactly the same output, are all exactly the same quality and are equally secure. You get the same out of a $30 certificate as you do from a $2500 certificate as far as the encryption goes. Again, what you are paying for is brand, flashy green bars, additional insurance, validation of your company, and that information being added to the certificate itself for customers to view.

PCI Compliance – A Store Owner’s Perspective

A lot of people ask me what PCI Compliance is and why they need a PhD to decrypt the wording or try to understand it. PCI stands for “Payment Card Industry” and was founded by the major credit card companies to bring the whole e-commerce industry to a certain security standard. I feel what people need to know is easiest to understand if we look at it from a store owner’s perspective. Let’s start with a brief overview of how someone starts a web store, right through to the point of operating successfully.

You have chosen the store script that you want to use, and for this example we will use Zen Cart. You have purchased a domain, an SSL Certificate and quality hosting. Let me touch on the last item, “Hosting”: you may be asking, what is quality hosting? What I consider quality hosting is a company that has the following attributes:

1) A toll free number with 24/7 tech support

2) The hosting company, however big or small, owns its own servers. Do not do e-commerce business with companies that rent servers from the data center or run virtual servers.

3) Talk to the company representative, ask the technical questions and make sure you are comfortable dealing with them. Make sure they know their stuff.

4) Make sure the hosting company can provide a certificate of PCI Compliance. This proves they are in the e-commerce game, that they have their servers scanned and that their security practices are superior.

5) Does the hosting company support the software application you are using, in this case Zen Cart?

6) How many accounts are run on each server? What you want on a shared server is as few as possible. Remember, cheap hosts will jam-pack servers (thousands of accounts) to meet their financial requirements, while more expensive hosts will limit the number of accounts per machine to 100-200. Ask the host what they run for a server environment. If they are not running quality servers, they are not worth the money. Quality servers can run upwards of $10,000. Ask your questions. A good example is GeekHost.ca

Now that we have the “how to choose a host” out of the way, we will assume you have your Zen Cart site up and running with your domain and SSL. So what is next? You need to take payment from your customers, so you will need to give them a few options. Not every customer is going to have a credit card, so give them the option of paying by PayPal. This will bring in business you would never have had before. Now it is time to choose a company to provide you with credit card processing.

There are two types of processing out there. The first is the “Aim” method, where the customer never leaves your online store to process the transaction. The credit card information is sent encrypted to the “gateway” or “processor”, and an approved or denied response is sent back while your customer waits; the order is then processed accordingly. This is the best way.

The second method is called the “Sim” method. When the customer clicks to pay for the products, they are transferred to the payment processor to complete the transaction on its website. Once the transaction is approved, they are transferred back to your store, where the order is completed. In my experience, I have seen more customers abandon their orders this way.

It is very important to note that in both of these cases, the customer’s credit card details are not stored by you or by Zen Cart. The only details that are stored are the shipping details and the transaction number.

Make sure you choose a processor that has a payment module for Zen Cart. There are many to choose from. Call a few and ask about the rates. Normally a professional “Gateway & Merchant account” will charge you a one-time setup fee of about $100. There is also a monthly fee that will run you $15-$20 per month. Lastly, based on your personal credit and the number of transactions you do, there is a percentage fee, usually anywhere between 1.9-3.2%.

If you do not qualify for any of these, you may be able to get PayPal’s Web Payments Pro service. They are a bit pricier, but they do accept new businesses and owners with a few dents on their credit history.

Now that you have found the “Processor / Gateway”, they are going to litter you with a bunch of PCI paperwork to do. This is the fun part and what this whole article is about.

PCI Compliance is the standard governing how you handle credit card data and user information from the time your customer enters their card number on your website, tells you the number over the phone, or you manually input it into a POS terminal or swipe a card on a terminal. It does not stop there: it also covers the manner in which you conduct business, the people you hire and the way you dispose of your trash.

The question I hear the most is who needs to be PCI Compliant?

The answer (most don’t like to hear it) is every business that accepts a credit card, no matter the dollar amount and no matter how few transactions they process.

Since this is based on running an online store with Zen Cart, I will bypass everything but the requirements for an online web store owner.

It is a PCI requirement that you must have the server and your website scanned at least quarterly. You must retain the services of an ASV (Approved Scanning Vendor). Scanning companies or ASVs will scan your server and website once a week and send you a vulnerability report based on their findings. I favor ControlScan because of their prices and customer service. They are a lot cheaper than the more popular “HackerSafe” etc. After you have passed the scan it is time to fill out what are called the SAQ forms. The SAQ or “Self Assessment Questionnaire” is a written declaration that you are following the security guidelines set forth by the PCI Security Council and the credit card companies.

Fill this out truthfully, as this is the document that the credit card companies obtain from your merchant services to conduct an investigation in the case of a breach. If you blindly check “ok” to all requirements, you may be opening yourself up to liability. Be sure to check “yes” only for things that you are positive about, and contact your host for the rest of the answers regarding their services and environment. If something doesn’t fit with your company or doesn’t apply to you, then state that. That is the reason why there is an “N/A” check box.

