The announcement by Visa USA and MasterCard of the combined Payment
Card Industry (PCI) data security requirements marks a watershed moment
in the payment services industry. Finally, a single set of data
security requirements exists for merchants and service providers to
follow. The PCI is very new and the vast majority of those companies
that have achieved compliance with industry standards were validated
against Visa USA’s CISP and MasterCard International’s SDP program. As
such, all references in this article to PCI compliant merchants and
service providers should be understood to include those who are
currently considered compliant with the legacy CISP and SDP programs.
The changes wrought by the recent consolidation include more
categories of merchants, requirement modifications, and document
reorganization.
Visa USA now identifies four categories of merchants that are required
to comply with the PCI. The groupings are based upon transaction
volume. The first three categories of merchants are required by Visa
USA to not only comply with the PCI but to also validate compliance on
an annual basis through a combination of manual (on-site) and automated
means. Merchants in the fourth category (level 4), while still being
held to the same standard of compliance, are NOT required to provide
annual proof of compliance. If this sounds confusing, it is. It is
important to understand that all merchants and service providers,
irrespective of classification, are required to comply with all card
association requirements. Some merchants and service providers,
however, are also required to validate their compliance through either
an onsite assessment or automated means. This creates a
potentially dangerous situation for both the merchants and the
acquirers of smaller (level 4) merchants. Continuing the discussion
started in the January 2005 article, “Flying under the radar, hidden
acquirer risk in high volume hosting”, it is important to recognize
the challenges of validating small merchants housed in shared hosting
environments and the potential liability posed to acquirers.
To summarize the main points of the article mentioned above, merchants
housed in a high-volume, shared hosting environment typically have
little, if any, technical control over their environments and,
unbeknownst to them, may not be operating in a manner that is
consistent with card association requirements. Since many of these are
categorized as Level 4 Visa merchants, and as such are not required to
validate compliance, this situation poses a significant risk to the
merchants’ respective acquirers as it is the acquiring member who
ultimately may be penalized by the card associations for a merchant’s
non-compliance. Consider, for example, a small merchant who is using the
services of a shared-hosting solution that is not compliant. This
merchant may not be required to validate their compliance against the
PCI but they are still required to operate in a manner that is
consistent with the card association standards. If compromised, the
merchant’s member acquirer may be subjected to penalties for their
merchant’s non-compliance.
An integrated “end-to-end” compliance offering that would enable
merchants in a shared hosting environment to achieve compliance with
the PCI by virtue of their use of such an offering would prove ideal.
An Integrated offering would provide two distinct benefits. First, an
integrated offering would remove much of the burden from the merchant
in ensuring that their hosting provider, gateway, and applications are
compliant. As many of these smaller merchants may not have the ability
to validate or influence the various service providers, this provides a
significant advantage.
Second, and more importantly, an Integrated compliance offering would
enable member acquirers to ensure that their level 4 merchants, the
ones that generally ‘fly under the radar’, are operating in a manner
that is compliant with the card association requirements. This would
provide a distinct benefit, as the member acquirers would not have to
worry about being potentially penalized in the event one of their
smaller merchants is compromised.
In its most basic form, an Integrated Compliance Solution consists of
the following four main components:
PCI Compliant Hosting Environment: Logically, any end-to-end or
Integrated compliance offering would need to include a compliant
hosting environment. In much the same way that merchants and gateways
are evaluated for compliance with the PCI, hosting environments should
be evaluated to ensure that they support the PCI and enable their
customers to comply, as well.
VABP Compliant Merchant Application: In 2004, Visa USA released the
Visa Application Best Practices or VABP. The intent was to provide
guidance to application providers so that they can ensure they are
developing solutions that comply with the card association requirements
and support merchant and service provider compliance as well. This
is a critical aspect, as many shopping carts and commerce
applications do not currently support compliance for a number of
reasons that brevity precludes listing in this article. More
information can be found on Visa USA’s website under the CISP / CISP
Training and Tools section.
PCI Compliant Payment Solution (gateway): An end-to-end solution
cannot exist without a PCI compliant payment service ensuring that all
transactions are processed in a secure manner that is consistent with
the card association requirements. Currently, Visa USA lists all of
the compliant payment companies on their website. Any ‘end-to-end’
offering would have to ensure that only payment services that have met
compliance with the PCI can be used by the merchant.
Assessment and Scans by a Qualified Vendor: As stated, an end-to-end,
Integrated compliance offering that enables a merchant to achieve
compliance with the card association requirements simply by using the
solution is more than the sum of its component parts. It is crucial
that any offering that claims to enable compliance be assessed by a
qualified vendor. This point is more easily illustrated with an
example.
It is possible for a shopping cart application developer to partner
with a compliant gateway and hosting provider and still NOT enable the
merchant to fully comply with the card associations. Consider an
example where a PCI compliant hosting company partners with a compliant
gateway and a compliant shopping cart. This partnership develops an
offering and claims that their offering is an ‘end-to-end’ compliant
solution that, by virtue of its component parts, guarantees compliance
to any merchant that uses the solution for their online merchant
processing.
At first glance, it would appear logical that such an offering
employing compliant parts would indeed guarantee compliance.
Unfortunately, this is not always accurate. A truly end-to-end
compliance offering is one that integrates all of the component parts
and must be evaluated independently. This assessment must include a
review of the transaction process, data transmission and retention
practices, and the user interaction. It is not enough to simply say
that ‘Hosting Provider A’ partnered with ‘Shopping Cart B’ using
‘Gateway C’ guarantees compliance.
Expanding on the example above, while a hosting environment may be
evaluated as ‘compliant’, this does not necessarily apply to all of the
offerings it provides. Most shared hosting providers utilize a variety
of different operating systems, management applications, and other
features that they sell as different hosting packages. A quick visit
to some of the more popular web hosting companies’ websites will
illustrate this point. It is possible to purchase a shared account, a
shared “virtual” system, and a dedicated system from the same company.
Each of these provides the user with different functionality and each
may comply with the PCI yet not support compliance through an
integrated solution. In short, depending upon which offering is
selected and the amount of control offered to the merchant, the ease of
achieving compliance with the PCI may vary significantly.
In much the same way, many merchant application providers have
different versions of their software designed for different types of
users and accounts. Evaluating the actual implementation of the
shopping cart in the specific hosting environment, and more
specifically, on the actual type of hosting solution that will be used
(shared, virtual, dedicated) in the Integrated solution is critical.
It is not enough simply to know that the application is able to
support compliance; it must be evaluated in the environment to ensure
that it is configured in such a manner.
Finally, when designing and assessing an integrated compliance
offering, one must consider the merchant’s permissions on the system
and within the application. To truly offer an Integrated solution, the
merchant must be limited in their ability to impact the data or the
systems and devices that store the data. If the merchant is able to
change the configuration of the firewall, for example, the possibility
exists that the merchant could open every port on the firewall and be
completely out of compliance with the PCI.
A number of companies are currently partnered with other service
providers and are developing end-to-end compliance offerings. While
these types of services are still likely several months from being
released, they will provide a significant benefit to member acquirers
who are looking for a way to ensure the compliance of their level 4
merchants.