Written by: Charlie, 4/27/2010 12:31 PM
You may have heard the term “PCI compliance” quite a bit as of late. Often, “PCI compliance” has been referred to as a way to boost your members' confidence in the security of your website. For many, it seems to have been as much a marketing program as a security compliance effort, especially since there has been no significant drawback or limitation associated with non-compliance. This is, however, about to change in a significant way.
PCI is short for PCI-DSS, which in turn is short for Payment Card Industry Data Security Standards. This standard was created by the Payment Card Industry Security Standards Council (PCI-SSC), a consortium representing Visa, MasterCard, American Express, Discover and JCB, to provide a framework and set of best practices for protecting credit card data from security breaches. To be “PCI Compliant” means that your organization has validated that it meets all of the applicable requirements of the PCI-DSS (more about the requirements shortly).
In July of 2009, the PCI-SSC updated the PCI-DSS specifications to mandate that, as of July 1, 2010, in order to be PCI compliant, all merchants that “process, transmit or store cardholder data” must use payment processing software that meets the new Payment Application Data Security Standards (referred to as PA-DSS certified software). If your organization is not PCI compliant as of the July 1, 2010 deadline, your acquirer (the bank or merchant account provider that processes your transactions) may stop you from processing credit cards. Furthermore, if you continue to process credit card transactions without being PCI compliant (even if your acquirer allows it), you risk being subjected to fines. This represents a major change to PCI compliance enforcement. Note that these are guidelines (albeit enforceable by fines) and not “laws” passed by Congress, and that the acquirers are responsible for enforcing these guidelines. You should contact your acquirer to get the exact requirements and verification methods. My understanding is that many acquirers are doing verification on “cycle” - that is, during the annual period when you renew your merchant account agreement.
The requirements that must be met for PCI compliance vary by merchant; the applicability of the individual requirements is determined by a) how many transactions your organization processes, b) the way the transactions are processed (e.g., in person, card not present, using an internet connection versus a dial-up phone connection), and c) whether or not credit card data is stored at your organization (e.g., the credit card number and the expiration date). Depending upon the combination of these factors, your organization will have to complete one of the four Self Assessment Questionnaires (SAQ A, SAQ B, SAQ C or SAQ D) provided by the PCI-SSC.
The requirements for the SAQs range from a few basic requirements for an SAQ A to over 220 exceptionally difficult-to-meet requirements for an SAQ D. As far as we know, all of Euclid's current clients are considered “Class IV” merchants that process credit cards via an internet connection, and therefore will need to complete an SAQ C, which consists of 41 reasonable and common-sense requirements. It is your responsibility, however, to confirm this with your merchant service provider. The difference between having to complete the straightforward SAQ C and having to complete the exhaustive SAQ D comes down, basically, to whether or not credit card data is stored at your facility after authorization. Storing encrypted credit cards for later use is an option that is currently available in ClearVantage. However, this option, along with the existing encrypted credit card data itself, will no longer be available in subsequent PA-DSS compliant versions of ClearVantage. This is not because ClearVantage is unable to meet the stringent requirements for storing credit card data, but rather because it is virtually impossible for any of our clients (or any mid-sized company) to meet the exhaustive SAQ D requirements, as they are designed primarily for large-scale data centers. Please note that for most of our clients, storing credit card data is unnecessary. For those that do require storage, for example to enable “Easy Pay” functionality, the PA-DSS certified version of ClearVantage is designed to integrate with outside services for secure credit card storage and access.
So what does this mean for your organization? It means that, as of July 1, 2010, in order to be PCI compliant, you must have upgraded to a PA-DSS certified version of ClearVantage. Note that using PA-DSS certified software does not by itself make your organization PCI compliant; however, you cannot be PCI compliant without it. You should check with your acquirer to get their exact requirements, but it is probably a good idea to plan on completing an SAQ C, getting a “perimeter” scan (a scan of your internet-enabled ports) by a PCI Approved Scanning Vendor (ASV), and upgrading ClearVantage to the PA-DSS certified version.
The good news for our clients is that Euclid is ahead of the industry and has been investing heavily in getting its software PA-DSS certified in advance of the compliance deadline. PA-DSS certification is a very difficult, time-consuming and expensive task: to date, only 218 out of the hundreds of thousands of in-scope applications have been certified, and most of these are payment gateways or standalone credit card processing applications. However, the Euclid team has been working diligently and is on schedule to have ClearVantage ready for PA-DSS certification review by June 1, 2010, ensuring that it will be officially PA-DSS certified in advance of the July 1 deadline. The rollout process for the PA-DSS compliant version of CV will begin on Tuesday, June 1st, 2010 and will continue throughout the month of June. As with all updates and upgrades, the updated ClearVantage software license is included with your annual maintenance plan, while the installation, configuration and client-specific testing will be billed hourly. Depending upon how recently you upgraded and the configuration of your technical environment, you should budget between four and twenty-four hours of billable time for the upgrade. Your customer support representative will be in touch shortly to discuss the upgrade process, to gather the information needed to create an upgrade quote, and to schedule a time for delivering the upgrade.
Please note that, because of this major change brought by the PCI-SSC and Euclid's commitment to minimizing its impact on our clients, the support staff will be exceptionally busy during the months of May, June, and July, and support work will be prioritized and delivered accordingly.
In the coming weeks, we will provide additional information about getting your organization PCI compliant and detail any potential impacts of the switch to the PA-DSS certified version of ClearVantage. To facilitate the sharing of ideas and experiences regarding PCI compliance and to answer PA-DSS/CV upgrade-related questions, we have created a new forum on our support site that we will be monitoring daily. You can access it here (you will need your website login and password):
Euclid PCI Compliance Forum
Copyright ©2010 Charles Vinal