PDA

View Full Version : Is PCI Compliance a growing barrier?



jimr451
06-19-2012, 04:14 PM
Hi all,

I work with a lot of clients that have online stores - e-commerce. A while back I started paying attention to the "PCI Compliance" rules, and learning more about what would be required of my clients. For a long time, it seemed that nobody was bothering the smaller merchants about it, and most of my clients just ignored the rules.

However, in the last few months, I'm hearing from more clients that are being asked to provide the SAQ and quarterly scans of their sites to prove PCI compliance. Some of the "scans" trigger a lot of issues, mostly with the hosting provider - and it becomes a real challenge to get the site compliant.

So my question is - do you think PCI compliance will change the online payment industry? I am thinking of 3 scenarios:

1. PCI compliance gets easier as hosting providers get up to speed, and it becomes a standard (sort of like SSL back in the early days) hurdle for ecommerce.

2. It remains a significant cost for ecommerce sites, and the really small merchants find other ways to sell their products (ebay stores, etc.).

3. Merchants migrate to other payment options - like paypal, or 2co, that send users offsite temporarily, in order to avoid the PCI issue and costs.

Or maybe there are other scenarios. I'm trying to get a handle on how to direct my clients. Of course, many will decide for themselves what to do, but I'm just thinking ahead so I can advise them appropriately.

Thanks for your input.

-Jim

OBGregg
06-19-2012, 04:23 PM
I am a big fan of scenario 3 for most e-commerce options. It mitigates the risk for the merchant (they aren't holding payment data) and the customer deals with recognized industry brand (like PayPal or Googl Wallet or whatever). That recognition helps reduce the likelihood that the customer will get cold feet right before they provide they CC information.

MyITGuy
06-20-2012, 08:43 AM
Some of the "scans" trigger a lot of issues, mostly with the hosting provider - and it becomes a real challenge to get the site compliant.
Unfortunately I don't see the hosting world creating much of a standard as there are hundreds of thousands of hosting providers with more starting every day. The majority of these providers are re-sellers or individuals who are looking to make a quick buck without learning about the infrastructure/software/service they are providing.

In my opinion, the challenges your clients are experiencing to get the site compliant is due to the type of plan your clients choose to pay for. I'm betting that they are relying on the basic/cheaper shared hosting plans which means that hundreds of customers are on the same server and every service needed (FTP, SMTP, POP3, IMAP, HTTP/HTTPS, SSH and more) is available and open to the internet, which is likely to be picked up during your quarterly scan as a vulnerability.

Additionally since this is a shared host the provider may not be staying up to date on all the services/patches as they should be. Either due to lax procedures, or in fear of breaking a bunch of stuff that their clients are using and having to deal with the support calls/tickets.

If you're clients were to use a VPS or Dedicated Server (Choosing the Managed options if they do not have the appropriate IT skills or staff), they will find it much easier to pass these compliance checks.


So my question is - do you think PCI compliance will change the online payment industry? I am thinking of 3 scenarios:

1. PCI compliance gets easier as hosting providers get up to speed, and it becomes a standard (sort of like SSL back in the early days) hurdle for ecommerce.

2. It remains a significant cost for ecommerce sites, and the really small merchants find other ways to sell their products (ebay stores, etc.).

3. Merchants migrate to other payment options - like paypal, or 2co, that send users offsite temporarily, in order to avoid the PCI issue and costs.

PCI Compliance has been around for years, so I don't see it changing anything more than it has. In all honesty, PCI Compliance isn't a significant cost in my opinion. Other than the reporting requirements, you should already have implemented the requirements that are being imposed such as implement a firewall, unique access control, store/dont store certain data, protect data that is stored, run antivirus software and keep things up to date. I believe that covers most of what I remember for PCI Compliance...and to me thats just the basics when it comes to running a business...

MyITGuy
06-20-2012, 08:47 AM
For what its worth, I just ran a compliance check on one of my shared servers and the only items that failed were related to the SSL Certificate which I will have to look into since one is present.

Not bad in my opinion since I don't claim or strive to be PCI compliant...I just keep things secure out of basic practice.

Harold Mansfield
06-20-2012, 10:58 AM
3. Merchants migrate to other payment options - like paypal, or 2co, that send users offsite temporarily, in order to avoid the PCI issue and costs.

It's faster, cheaper and easier.

MyITGuy
06-20-2012, 11:18 AM
It's faster, cheaper and easier.
Faster and Easier, sure.
Cheaper, this would depend on the volume IMO. PayPal/2CO and others charge approximately 2.5% through 5%+ of the transaction (in addition to a monthly fee), compare this to a standard merchant account where they charge approximately 1.5% through 2.5% of the transaction (also in addition to a monthly fee). So if you process anything north of 1K a month with an e-commerce site, avoiding option 3 would be in your best interest.

Harold Mansfield
06-20-2012, 11:25 AM
Pay Pal doesn't charge a monthly fee unless you are using additional services.
Retailers have been using 3rd party payment companies for years. I've never seen a resturant decide to run thier own credit cards to try and save the 3% processing fees.
You add it to your expenses and cost of doing business and adjust your pricing accordingly.

I don't see the big inconvenience myself.

Obviously an Amazon will be different. But I think a 3rd party solution is the easiest and cost effective way for a Mom and Pop or one man (or woman) show.

MyITGuy
06-20-2012, 11:49 AM
Pay Pal doesn't charge a monthly fee unless you are using additional services.
You are correct, looks like they recently (Last year or so) changed that though...however if you don't have the fee you will be redirecting the user to PayPal to complete the purchase, where the Paid options allow you to keep them on your site and integrate with your billing system.


Retailers have been using 3rd party payment companies for years. I've never seen a resturant decide to run thier own credit cards to try and save the 3% processing fees.
That's the point I'm trying to make, restaurants (And others) aren't paying 3% in fees, they are paying closer to 1.5% or even less. You don't see these locations forcing you to pay them through PayPal or 2CO so they can avoid their own PCI compliance guidelines.


You add it to your expenses and cost of doing business and adjust your pricing accordingly.
Sure, which then has an impact on your business as your pricing is now slightly higher than your competitors who are paying less in fees than you are.


But I think a 3rd party solution is the easiest and cost effective way for a Mom and Pop or one man (or woman) show.
As I mentioned, all depends on volume. Just because a business is a one person show or Mom and Pop type location doesn't mean they have a low amount of income.

I.E. At $100 a month, PayPal would collect $29.30 in fees versus a standard merchant account at $27.50...not a big deal right?
At $1,000 a month, PayPal would collect $290.30 in fees versus a standard merchant account at $275.00...still not a big deal right?
At $10,000 a month, PayPal would collect $2,900.30 in fees versus a standard merchant account at $2750...$150/month adds up and might make a merchant account worth investigating.

Harold Mansfield
06-20-2012, 11:53 AM
You point is well taken. At a certain point, just like everything in business, you readjust based on what works best for you.

By the way, you can use Pay Pal and still have customers check out without leaving your site.

jimr451
06-20-2012, 01:33 PM
Thanks for all the feedback!

It seems to me like hosting providers are all over the place - some keep up their server software, others do not. Also the "scanners" all seem to pick on different things, some of which (like DOS vulnerabilities) don't directly relate to credit card security.

My experience is that store owners want the "transparent" experience for their customers, so as much as #3 might make compliance easier, #1 is what would be ideal.

I suppose maybe it's a matter of seeking out hosting providers that advertise "PCI compliant" plans, and moving stores there.

Anyway - great discussion.

-jim

MyITGuy
06-20-2012, 06:47 PM
It seems to me like hosting providers are all over the place - some keep up their server software, others do not. Also the "scanners" all seem to pick on different things, some of which (like DOS vulnerabilities) don't directly relate to credit card security.

Absolutely! There was a discussion recently with another host who was running Windows 2003 and IIS6 who recently failed their PCI Scans (Their OS is almost a decade old and general support has been discontinued). The host had the perspective that they shouldn't be forced to update their server since they can still receive critical updates (PCI pretty much requires you to keep things up to date as I mentioned)...but they didn't get it...


