When it comes to processing payments online these days, most people don’t even bat an eye. Shoppers are paying with credit cards, over email, and through Facebook, but for ecommerce sites, payment security risk aversion is integral to how they do business.
Here’s how to make sure that your clients’ sites are staying compliant, and what to do when you’re dealing with an out of date application that’s reached end-of-life.
What does it mean?
First of all, let’s get our heads around what PCI compliance even means.
Originally set by the major credit card companies, the PCI Security Standards Council formed these parameters for payment processing compliance to protect their cardholders from security threats and fraud.
Using a set of qualifications to determine the safety of a point of sale terminal or ecommerce website, these standards are now mandatory best practices between businesses who process card payments and their customers.
The standards for PCI compliance are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
For developers, a separate set of standards has been set by the PCI SSC to ensure websites are processing electronic payments securely:
- Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators
- Maintain instructional documentation and training prog
Penalty fines for non compliance can range between $5,000 and $100,000 a month, and inevitably wind up being the merchant’s responsibility. Additionally, merchants can face steeper transaction processing fees, or even the inability to process electronic payments for their customers in the future for non-compliance.
What Developers Need to Know About PCI Compliance
Thankfully, payment applications and payment gateways have taken care of much of the technical side of ensuring that payments are processed securely. As a developer or site builder, your primary responsibility where PCI compliance is concerned is to ensure that your applications meet the PCI SSC’s standards and stay up to date.
PCI compliance standards are determined by the volume of transactions which a merchant processes. The merchant is assigned a compliance level requirement based on the volume of business that he or she does, and the security of their sites may be tested by an approved scanning vendor, or ASV.
Ecommerce sites fall under PCI SAQ 3.1 and have the following standards:
Whether your client requires an ASV really depends on which payment processors and ecommerce applications you’re running their site on. These charts depict the flow of data, so that you can determine whether your client’s site will need an ASV or not.
The burden of site security is ultimately on the site administrator, which may be you. If that’s the case, the strongest prevention for noncompliance is pretty straightforward:
- Make sure plugins stay up to date
- Ensure that software updates and security patches get installed
- Maintain stringent server security standards
- Make sure ecommerce applications are up to date
What End of Life Means for PCI Compliance
Recently, Magento 1 reached end-of-life, putting thousands of ecommerce sites into a compliance grey area when Adobe stopped issuing official security updates.
While the ecommerce application itself represents only a small part of what PCI compliance truly entails, for merchants still running their ecommerce sites on Magento 1, the important thing to note is there will no longer be security patches and updates issued for the platform. They’re on their own unless they’ve invested in a solution like Nexcess Safe Harbor.
This primarily applies to number seven in the list of PCI compliance measures for developers:
Test payment applications to address vulnerabilities.
With Magento no longer looking after security updates for Magento 1 users, it begs the question: can an ecommerce site be PCI compliant on an ecommerce application that’s reached end of life?
Yes. Nexcess has done it with Safe Harbor.
What to Do When a Platform Reaches End of Life
Magento was built on Nexcess servers. When Magento 1 started approaching end of life, our engineering team jumped to work developing a solution that would allow merchants to decide for themselves when to migrate.
For many Magento 1 store owners, making the move to Magento 2 in the wake of COVID-19 wasn’t financially realistic. Site migrations are expensive and complex, and with so much upheaval and uncertainty, many were understandably scared to make the leap.
So the engineering team at Nexcess came up with a compromise. Nexcess Safe Harbor was built to address Magento 1 end-of-life, keeping ecommerce sites and stores owners PCI compliant until at LEAST the end of 2021, so they can migrate on their own time.
With regular security patches made by the team who literally started with Magento, Nexcess is able to keep Magento 1 sites and stores PCI compliant until they’re ready to make the switch.
End of life doesn’t have to mean the end of PCI compliance.
Get more time, and keep customer data safe with Nexcess Safe Harbor.
Click here to learn more about Nexcess Safe Harbor, or open the chat window at the bottom right of your screen to speak to sales.