by Daniel Humphries, Managing Editor for IT Security research firm, Software Advice, August 27, 2014
PCI DSS compliance applies to any business that accepts credit cards, whether they’re e-commerce or physical merchants. After all, just because your storefront is made of pixels and not brick-and-mortar doesn’t mean the PCI council is any less interested in how you secure your customers’ sensitive data.
But PCI DSS is complex, and lots of businesses struggle with compliance. Recently, we explored common PCI DSS audit failure points. In this article, we’ll dig into some of the myths and misconceptions surrounding PCI and e-commerce specifically—and, with the help of five leading compliance and security experts, explore how businesses can remediate those issues as they arise.
Myth #1: I’ve Outsourced Data, So I’ve Outsourced Compliance
The PCI council recommends that you segregate sensitive cardholder data to reduce the scope of compliance. If your business is online-only, then you can take the principle of “reducing scope” much further than a physical merchant, by outsourcing a lot of the “heavy lifting” to a specialized e-commerce platform.
In this scenario, third-party solution providers supply you with all the PCI-compliant tools you need to build your site, including hosting, and even process payments for you. Since they’re handling all the sensitive information, the burden of compliance falls on their shoulders, and you, the merchant, can sleep easy—right?
Well, not quite, says Jeff VanSickel, a senior consultant at IT security consultancy SystemExperts: “Even though you outsource, you still have the responsibility, as the merchant, to make sure that the payment processing company is PCI-compliant, and to check every year that they continue to be PCI-compliant.”
Clauses in a contract such as, “‘Payment processor must demonstrate on an annual basis that they are PCI-compliant with respect to services’…are the bare minimum,” says VanSickel. “If I’m an [online retailer], I want them to demonstrate to me a little bit more than that.”
The full article covers the additional PCI DSS compliance myths.