Ok, so what forms do you fill out? To identify which merchant level you are, consult the following table:

| Merchant Level | Criteria | Onsite Security Assessment | Self-Assessment Questionnaire | Network Vulnerability Scan |
|---|---|---|---|---|
| 1 | At least 6 million transactions annually from any acceptance channel | Required Annually | N/A | Required Quarterly |
| 2 | 1 million to 6 million transactions annually from any acceptance channel | At Merchant Discretion* | Required Annually* | Required Quarterly |
| 3 | 20k to 1 million ecommerce transactions annually | N/A | Required Annually | Required Quarterly |
| 4 | Less than 20k ecommerce annually or less than 1 million transactions from any acceptance channel annually | N/A | Required Annually | Required Quarterly |

All store owners starting a new business are Level 4 Merchants. As you can see above, the level is based upon how many cards you process per year. Now it is time to determine which SAQ or “Self Assessment Questionnaire” you should be filling out; below I have another table categorizing the SAQ types A-D.

| SAQ Validation Type | Description | SAQ |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no cardholder data storage | B |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| 4 | Merchant with payment application systems connected to the internet, no cardholder data storage. | C |
| 5 | All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ. | D |

SAQ “A” is reserved for merchants who outsource the billing to another company, for example PayPal IPN (PayPal Standard) or PayPal Express, or any processing company that uses the “SIM” method as I explained above. You as a store owner do not handle the credit card numbers at all, and all billing is done separately from your website.

SAQ “B” is for the store owner that still uses the manual credit card imprint machines that remain in use as a backup to electronic POS terminals. This also applies to POS terminals that are connected via secure “dial-up”, which connects directly to the gateway services or credit card company (note this does not mean dial-up internet).

SAQ “C” will apply to all merchants that process on their website using the “Aim” method and do not get credit card numbers over the phone.

SAQ “D” is reserved for merchants that do a combination of the above, such as processing on their website and also accepting credit cards over the phone, which they process via a POS terminal or via a virtual terminal. A virtual terminal means that you open a browser window on your computer, connect securely with the gateway company over the internet and type the credit card numbers into their website.

Now that you understand what merchant level you are and which SAQ you fill out (in our example case, 4-C), we can safely fill out the forms. Once the forms are submitted back to the scanning company, they will produce what is called a Certificate of PCI Compliance. This is the document that you will submit to your merchant services, gateway or bank.

What happens if you get a scan that does not pass? You will need to do one of two things. If it is server related, contact your host; they may already be rectifying the issue, or it may be a false positive. If it has something to do with your store software, you may need to update, or it may be a false positive. In any case, stay on top of it.

Congratulations, you have completed the PCI process; all you now need to do is maintain it.

The biggest mistake an e-store owner can make

Every day I see new store owners pop up, excited and full of that vibrant energy to start their new enterprise online. They spend countless hours installing, configuring and beautifying their new online store, and then they put it online for the first time. I hear people say, “I am glad that I am done and that is over with.” That statement alone shows how much time and hard work they have put in.

When a new version of their shopping cart is released, you can just feel the shudder at having to upgrade. The usual view from most shop owners is “I can’t upgrade right now because I am too busy” or “I have too many custom modules that don’t work with the new version.” The store owner finds excuses not to upgrade rather than spend that little bit more time and energy to secure their site. The general rule in upgrading is to do it right away. Upgrades are released because new vulnerabilities have been found in the code that could allow your store to be hacked. The store owner must be vigilant and keep up to date.

Most hackers turn their attention to sites that have value, or in essence have something to steal. E-commerce stores are the gold mine and criminals know it. This may be a shock to a lot of store owners, but most vulnerabilities are found by the software communities that help create the software. The bugs are reported and fixes are made available. Most coders want the recognition for finding the bug, so they post it in the community forums and on a security reporting site. The biggest problem with the security reporting sites is that they show what is called a “proof of concept.” This shows how the vulnerability can cause damage or infiltration. They are so detailed that actual examples of the exploit are shown openly to the public.

Take a person with a bit of programming knowledge, a whole lot of time on their hands and a need for glorification, and you have yourself what today is called a hacker. These people lie in wait for these “proofs of concept” to appear and then begin hacking sites that are still vulnerable. I do not really consider these people hackers. I refer to them as criminal opportunists, and they tend to do a lot of damage. They leave a wake of destruction in their path because hiding their tracks is frankly beyond their ability.

On the other hand, a real “hacker” does not want a trail, and they have the technical ability to hide themselves very well. They do not cause a wake; they steal what they want, and if they are successful no one will know. These are not the type of people that will be on your small “mom and pop” shop. These people risk everything for a large bounty or a political gain.

The only way a store owner can combat this is to educate themselves on site security and to keep their store up to date. This is a never-ending war, and the store owner must be vigilant.