Comments on: PCI 101 http://startupsecurity.info/blog/2008/11/03/pci-101/ Security, for Startups Mon, 21 Sep 2009 16:57:21 +0000 http://wordpress.org/?v=2.9 hourly 1 By: Damon Cortesi http://startupsecurity.info/blog/2008/11/03/pci-101/comment-page-1/#comment-13 Damon Cortesi Tue, 04 Nov 2008 03:33:21 +0000 http://startupsecurity.info/?p=76#comment-13 Fantastic points, Mike. I'll re-iterate the specific you mentioned about avoiding PCI compliance: "It’s simple, just don’t ever store, process, or transmit cardholder data - let someone else do it for you." As an example, right after I posted this somebody asked me about a particular shopping cart app and if it was a secure solution. My answer, similar to yours, as long as they redirect to a payment site it should be fine. Handling credit card data in a secure fashion is no easy task, which is why it's much better to let others with the resources to do so, tackle that problem. Fantastic points, Mike. I’ll re-iterate the specific you mentioned about avoiding PCI compliance: “It’s simple, just don’t ever store, process, or transmit cardholder data – let someone else do it for you.”

As an example, right after I posted this somebody asked me about a particular shopping cart app and if it was a secure solution. My answer, similar to yours, as long as they redirect to a payment site it should be fine.

Handling credit card data in a secure fashion is no easy task, which is why it’s much better to let others with the resources to do so, tackle that problem.

]]> By: Mike http://startupsecurity.info/blog/2008/11/03/pci-101/comment-page-1/#comment-12 Mike Tue, 04 Nov 2008 03:04:41 +0000 http://startupsecurity.info/?p=76#comment-12 Damon, you make an excellent point and one that companies need to really be aware of. One of the problems with any new topic, such as PCI, is that the volume of information can be overwhelming. When small startups try to direct the details and differences between: PCI DSS, PCI PIN, and PCI PA-DSS it can be overwhelming. Throw in acronyms such as DSE, ISO, TPP, and people just stop listening. That is why it's very important that we digest the information for our target audience. I've taught the information to large and small companies alike in various industries, and each constituent has a different take home message pertinent to they way they do business. If there is one take home message I would have for your audience it's that PCI only applies to you if you "store, process, or transmit cardholder data." Now I don't have to even define cardholder data before you ask how to get this compliance monkey off your back. It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you. In reviewing a shopping cart recently they had two modes of operation: 1) Solutions that don't require customers to redirect 2) Systems that redirect your customers to a payment site and then back Small startups want to choose number two because it causes the end user to enter their credit card data at the third-party vendor, instead of accepting it themselves. Even if they only accept it for a second on their one web server, now that server is in scope for PCI compliance. So, want to do away with PCI? Don't accept cardholder data online, and let someone else do it for you. But what if a governing body asks me to validate compliance, or provide them a report stating we are doing everything right? Well, you can confidently fill out the Self-Assessment Questionnaire (SAQ) A. This means you only do card-not-present transactions and all Cardholder Data functions are outsourced. This is only 11 questions, instead of the 224 question long SAQ D (they are labeled A, B, C, and D.) Damon, you make an excellent point and one that companies need to really be aware of. One of the problems with any new topic, such as PCI, is that the volume of information can be overwhelming.

When small startups try to direct the details and differences between: PCI DSS, PCI PIN, and PCI PA-DSS it can be overwhelming. Throw in acronyms such as DSE, ISO, TPP, and people just stop listening.

That is why it’s very important that we digest the information for our target audience. I’ve taught the information to large and small companies alike in various industries, and each constituent has a different take home message pertinent to they way they do business.

If there is one take home message I would have for your audience it’s that PCI only applies to you if you “store, process, or transmit cardholder data.” Now I don’t have to even define cardholder data before you ask how to get this compliance monkey off your back.

It’s simple, just don’t ever store, process, or transmit cardholder data – let someone else do it for you. In reviewing a shopping cart recently they had two modes of operation:

1) Solutions that don’t require customers to redirect
2) Systems that redirect your customers to a payment site and then back

Small startups want to choose number two because it causes the end user to enter their credit card data at the third-party vendor, instead of accepting it themselves. Even if they only accept it for a second on their one web server, now that server is in scope for PCI compliance.

So, want to do away with PCI? Don’t accept cardholder data online, and let someone else do it for you.

But what if a governing body asks me to validate compliance, or provide them a report stating we are doing everything right? Well, you can confidently fill out the Self-Assessment Questionnaire (SAQ) A. This means you only do card-not-present transactions and all Cardholder Data functions are outsourced. This is only 11 questions, instead of the 224 question long SAQ D (they are labeled A, B, C, and D.)

]]>