My experience is that store owners want the "transparent" experience for their customers, so as much as #3 might make compliance easier, #1 is what would be ideal.
Agreed! Sending people to another merchants page is tacky in my opinion...plus it takes the visitor away from your site with no guarantee that they will come back after paying to browse more.


I suppose maybe it's a matter of seeking out hosting providers that advertise "PCI compliant" plans, and moving stores there.
That (Be sure to validate and/or read their TOS to confirm), or look for a VPS and either pay the host or a third party to manage everything for you and your clients.

As a note, I do provide hosting as well (Cingular Hosting (http://www.cingularhosting.net)) and if you want to work out something for your clients I would be interested in discussing this further with you.

CD2 Solutions
02-25-2014, 09:00 AM
PCI compliance can be fine, but it can also be just plain wrong. for example, centos 6.5 uses a slightly older version of openssh. this version of openssh had a certain security hole in one particular feature. a feature un-used by centos, but the creators of centos back-ported the security fix anyway, in case somebody used the feature. certain pci compliance checkers don't bother to check this, and will simply assume that your openssh is vulnerable because it isn't the most recent version.

so even though your site is perfectly secure, the PCI compliance checker will mark you down for it. convenient that certain PCI compliance checking companies also offer PCI compliance services.......

which in my opinion is why external/offsite payment services are picking up.

Brian Altenhofel
02-25-2014, 08:11 PM
My experience is that store owners want the "transparent" experience for their customers, so as much as #3 might make compliance easier, #1 is what would be ideal.

This.

I don't recommend #3 to any of my clients, but my e-commerce clients are actually in business to make money. They understand that the customer does not want to be redirected to an external site and that it confuses many customers. They also understand the difference between using a cookie-cutter processor like PayPal at 2.5%+ and a custom processor that can go below 1% (I've personally seen 0.65% before).




I suppose maybe it's a matter of seeking out hosting providers that advertise "PCI compliant" plans, and moving stores there.

You've still got to be careful. Anyone can advertise "PCI compliant", and their raw infrastructure may in fact be PCI compliant while their client accounts are not. It is impossible for a shared host to be PCI compliant, and not all virtualization methods used by VPS/cloud providers are PCI compliant. You should be able to get information from your provider on what parts they are responsible for and their compliance status. Under shared responsibility arrangements, the website owner is only responsible for the parts under their direct control (ideally just the website).

jimr451
02-25-2014, 08:24 PM
All valid points - I've seen a lot of "false positives" in PCI scanning. But I've also seen some clients who, after passing a PCI scan, proudly proclaim "Oh it's good to know my site is secure, and won't be hacked." (or something similar) I try to explain that PCI compliance doesn't mean that, but I don't think it really sinks in. So in some ways the scanning is giving people a false sense of security.

-Jim

Brian Altenhofel
02-26-2014, 02:13 AM
All valid points - I've seen a lot of "false positives" in PCI scanning. But I've also seen some clients who, after passing a PCI scan, proudly proclaim "Oh it's good to know my site is secure, and won't be hacked." (or something similar) I try to explain that PCI compliance doesn't mean that, but I don't think it really sinks in. So in some ways the scanning is giving people a false sense of security.

Same here with FISMA and HIPAA audits.

Compliance and security are definitely two different ballparks. Too many are comfortable with securing to the level of "compliance" and not to the level of "secure".

And as with any compliance standard, it all depends on your auditor as to whether or not you meet the standards because the standards leave a lot of room for interpretation.

JohnF
02-28-2014, 08:21 PM
PCI compliance causes payment options to narrow, as payments get taken by a few payment specialists rather than everyone selling stuff. And that's good, since it leaves payment data in the hands of more secure companies. I don't think it's a huge hurdle, since you can always find a plug and play solution like Shopify. My last job was with a consulting firm that worked on this stuff, and it does become a huge hurdle if you just have to implement your own customized soltuion- choosing to do so is usually a mistake IMO.