Is your store vulnerable? 24 out of the top 30 US retailers have online vulnerabilities, per a study by Cyberpion.

Rave Digital is your partner to perform vulnerability remediation promptly upon detection. Once a vulnerability has been discovered, the ideal solution is to remediate it—to fix or patch the vulnerability before it can become a larger issue.

Vulnerability remediation is the patching or fixing of cybersecurity weaknesses. Vulnerabilities are cybersecurity weaknesses that are detected in enterprise assets, networks and applications. Remediation can include resolving misconfigurations, uninstalling high-risk or obsolete software, and auditing ports. Effective remediation requires continuous detection and remediation processes that are called Vulnerability Management. The Rave All Care plans include support for remediation and monitoring vulnerability scans.

Automated Vulnerability Management and Threat Detection is provided by various service providers. Rave Digital has partnered with Qualys, a leading provider of vulnerability scans, to support a large online retailer in their Vulnerability Management Program. Vulnerability scans and remediation is one of the most important and starting points for PCI compliance.

Who needs PCI compliance?

Every business that accepts credit card payments must comply with the Payment Card Industry Data Security Standard or PCI DSS.

As users or shoppers, we all need our financial transactions to be compliant. We need to trust that they have safeguarded our financial details with standard protection. The Payment Card Industry Data Security Standard (PCI DSS) has set the standards for compliance. They devised a series of questionnaires, tests, and other evaluations to meet certification requirements. The requirements will vary based on the organization. Failing to meet these requirements can lead to fines and other penalties.

In this article, we’ll discuss how to start the process, what it might cost for ecommerce merchants, and what role your ecommerce platform plays in meeting the requirements. We’ll also provide some links to other resources that can help you determine your responsibility for staying compliant. Let’s get started!

Do I need to be PCI compliant if I use a payment gateway?

Yes. Most ecommerce retailers use a payment gateway, a third-party credit card processing application, to capture sensitive data. The payment gateway must be PCI compliant.

Braintree and Stripe are popular payment gateways for e-commerce. Their services and applications will capture the payment information and relay the result of the transaction back to the store. The retailer only needs to save the ‘token’ for the transaction to identify the transaction, as in the case of a return, refund, or chargeback.

Most online retailers have a minimal effort to be certified as PCI compliant. You don’t have to deal with the tough network security requirements, but there are aspects of the PCI DSS that you have to comply with. Merchants are required to perform website and server vulnerability checks by Approved Scanning Vendors (ASVs), company security policy audits, and complete the self-assessment questionnaire (SAQs) annually.

How do I get PCI certified?

Online retailers that use a hosted platform like Shopify or Adobe Commerce (formerly Magento) can use the self-assessment questionnaire A, or A-EP if your store’s payment gateway runs via an extension, not a native integration.

Each questionnaire is appended with the Attestation of Compliance, the last section where you declare your store’s compliance status. The SAQ Questionnaire on pcisecuritystandards.org will tell you exactly what sections of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

How much does it cost to be PCI compliant?

This PCI certification cost varies considerably depending on how PCI DSS classifies your business. If you’re a level two, three, or four merchant, you only need to complete a self-assessment questionnaire, purchase a vulnerability scan, and sign an attestation of compliance form.

Vulnerability scanning involves paying an approved scanning vendor, or ASV, to scan your system and check for security vulnerabilities. Merchants and service providers at all levels need to perform these scans. These scans are only available from providers that the PCI Security Standards Council has reviewed and approved. The scans typically cost around $200 and up. Qualys is an industry leading provider of vulnerability scans. They offer paid plans as well as their Community Edition for free. SecurityMetrics is another top-rated vendor.

Rave Digital and PCI ASV Compliance tools like Qualys and SecurityMetrics work together to address vulnerabilities on behalf of Magento retailers. Rave Digital supports fixing identified vulnerabilities as detected by the vulnerability scans. Our maintenance plan Rave All Care also supports Magento stores to perform all patches and version upgrades on the store and its extensions.

Coming in 2022: PCI DSS v4.0

It is important to stay in touch with developments in the requirements. The official release of PCI DSS v4.0 is expected before April 2022. Once released, PCI will support a transition period of 18 months where PCI DSS v3.2.1 will remain active.

Resources: