The journey to PCI compliance

Credit card issuers have standardized guidelines, PCI-DSS, to better protect customers' payment information from theft and abuse.

In 2004, the Payment Card Industry Security Standards Council (PCI SSC), formed by representatives from Visa, Mastercard, American Express, Discover, and JCB, collected and aligned their individual data security policies to produce the first Payment Card Industry Data Security Standard (PCI-DSS), or PCI for short. This standard has been updated multiple times since that first draft, but has always aimed to increase the level of protection afforded to credit card holders and reduce or prevent any potential fraud.

Legally, there isn’t a hard requirement for businesses to comply with the PCI standard on a federal level within the United States. Several states have, however, incorporated portions of the standard into their own state laws. Washington state, for example, doesn’t require compliance but does shield compliant entities from liability in the event of a data breach.

The driver behind being PCI compliant isn’t so much strict regulation as it is protecting your business’ reputation in the market. Ensuring PCI compliance means you can be trusted with your customers’ data – failing to remain compliant gives your competition an advantage.

Compliance in development

It can be very tempting to build every aspect of your eCommerce or payment system from scratch. Making a purchase could be as simple as submitting a form for processing on the server. Unfortunately, this means your team also has to build out functionality for refunds, for repeat purchases, for purchase history audits, and for further customer management.

It’s easy to get started, but even easier to make a mistake and compromise customer information.

A safer approach is to rely on a platform like Magento to manage the commerce side of your application. Magento integrates directly with secure payment gateways to ensure your application is compliant with the PCI standard. Having a partner standing by to help navigate the ins and outs of compliance frees your development team to focus on building a quality application instead.

For teams who want deeper control over the customer experience, tools like Stripe provide rich APIs and complete developer support. Customer management can happen entirely within your application while the actual purchase information only flows between your customer and Stripe’s PCI-compliant servers. Your site and application are then also compliant because they never touch customer payment information in the first place!

PCI in fundraising

In 2013, the National Republican Senatorial Committee (NRSC) launched a new fundraising tool called Victory Passport. The primary goal of the tool was to allow donors to “contribute anywhere with just one click – across websites, their email inbox, and their mobile devices.” It was an innovative tool, and it was built on PHP as a base.

While the tool itself was built atop sound engineering principles, the tool’s deployment suffered from some security oversights. Victory Passport was built in PHP, bundled into a WordPress extension, and hosted on servers managed by WP Engine. WP Engine, as a host, is only PCI compliant in specific instances – when payment information is never brought into their server. Every site powered by their platform runs on shared infrastructure; a breach into one part of the system could potentially impact data passing through another part of the system.

The engineering team behind Victory Passport built a great tool. They checked all the boxes to ensure their application was PCI compliant. Except for one – the tool was hosted on servers managed by a third party in such a way as to render the application as a whole noncompliant. Payment information would flow from the front-end of the browser to the application hosted on WP Engine, where it would then be routed to an outside processor:

While the credit card information is secured by encryption as it gets passed to the third-party payment processor, the fact that WP Engine acts as a middleman (however briefly) introduces an element of risk. If WP Engine were somehow compromised, that hacker would theoretically be able to scoop up the financial data moving through its infrastructure whether WP Engine stores the information in its database or not.

The Washington Post

This shows that even large, experienced teams can get PCI wrong. Instead of trying to navigate the standards on your own, work with a quality partner who can help you navigate any potential pitfalls.

Key guidance

The easiest solution for achieving PCI compliance is to not handle customer payment information in the first place. Instead, work with a partner like Stripe or PayPal and let them shoulder the risk of data management. Direct integration with the APIs exposed by these platforms helps blend the customer experience on your site with your application’s existing branding and creates the most consistent experience possible.

A second solution is to use a pre-packaged eCommerce solution like Magento that handles the setup and payment gateway integration for you. Again, this involves shifting the burden of PCI compliance off your team’s shoulders and onto a team that specializes in ensuring applications follow the rules.

Keep in mind that, however you interact with payments, the onus is still on your team to routinely monitor and test your own application for vulnerabilities. A PCI-compliant partner is not a magic pill to ensure lasting security.
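As an added example (not from the original post, and not code from Stripe, Magento or any other product it names): a small Python check, run over constructed sample request bodies, that flags Luhn-valid 13-19 digit numbers. A team using a tokenized flow like the one described above can run this against its own request logs or test traffic to confirm that raw card numbers never reach its server, the kind of routine self-test the last paragraph calls for. The `tok_placeholder` value is a made-up placeholder token.

```python
import re

# Heuristic: a run of 13-19 digits, optionally separated by spaces or dashes
# (the way people type card numbers into a form). Luhn filters false positives.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit numbers found in text, digits only."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Skip degenerate runs such as all zeros, which also pass Luhn.
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI-DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_request(body: str) -> dict:
    """Accept a request body only if it carries no card number; report masked hits."""
    pans = find_pans(body)
    return {"accept": not pans, "masked": [mask(p) for p in pans]}


# Constructed sample bodies: a tokenized purchase (fine) and a raw card (not fine).
SAMPLE_REQUESTS = [
    '{"token": "tok_placeholder", "amount": 2500, "order_id": "1234567890123456"}',
    '{"card_number": "4242 4242 4242 4242", "exp": "12/30", "amount": 2500}',
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(audit_request(body))
```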