E-commerce PCI-DSS compliance

Gordon O'Hara
Jun 18

Retail Up's managing partner discusses new financial regulations and how his company can help

The Tube is back up and running here in London, but it may not be the last shutdown this year… The card companies are coming.

And the websites of the UK’s music dealers need to be ready… or face a ‘shutdown’ of their own.

A consortium of credit card companies – having already successfully imposed strict e-commerce credit card processing rules on major companies – is now moving ‘down market’ to impose the same strict requirements on mid-sized and smaller businesses.

In order for stores to continue to accept Visa, MasterCard, American Express and other credit cards, the Payment Card Industry (PCI) Data Security Standard (DSS) will now require stores to provide two proofs of compliance:

•    Positive answers to a 240-question survey of internal policies, programming, hosting arrangements and management controls that apply to the site.

•    A quarterly scan that includes (on average) 25,000 or more tests of your site’s ability to prevent hacker and programming attacks that could allow unauthorised access to card numbers and security codes.

The requirements are substantial and should not be underestimated.

The survey requirements include:

•    A highly detailed programming policy that can be examined at any time on demand.

•    Strict management controls over the methods by which new programming is produced, tested and approved.

•    Hosting facilities will (in essence) no longer be maintained in the store, because of the requirements for controlled access by personnel and for firewalls.

•    Increased attention to how site code is maintained and to how card information is deleted once the transaction is completed.

The programming tests examine:

•    Hosting irregularities
•    Firewall capabilities
•    Coding and programming methods
•    How security certificates and SSL (Secure Sockets Layer) are configured
•    The site’s ability to repel common attacks such as SQL injection (a type of database attack)
•    The current status of patches to the server environment (there’s a requirement to have all patches installed within 30 days)

and others.

Meeting these requirements generally requires monthly attention from network and programming personnel.

The banks that clear credit cards have had the ability to request these reports for some time. However, now that most large companies are in compliance, dealers report that banks are stepping up enforcement on smaller companies in 2009. Further, the turnaround time that banks allow for a response can be as little as 15 business days. Banks retain the right to shut down the shopping carts of sites that do not comply.

The dealers most at risk are those that use ‘off the shelf’ or free e-commerce software and provide their own hosting. The next riskiest are in-house programmed sites that have not yet completed the PCI compliance questionnaires or scanning requirements.

The surest way to compliance is to use a service provider that has already been approved as PCI DSS compliant. With this approach dealers can have the appropriate questionnaires and scans readily available for bank personnel. This allows the store to focus on the internal training and monitoring of the staff assigned to manage a site’s credit card information.

Retail Up – the music industry’s largest provider of website services – announced at LIMS that it is the first music industry company to be a fully PCI compliant service provider. Through the company’s new PCI Up program, dealers that use Retail Up’s system can be assured that their sites will stand up to the forthcoming scrutiny of their credit card processing companies and banks. With PCI Up, dealers have immediate access to the required PCI surveys and quarterly scan reports.

PCI compliance is the lurking surprise that every dealer will face in 2009. Retail Up’s PCI Up program will help dealers maintain uninterrupted services to their customers and meet the card issuers’ requirements to protect the integrity of credit card data. We invite dealers to learn more by e-mailing us. As a service to the industry, we are offering a PCI Up analysis to determine how dealers’ sites can comply with these rules… and prevent the possibility of a shutdown in the future.
