How to Get PCI Compliance to Comply With Your Budget

Back in the late 1990s, when the Web was just starting to gain widespread adoption, there was a great deal of distrust in putting sensitive information online. Clearly we are in a different era of risk tolerance today, with people voluntarily posting all kinds of private information online via Facebook, LinkedIn, Twitter and other social media sites. The current environment is one in which e-commerce sites are flourishing and more and more personal information (medical, financial, etc.) is available securely through the Web. The trend is only going to continue, and that is fantastic news for entrepreneurs with a passion for technology. There is a ton of opportunity for enterprising individuals to start their own ventures, like e-commerce sites or Software as a Service (SaaS) firms that deal with personal health or financial data. The rub is compliance and the costs associated with it.

Compliance is your friend

The nice thing about compliance is that if you are reading this, you are probably one of the people whose sensitive data is being stored online. So in that way, compliance really is your friend. If you are knowledgeable about security, standards like PCI DSS should make you feel good about putting your data online. The PCI Council updates the PCI DSS on a regular basis with input from real security experts. If an e-commerce site is PCI DSS compliant, you can be reasonably confident it is taking the baseline measures the standard requires to protect your private information. Keep in mind, though, that compliance is assessed at a point in time; it is a floor for a site's security, not a guarantee.

Alternatives to taking credit card numbers – the most budget-friendly solution

How you approach PCI compliance depends on how you process credit card payments and on the resources at your disposal. For example, a small e-commerce site can bypass most of the PCI compliance burden by using Google Checkout, PayPal or a similar hosted payment service. These services work by redirecting your visitor to the provider for the actual card transaction and routing them back to your site when the transaction is complete, so the card number never touches your servers. You should still complete the appropriate Self-Assessment Questionnaire and document that it is your policy not to accept card numbers directly, but the vast majority of the compliance burden falls on PayPal/Google in that case. One caveat: the page that sends customers to the provider is still yours to protect. If an attacker can alter it to point at a look-alike checkout, the outsourcing buys you nothing, so keep that page under the same change control and integrity monitoring as the rest of your site. Depending on the size of your online store and your target audience, a hosted checkout may not be acceptable as the sole method of accepting online payment. If your budget is truly tight, though, it is not a bad way to get started; you can always upgrade once the money is flowing in.

If utilizing a third party to handle payment card transactions is not an option, then you need to address compliance. This means you need to make sure that your application is handling transactions securely and that you are hosted in a PCI compliant infrastructure.

Does do-it-yourself hosting make PCI compliance cheaper and easier?

If you are starting up on a tight budget, there are shared hosting options that include a shopping cart and purport to be PCI compliant at both the application and infrastructure layers. If this option appeals to you, make your due diligence concrete before signing up: ask for the provider's Attestation of Compliance and a written statement of which of the 12 PCI requirements they cover and which remain your responsibility (your user accounts and passwords, patching of anything you install yourself, and your own policies and procedures are usually yours).

If your e-commerce venture is successful and growing, you may not want to be restricted by the limitations of a shared hosting environment. In that case, you may be looking at managed hosting, cloud hosting, or a do-it-yourself option like colocation or in-house hosting. PCI compliance can be tremendously cost-prohibitive for those looking to host in-house: whether you need an on-site assessment at all depends on your merchant level, but once you do, the fees just to have a QSA assess your internal network run upwards of $25,000/year, and that does not include any costs you incur remediating the issues they find. Added to the burden of managing your own server farm, this makes an even more compelling case to outsource. We have spoken to a number of e-commerce companies that hosted internally for more than a decade and finally moved their e-commerce sites to managed hosting or cloud hosting due to the increased burden PCI compliance placed on their internal staff.

If you don’t store the credit card numbers, you can save some money

If you need to store credit card numbers on your servers, doing PCI right on a budget gets more difficult. In short, you want to apply core security principles such as defense in depth, least privilege and segregation of duties, to name a few. Your web/app and database tiers should be separated by network segmentation; segmentation also limits which part of your network is in scope for assessment. A firewall should control network access to and from your environment and between your network segments. Start with a default-deny policy and grant access as needed; that is far easier than starting wide open and trying to take privileges away later. The firewall will also let you terminate a VPN tunnel so that administrative traffic is encrypted and never exposed on the public interface. External and internal vulnerability scanning are a must, and remember that the external scans must be performed quarterly by an ASV (Approved Scanning Vendor). Other required components are security log monitoring, intrusion detection and file integrity monitoring.
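As an added illustration of the default-deny, segmented layout described above (this is example code written for this edit, not INetU's configuration or anything from the original post), the following models the firewall policy between an internet edge, a web/app tier, a database tier and an admin VPN pool, checks connection attempts against it, and renders it as an iptables-restore ruleset. The zone names, subnets and ports are assumptions chosen for the illustration.

```python
"""Default-deny segmentation policy for a small cardholder-data environment.

Added example, not from the original post.  Zones, subnets and ports are
assumptions; adjust them to your own layout.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed layout: each tier is its own segment behind the firewall.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),   # catch-all for anything not ours
    "web":      ip_network("10.0.1.0/24"),  # web/app tier (in PCI scope)
    "db":       ip_network("10.0.2.0/24"),  # database tier (in PCI scope)
    "vpn":      ip_network("10.0.9.0/24"),  # admin VPN address pool
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Explicit allow list.  Anything not listed here is dropped (default deny).
POLICY = [
    Rule("internet", "web", 443),   # customers reach the storefront over TLS only
    Rule("web", "internet", 443),   # app tier calls the payment gateway; tighten
                                    # -d to the gateway's addresses in production
    Rule("web", "db", 5432),        # app tier talks to PostgreSQL and nothing else
    Rule("vpn", "web", 22),         # admin SSH only from the VPN pool
    Rule("vpn", "db", 22),
    Rule("vpn", "db", 5432),        # DBA access also only via the VPN
]


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; 'internet' is the 0.0.0.0/0 fallback."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def allowed(src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """Evaluate a new connection attempt.  False unless an explicit rule matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src == src and r.dst == dst and r.port == port and r.proto == proto
               for r in POLICY)


def render_iptables(policy=POLICY) -> str:
    """Render the policy as an iptables-restore filter table for the router between tiers."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",      # default deny between segments
        ":OUTPUT ACCEPT [0:0]",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        lines.append(f"-A FORWARD -s {ZONES[r.src]} -d {ZONES[r.dst]} "
                     f"-p {r.proto} --dport {r.port} -j ACCEPT")
    # Denied traffic is logged so the log monitoring the text calls for has something to watch.
    lines.append('-A FORWARD -j LOG --log-prefix "FW-DROP: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_iptables())
    print("internet -> db:5432 allowed?", allowed("203.0.113.7", "10.0.2.10", 5432))
```

The point of the checker is the same one the paragraph makes: the database tier is reachable only from the app tier on its one service port and from the VPN pool, never from the Internet, and the app tier is not reachable from the database tier at all. Feed the rendered text to iptables-restore on the segment router, or translate it to your firewall appliance's syntax; the evaluation logic does not change.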

Rather than reinvent the wheel and describe how each of those services plays a role in meeting the 12 PCI requirements, I will point you to Jason B's How INetU Helps You Achieve PCI Compliance Bliss article, where Jason summarizes all of the components needed in a PCI compliant hosting infrastructure better than I could.

You can remove some of the cost burden of PCI compliance by only transmitting credit card numbers and not actually storing them. That means you do not have to worry about encrypting data at rest or the key management that goes with it. You still need the other PCI compliance components in place, but since the data only passes through your servers transiently, you reduce your actual risk of a breach considerably. Make sure "transient" is really true: check that the number never lands in application logs, error reports, crash dumps or database backups, because any of those puts you right back in the storing category.

An emerging technology that may make PCI compliance on a budget easier in the future, while still giving customers the convenience of not re-entering payment information on every order, is tokenization. With tokenization, a unique identifier that is not a card number, called a token, is issued for a credit card account. You still take the card information from the customer on the first transaction, but instead of storing it you store the token and send the token along the payment chain; only the tokenization provider's vault can map it back to the real card number. For merchants, tokenization means a reduced PCI scope since you are not actually storing a card number; the burden is passed to others in the payment process. Note the condition: the scope reduction holds only if the token cannot be turned back into a card number with anything you hold, so the vault and its keys must live with the provider, not with you.
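The two preceding paragraphs, "don't store the number" and "store a token instead", share one practical check: proving that no card number is sitting in your data. The following is an added example (written for this edit, not code from the original post or from INetU) that models a tokenization flow with the vault on the provider side and the merchant keeping only a token and the last four digits, and then runs a PAN-discovery scan (13 to 19 digit runs that pass the Luhn check) over the merchant's records and logs. The vault class, the token format, the Merchant class and the sample order are assumptions for illustration; the card number used is the well-known 4111 1111 1111 1111 test number.

```python
"""Toy tokenization flow plus a PAN-discovery scan.

Added example, not from the original post.  In a real deployment the vault
lives at the payment provider; the merchant never holds the mapping.
"""
import re
import secrets

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
_TOKEN_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"          # letters mixed in so a token
                                                             # never looks like a card number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (double every second digit from the right)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def only_digits(s: str) -> str:
    return re.sub(r"\D", "", s)


class TokenVault:
    """Stands in for the provider side: the only place the PAN exists (assumed, illustrative)."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = only_digits(pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + "".join(secrets.choice(_TOKEN_ALPHABET) for _ in range(20))
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can do this; the merchant has no equivalent call."""
        return self._by_token[token]


class Merchant:
    """Merchant side: keeps token + last four for display, never the PAN."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}
        self.log = []

    def first_order(self, customer: str, pan: str, amount: str) -> str:
        digits = only_digits(pan)
        token = self.vault.tokenize(digits)           # PAN leaves the merchant right here
        self.customers[customer] = {"token": token, "last4": digits[-4:]}
        self.log.append(f"order customer={customer} token={token} amount={amount}")
        return token

    def repeat_order(self, customer: str, amount: str) -> str:
        token = self.customers[customer]["token"]      # customer does not re-enter the card
        self.log.append(f"order customer={customer} token={token} amount={amount}")
        return token


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text; the Luhn filter discards most
    timestamps and order IDs, but review hits by hand before acting on them."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = only_digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def merchant_stored_pans(m: Merchant) -> list:
    """Scan everything the merchant persists: customer records and the application log."""
    return find_pans(repr(m.customers) + "\n" + "\n".join(m.log))


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    shop.first_order("alice", "4111 1111 1111 1111", "19.99")   # constructed sample order
    shop.repeat_order("alice", "5.00")
    print("PANs in merchant storage:", merchant_stored_pans(shop))
    print("PANs in a careless log line:",
          find_pans("DEBUG charge pan=4111111111111111 ok"))
```

Run the scanner the same way against real artifacts (database dumps, log directories, backups) before you claim the "transmit only" or "token only" posture; the second print shows what a debug statement that logs the raw card number looks like to the scan, which is exactly the kind of leak that silently widens your scope.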

Conclusion

If you are starting a business in the post dot-com bubble world, you probably have money to invest but not money to burn. You have to be smart about how you allocate resources while the business gets up and running. However, if you are running an established e-commerce site or the e-commerce face of a well-respected brick-and-mortar brand, then paying to do PCI compliance right is worth your while because it will put you in a strong position security-wise to avoid embarrassing headlines and it assures your clients that your company is doing everything it can to protect their private information.

©1996-2011 INetU Inc, All Rights Reserved.