Not every company that needs to be PCI certified even knows of the requirement. However, if you handle credit card storage or transactions in your applications or e-commerce site, then you are required to be PCI certified.
If you are a software vendor selling software that enables credit card functionality, you need an additional certification called PABP. I'll talk a bit about these two certifications and tell you a little about the process of becoming PCI certified: why it's good, and what completely sucks about it!
What is PCI?
PCI, or Payment Card Industry, is a required certification for all critical points of credit card storage and transmission. It is the result of an effort by the major credit card companies to develop a security standard, specifically concerning electronic transactions (e-commerce).
VISA has an additional certification called CISP (Cardholder Information Security Program) which follows the PCI Data Security Standard.
What’s the Worst that Could Happen?
From the customer's point of view, their information is hijacked and several credit card charges are run up, with possible identity theft and several other invasive and frustrating repercussions.
From the vendor’s point of view, you can lose customers, bad publicity… oh, and monstrous fines per credit card exposed in the infraction.
Becoming PCI Compliant
Becoming PCI compliant really depends on where you are now, what type of business you do, and which classification you fall under. I would recommend consulting a PCI auditing company to assess your business. This auditing company will most likely also provide you a track for becoming PCI compliant, and will actually perform the audit you will need to pass to gain certification. This is not cheap! The cost of the audit is determined primarily by the size of your operation; that includes the software created on your side, the networking environment it is housed in, and the number of transactions you deal with.
From my experience with PCI certification, the vast majority of the requirements centered around physical and network security. Software security and storage were important as well, of course, but most of the heavy lifting falls onto network administrators. If you have a datacenter, this is where most of your work will fall, as well as possibly a large portion of the money for additional physical security devices if you do not already have them.
As far as software goes, the majority of requirements fall under qualified encryption of credit card data, encryption of the encryption keys themselves (DEK/KEK, as outlined in the PCI requirements), monitoring/logging of access to credit card systems and to specific credit card data, and much more.
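As an added example (not code from the original post), here is the DEK/KEK layering described above in Go using only the standard library: each card record gets its own data-encrypting key, that key is wrapped under a long-lived key-encrypting key, only the two ciphertexts are written to the isolated card store, and every retrieval of a PAN is logged with who asked and why. The 32-byte keys and the card number used when running it are constructed sample values; in practice the KEK would live in a key manager or HSM rather than in application memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"log"
)

// gcmFor builds an AES-GCM AEAD; the constructed 32-byte keys in this example never fail here.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}
// seal returns nonce||ciphertext||tag for plaintext under key, with a fresh random nonce per call.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a tampered record fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := gcmFor(key)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("sealed record too short")
}
// StoreCard generates a fresh 256-bit DEK for this record, seals the PAN under the DEK and
// the DEK under the long-lived KEK; only the two ciphertexts go to the isolated card store.
func StoreCard(kek []byte, pan string) (wrappedDEK, encryptedPAN []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { panic(err) }
	return seal(kek, dek), seal(dek, []byte(pan))
}
// RetrievePAN records who asked and why, unwraps the DEK with the KEK, then decrypts the PAN.
func RetrievePAN(kek, wrappedDEK, encryptedPAN []byte, actor, reason string) (string, error) {
	log.Printf("PAN access actor=%q reason=%q", actor, reason)
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, encryptedPAN)
	return string(pan), err
}
```

Rotating the KEK then means re-wrapping each small DEK rather than re-encrypting every stored PAN, which is why the two-key layering is worth the extra complexity.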
Please see below (at the end of this post) to access a short list of resources to help you in learning more about PCI/PABP compliance and certification.
Why It Can Suck
Well, inherently it's a very good thing. Credit card and identity security is extremely important and was taken too lightly during its infancy. That doesn't mean the process isn't an extreme pain to go through. PCI implementations can and usually do take several months for existing systems; but again, this all depends on the size of the implementation.
The major issue from the software development side is that it adds a layer of complexity for the end users of credit card systems; by end users, I don't mean people purchasing products, but the people who need to manage orders, develop reports, etc. If the system has access to credit card data, they need to be restricted in activity, subject to time constraints (based on activity), required to use strong passwords (this can be a huge pain for users), and much more. Additionally, all credit-card-specific data must be housed on a separate server in an extremely isolated manner. This means very limited access to that server (DB) after it is set up, which slows development and debugging down extremely. Simple retrieval of that isolated data becomes a much greater task because it cannot readily be joined to normal user data that may be housed in your do-everything-else database(s).
From a purely non-technical perspective, PCI certification adds a barrier to entry for software developers who may want to work with credit card transactions but do not feel comfortable putting out the money and effort to become PCI certified. This limitation has the potential to stunt the growth of many e-commerce platforms.
PCI Security Standards Council: https://www.pcisecuritystandards.org/
VISA CISP Program: http://usa.visa.com/merchants/risk_management/cisp.html?it=h4|/merchants/risk_management/cisp_tools_faq.html|Cardholder%20Information%20Security%20Program
Security Metrics (PCI Auditors): http://securitymetrics.com/