I recently worked on the PCI DSS certification process and did some research, vendor analysis, contract negotiation and technology task integration for getting certified through an audit (it is still a WIP). It was a daunting task that highlighted some interesting lessons that I thought could be shared for the benefit of the community. As a Product Manager, my role was limited beyond a certain point, as purely technical tasks around software and hardware took over and I merely coordinated things so that we could work successfully towards certification. All this is being presented largely in the context of an Indian e-commerce setup.
The Payment Card Industry is an interesting game changer in a world of money-driven over-consumption. First, they introduced the addiction to credit through plastic cards and their heavy abuse. Then, they got all merchants (non-consumers) to play along with the high fees and cost structure required as a prerequisite to forcibly do business with them. Unhappy with all this, they then introduced the concept of a data security standard (DSS) and the audit that follows it. Surprisingly, this last change was finally done for the benefit of the consumer! That benefit is now being reaped by a host of boutique IT firms around the world selling their version of PCI rules and certification as a service to merchants who cannot get it done on their own.
So, what is PCI DSS certification and why am I angry with it?
Well, for starters, I am not angry with anything, although I have a very cynical tone. It is just that there is a website called the PCI Security Standards Council (www.pcisecuritystandards.org) where a bunch of people employed to write wonderful content have cooked up a set of rules and regulations around PCI DSS certification and why we need it. The problem is that none of it is useful, although everything written in it is very helpful. The website tries to address every question you may have in your mind about PCI certification, to the point where you no longer understand what the certification is needed for.
Frustration apart, PCI certification was mandated by the payment card industry as a set of security rules required to keep customer data safe within the environment in which you, as a merchant, are doing business. It covers all aspects of an IT and company setup where customer credit card information is captured, stored or transmitted, internally or externally, within a networked environment, both physical and virtual. It has 12 or so mandatory requirements that need to be satisfied by a merchant so that they are considered security compliant in the eyes of the PCI. The only problem is that it is the merchant’s headache to make sure that they are compliant in every manner possible, and the PCI never signs up for any risk that the merchant is exposed to after getting certified. Getting the certification, maintaining the certification and protecting consumer data are all the merchant’s problem, with PCI nowhere in the picture except for levying fines in case a “noticeable” security breach has occurred at the merchant’s end.
So, why is this important in the context of the e-commerce industry in India?
The answer is obvious. E-commerce as a business transacts on the internet, and thanks to very smart hackers who love the internet, an e-commerce business is prone to severe security issues where customer data can be compromised. While several e-commerce players in the developed world have simply taken this up as yet another target in a yearly roadmap of technical tasks, the upcoming players in the Indian e-commerce space have been slow in working towards PCI certification.
One big impediment is the cost associated with getting a full audit done and getting certified. The cost can run anywhere between Rs. 8-12 lakhs depending on the level of technical expertise or consulting help you take from a PCI certification vendor. This is followed by quarterly scans and yearly audits that soon add to the costs. Just so that money is not lost in this unique business model of conducting audits for PCI, scans are done by an approved scanning vendor, a.k.a. ASV. The ASVs are approved by the PCI to conduct scans. Why? Who knows! Those scans could just as well be done by a good engineer in a merchant’s technology team. Much more painful than the cost of getting the initial certification, though, is the investment that needs to be made in hardware, software and network infrastructure to get things right for the PCI audit. This can be a huge dent in resources and cost, depending on how big an e-commerce player you are and what your data needs around customer card information are.
So, how do I know if I am not complying with PCI security standards?
If you are not certified, then you are largely in violation of some rule or the other around the DSS and hence run the risk of being hacked and, as a result, penalized. A quick check as a merchant can be done by (one) talking to your payment processor or (two) checking the checkout stage on your website.
Talking to your payment processor or payment gateway (CCavenue, TPSL, EBS, ICICI Payseal, HDFC, PayU etc.) is needed in the case where you have your checkout integrated with a payment gateway to process customers’ payments and finalize the transaction. This is needed because the payment gateway (which is always PCI DSS certified) shares the risk of non-compliance in case there is a security breach on the merchant’s side due to an improper security practice that led to a hack. Hence, the gateway usually mandates and ensures that the merchant is PCI DSS certified in order to process customer transactions. The rumor (!) is that gateways and banks are rewarded for enforcing PCI DSS certification mandates on merchants (Hmm…). The point to note, however, is that the actual compliance need or mandate comes from the merchant acquiring bank rather than from a payment gateway. The process works in tandem, though, and hence talking to your payment gateway helps get an answer.
Looking at the checkout stage on your website is by far the quickest and dirtiest check when it comes to realizing whether PCI DSS certification is necessary or not. Many Indian e-commerce websites do not collect any credit card information from the customer. If a customer chooses “credit card” as a payment option and proceeds to complete checkout, they are redirected to a payment gateway’s payment page (e.g. CCavenue) where the customer completes the transaction by entering all the card details. In this scenario, the e-commerce merchant is not really bearing any risk of being hacked, nor running into any PCI risks. A basic PCI certification (to be explained later) is recommended but is not really necessary (the unofficial opinion!).
If the checkout stage has a provision for allowing customers to enter their credit card number, following which you directly integrate with a payment gateway to process the customer transaction, then you fall under the purview of a PCI audit. You are required to be PCI DSS certified in order to collect credit card information, even if you are merely holding it in temporary memory and not storing it after the transaction is complete. Direct integration is the method by which a seamless checkout experience is created for the customer by not taking him away from the merchant’s e-commerce site to a payment gateway site to complete the payment. This can be achieved through a special custom integration with payment gateways/banks or through a proper API-based integration with them.
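A crude way to perform the checkout-stage check described above, as an added example that is not part of the original post: it parses a checkout page's forms and flags any form whose card-looking fields post back to the merchant's own host (card data then passes through the merchant, so it is in scope), as opposed to an order id being handed to a gateway that collects the card details itself. The field-name patterns, host names and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic field-name patterns for card data (PAN, CVV, expiry); constructed for this example.
CARD_FIELD = re.compile(r"(card.?(num|no)|pan|cvv|cvc|csc|exp(iry|_month|_year)?)", re.I)


class CheckoutFormParser(HTMLParser):
    """Collects each <form>'s action URL and the names of the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "fields": [str]}
        self._current = None  # the form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_checkout(html, merchant_host):
    """Return (action_host, has_card_fields, in_scope) per form; in_scope means card-looking
    fields post to the merchant's own host (a relative action URL resolves to it)."""
    p = CheckoutFormParser()
    p.feed(html)
    results = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or merchant_host
        has_card = any(CARD_FIELD.search(n) for n in f["fields"])
        results.append((host, has_card, has_card and host == merchant_host))
    return results


# Constructed sample page: a redirect-style form that only hands an order id to the
# gateway, and a direct-integration form that posts the PAN to the merchant's own server.
SAMPLE_HTML = """
<form action="https://gateway.example/pay" method="post">
  <input name="order_id"><input name="amount">
</form>
<form action="/checkout/charge" method="post">
  <input name="card_number"><input name="cvv"><input name="exp_month">
</form>
"""
```

Run `classify_checkout(SAMPLE_HTML, "shop.example")` to see the first form reported as out of scope and the second as in scope; the field-name regex is only a heuristic and will miss unusually named fields.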
I am still confused?
Great, because if you weren’t then you understood nothing. A seamless checkout experience is usually the experience an e-commerce merchant would like to provide to a customer. Also, holding on to a reasonable amount of customer credit card information helps you build a one-click checkout experience, wherein a customer who comes back to make another purchase on the website already has his basic credit card information stored and available for quick selection. Drop-out rates in checkout hurt an e-commerce business, especially if the reason is a transaction completion process that a customer is not comfortable with. In order to do all these things for the customer, one has to be compliant with PCI DSS.
So, what should I do to get certified?
There are two different ways in which you can get PCI DSS certified, depending on the annual number of transactions you generate on your website. The transaction limits are defined individually by the credit card companies into four levels of classification. Level 1 for VISA is any merchant generating 6 million or more annual transactions on the website using the VISA card. Check this link to get the scoop on how VISA looks at merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2
As a merchant in the Indian e-commerce scene, you may not have crossed enough transactions to get to a level 1 classification just yet. This could mean that merchants are possibly under level 2, 3 or 4. This brings an interesting twist to the audit process: the choice between a full onsite audit (expensive) and an internal self-audit (painful).
What is the difference and which audit option should I go for?
A vendor in the business of running PCI scans will always recommend an onsite audit. A merchant is better off doing an onsite audit, as internal resources need not be pulled into tasks that are not necessary for the daily running of the website. An onsite audit must happen if the merchant is a level 1 business. They need to get an annual audit done along with quarterly scans and certifications. For all other levels (including level 4, where things are optional), you can go for filling out something called a self-assessment questionnaire, a.k.a. SAQ. Going for an onsite audit is still recommended, as the DSS checks that one needs to comply with are the same (with a few exceptions) irrespective of whether you go for an onsite audit or a self-assessment. The onus is on the merchant to get all the compliance checks completed in both cases, and based on a conversation with a technology expert I worked with, filling out the SAQ and being compliant with its needs isn’t pretty either. In fact, it amounts to getting the same things done that one would have completed with an onsite audit in place. The convenience factor is lost with the SAQ.
Now, the SAQ is still a viable and cost-effective option for a merchant. In fact, it is an option which, if executed well with a strong technology team, can get you on the road to PCI DSS certification much faster than a regular onsite audit. There are also tools in the market that do full network scans (similar to what your onsite auditor will do) and let you know what is missing from a compliance standpoint and what needs to be fixed. However, the reality leans more towards leaving all the pain of compliance research to a third-party vendor. Coming back to the SAQ, there are four different types of SAQs: A, B, C and D. Each one of them is tailored towards a certain business model or business practice that you adhere to as an e-commerce merchant. The problem is that the definitions of the SAQ classifications can get confusing. It almost makes you nervous about choosing the wrong option, like when filling out a job application. I’ve had everything from a payment gateway provider asking me to fill out SAQ A to a bank asking me to fill out SAQ D. At the end of the day, the technology team said, “let’s go with the onsite stuff”.
Is this for sure the way PCI DSS audit and certification works?
A very good question. In fact, several people have asked me this question and I’ve even asked myself this question time and again. There is no straightforward answer. The Standards Council has given such a vague definition of the various compliance rules that there are people fighting daily over the nuances of the pseudo-legal rules that PCI has come up with. See the comments section of this article for example: http://developer.practicalecommerce.com/articles/2893-Eliminating-PCI-Scope-with-Authorize-Net-s-Direct-Post-Method
Every vendor who has made a business out of PCI scans, audits and certifications has further tweaked the interpretation of the rules to their business advantage, and they seldom give a satisfying picture to the merchants who hire them. In fact, even the banks and payment gateway providers who are ideally PCI DSS certified don’t know why and how they got certified. They give answers, but they don’t give answers that make complete sense. A high-profile Country Head of a leading payment gateway once proposed that we could get a level-4 PCI certification at lightning speed if we went with his product. When I said that levels are not a certification option that you can pick and choose from, he put his high-paying, top-notch job on the line and swore that this is how PCI certification works. When I pushed further, he eventually asked me to go talk to his PCI vendor team and strongly cautioned me that his job expertise lies in this specific area of work. His team eventually accepted that they used the “level” language to make things simple for clients. The last I heard, he hadn’t resigned from his job yet. It is fine, though, as after all I was only taunting him on the technical understanding of what levels meant. Eventually, if you are identified as a level 4 merchant, you get PCI certified for whatever is needed at that level.
What if I get penalized for violation of PCI DSS?
Well, there is no straightforward answer yet again. It depends on the level of the security breach and what amount of customer data was lost. At the end of the day, nobody closes your shop. You pay a fine (which could be heavy) and you need to go through a full audit to resume business the same way as you were doing “before”.
For good or bad, PCI DSS certification helps all e-commerce merchants be on a level footing when it comes to security and protection of customer data. It also helps as a cool marketing tool to build TRUST with customers by tagging oneself as a PCI compliant business (similar to the Verisign trust seal that supposedly gives the shopper some nice fuzzy feeling!). Getting certified also clears the way for Product Managers at an e-commerce merchant to build some useful features for its customers. Last but not least, all these measures don’t necessarily prevent an e-commerce website from being hacked, as hackers don’t check for PCI certification before deciding whether to attack. A strong technology team with strong network security is needed to save a business and its customers’ private information.