PCI Security: Small E-tailers Face Large Fines if Hacked

By Kerry Watson
September 1, 2009

Many small online merchants don´t understand much about the powerful technology behind their e-commerce store or how vulnerable this technology is to being hacked. We rarely read about a small merchant's computer system being broken into, because the large ones are so much more spectacular. But some security experts now say it's not a question of if you will be hacked, it's when.

The Pain of Non-compliance

Small merchants with on-site credit card processing who are hacked and have not put PCI standards in place can be fined $20 to $30 for each stolen card number (up to $500,000). If the breach is large, they may also be required to undergo a forensic audit (the cost of which starts at $10,000), be subject to more stringent standards than other stores of their size and may be sued. In addition to the horrors of dealing with the original breach, this is enough to effectively wipe out any small merchant.

By using off-site credit card processing, small merchants may avoid many of the hassles and security risks of on-site processing, because the merchant never touches the credit card information.

A Little Background Info

PCI (Payment Card Industry) Data Security Standards (DSS) are designed to be a baseline minimum standard for credit card security. The standard emerged in 2004 when five separate programs — Visa, Mastercard, Discover, American Express and JCB — were combined into a single standard. The group first turned its attention to large retailers processing many millions of transactions per year, dubbed Level 1 to Level 3 retailers.

Small Merchants Now in the Spotlight

Last year the standards council began addressing the Level 4 Merchants who represent the vast majority of online payment transactions. If your online store falls into this group, at a minimum you will be required to complete an annual PCI Self-Assessment Questionnaire and a quarterly network scan.

Level 4 small merchants are defined as those with fewer than 20,000 Visa transactions, and fewer than 1,000,000 total transactions per year. Most small vendors will fall into this category.

Beginning October 1, 2009, credit card processors and their agents who accept Visa will begin de-certifying all vulnerable payment applications. This means many small merchants will suddenly receive notices that they can no longer accept credit cards unless they have begun steps toward PCI security compliance. The de-certifications must be completed within one year. The time to take action is now, before your store is de-certified.

What is PCI DSS?

The PCI DSS or Payment Card Industry Data Security Standard is a security process to help you identify all parts of your business that are vulnerable to theft. This ranges from how you dispose of and retain paper records, how your network is set up, and how you transmit and store credit card and other personally identifiable information online.

The easiest way for small businesses to begin compliance is to switch to an off-site, third-party credit card processor and to store no personally identifiable information on your Web site.

Short-form Compliance for Small Businesses with Off-site Processing

In an off-site, third-party credit card processor scenario, your customers temporarily leave your Web site, enter their credit card information on the processor's site, and then automatically return to your online store afterward to complete the non-financial portion of the transaction. Third-party credit card processor companies include 2CheckOut, PayPal and the recent entrant, CRE Secure by the open source e-commerce maker CRE Loaded.

This group of businesses is required to complete a short, 11-question Self-Assessment Questionnaire A. This can be completed in about five minutes.

Questionnaire A is for merchants who do not store, process or transmit financial information on their premises. The risk of losing customer financial data on your Web site with this group is zero because you do not maintain that info, but the short questionnaire and affidavit is a formality that must be completed each year for record-keeping purposes. You must still maintain good practices with paper and other records.

Merchants who fall into this category also may or may not be required to do a quarterly PCI scan of their system, depending on their credit card processor.

Stiff Requirements for On-site Credit-Card Processing

For merchants who continue to use on-site credit card processing, the requirements are similar, but they must answer 195 additional questions on Questionnaire C or D each year, and begin quarterly or monthly security scans of their online store. They must also take active steps to fix any areas that are found to not be in compliance and specify dates by which their stores will be in compliance.

Questionnaire C is for merchants who use a Point-of-Sale terminal connected to the Internet with a program such as Quickbooks POS. Most of these are small retailers with a bricks and mortar storefront in addition to their online store. Questionnaire D is for everyone else.

These lengthy self-assessment questionnaires cover 12 security steps in great detail, including:

• Firewall password settings
• Use of secure encryption
• Quarterly scanning of wireless networks
• Anti-virus, anti-spyware and anti-adware programs
• Creation of a company Information Security Policy for employees and contractors
• Shredding, cross-cutting or pulping of paper documents that contain credit card information

If any item on your questionnaire is not in compliance, you must specify a date that you expect to be in compliance, and explain what actions you plan to take to achieve compliance.

Shared Hosting Versus Dedicated Hosting

No online store with on-site processing that is hosted in an inexpensive shared or "virtual" hosting environment will be able to pass PCI standards. You must control your server and all the programs on it.

Dedicated servers that you can control yourself are becoming cheaper all the time, but they still go for a minimum of $100 per month with $200-250 being more common. You also need to have the technical knowledge to maintain your own server. You don't have a technical support team to call on if your server goes down, because you are the technical support team.

For these reasons, it is most economical for most small businesses to outsource their payment processing and keep their Web sites at a low-cost virtual host.

Here we will review a few of the off-site processors for the many open-source commerce programs.

Offsite Processing for CRE Loaded, osCommerce and More

CRE Secure is the newest off-site credit card processor. Released just this year, it is built into all new CRE Loaded 6.4 stores, dubbed CRE PCI stores. A separate module is designed to be used with CRE Loaded stores in all versions including 6.15, 6.2 and 6.3.

There is also a CRE Secure Payment Module available for osCommerce, and the company plans to release more modules for other open-source commerce stores as they become available.

According to the manufacturer, "When used as directed, this payment module will take your site out of scope for PCI Requirements." This is because the Web host that they use, GSI Hosting, is the first managed-service provider in the world to obtain certification from Visa for their PCI DSS compliance and physical security.

CRE Secure Advantage

The advantage that CRE Secure has over the other offsite processors is that the customer does not visibly see that they have been moved from your online store to a third-party location for processing. This is because the CRE Clone technology effectively copies your store's header, footer and stylesheet to make it look just like your store.

The company does require additional steps during and after installation, including a new or existing valid SSL Certificate, and during installation you must purge or mask any existing credit card information in your existing store.

Standard gateway fees apply, and the fees vary depending on the merchant account you open. Integrated processors include First Data, Global Payments, Elavon, TSys, Chase PaymentTech and JetPay.

PayPal

PayPal has been in the off-site credit card processing business since 1998 and owned by eBay since 2002. Its PCI compliant programs include PayPal Website Payments Standard, E-mail Payments and Payflow Link. These programs do not allow you to customize the checkout experience, and it is clear to the customer that they have left your site to make the payment transaction.

If you use PayPal's Website Payments Pro, Payflow Pro or Virtual Terminal, you can semi-customize the look and feel of the checkout experience, but you must also use the company’s free guide to help ensure that your online store is PCI compliant. The guide deals with PCI disclosure requirements including a business description, privacy policy, shipping policy, return policy and contact information.

PayPal has transaction fees of 1.9 to 2.9 percent plus $0.30 per transaction.

2CheckOut

Established in 2000, 2CheckOut has a unique business model where each time a customer checks out of your store, 2CheckOut buys the product from you and resells it to the customer. The customer's credit card statement shows a purchase from "2CheckOut" and not your store's name. 2Checkout has invested resources into additional security technologies, training personnel and audits so you do not have to worry about it. You have only one customer — 2CheckOut.

2CheckOut charges a $49 one-time sign up fee plus 5.5 percent of the sale amount and $0.45 per transaction.