PCI Compliance – A dance with multiple partners
More and more merchants are being faced with the requirement to be PCI Compliant in order to avoid recurring banking fees that grow like a snowball: it starts off very small at the top of a hill and is large enough to knock down a house by the time it reaches the bottom.
Merchants going through the process, especially for the first time, are often shocked to find they have to read, review, understand, and comply with approximately 50 pages of questions and documentation to demonstrate that they are PCI compliant. Most small and even medium-sized businesses do not have PCI compliance specialists on payroll; some gamble that they are answering the questions correctly, and some are meticulous as they go through the process. Which group will you fit into?
A number of merchants make the mistake of thinking the PCI compliance dance is between them (their stores and offices) and their web site. They see the dance starting and ending with themselves. Yet the PCI compliance dance involves far more partners:
- The data center that provides services and servers to the hosting provider (they may or may not be the same company; many hosting providers claim they own the data center, yet they are only renting servers from a data center they do not own). Is the data center SSAE 16 Certified (would this be part of the “Build and Maintain a Secure Network” PCI compliance standard?)?
- The hosting provider that hosts your site. Is your hosting provider aware of PCI compliance standards? Do they already have a firm foundation in place for PCI compliance? Since the hosting provider is selling products and services, is your hosting provider PCI Compliant?
- The application provider(s) of the web site. Are your ecommerce applications VISA PA DSS certified? Do your application vendors go through a re-certification process every time they release a new version? Does your hosting provider or application provider alert you when your application(s) are out of date (and therefore more vulnerable to hackers)?
Every day you can read about a hacker or hacker group breaking into a web site to deface it, to steal data, or (more commonly) to use the computing resources available to the site. Sun Tzu, in The Art of War, wrote: “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
If you are going to do ecommerce on the Internet, this means to me that you need to know your partners, or at least how one partner selected another partner. If you yourself don’t know about hackers, then at least one of your partners should know about them well enough to provide a framework, a layered approach, for defending against them.
Are you involved in the PCI Compliance dance? Do you know your partners? Do you need a PCI Compliant hosting provider who takes the dance seriously, who will hold your hand and walk you through every difficult or tedious step?
We believe we are that provider. Contact us for more information.