The Myths of PCI Compliance: A “PCI Compliant Box”
October 16, 2013 - Best Practices・Culture・Security
One of the “perks” of being a PCI Level 1 Service Provider is that we often get asked about becoming PCI compliant by friends and acquaintances. Often it’s by a developer friend who knows enough about PCI to be cautious, but nonetheless really just wants the fastest path to full compliance. Unfortunately, when it comes to achieving PCI compliance “quickly” or “easily”, we don’t generally have the answer our friends want to hear.
This scene recently repeated itself when we had a long-time FoxyCart user report that one of his clients needed to be PCI compliant in order to interact with a 3rd party. The dev was looking at a specific cloud hosting provider that claimed to offer a “PCI compliant box” (i.e., a dedicated or virtual server that was “out of the box” PCI compliant).
So what do we do when somebody simply must handle cardholder data? First, we need to explain what PCI compliance actually is. Next, we explain the options as we see them.
What PCI Compliance Actually Is
So first and foremost, we point to our “PCI DSS: What it is and what it means to you” so we’re starting from the same page. It’s important to note that the vast bulk of the PCI DSS has very little to do with “servers”. Rather, it’s about policies and procedures and access and logging and monitoring and change protocols and application design and much more. So if you’re shopping for a PCI compliant hosting environment, yes, the hosting provider does need to provide an environment that’s capable of being PCI compliant. That’s critically important, but it’s just a small part of becoming truly PCI compliant.
(And of course, there are varying levels of PCI compliance, and as some would say, “The only winning move is not to play.” If you can avoid full PCI compliance, you should.)
But If You Must…
If a merchant truly cannot avoid full PCI compliance, there are a few options.
1. Seriously, try to avoid it altogether. Try harder. Try again 🙂 There are too many options now (gateway-specific transparent redirects, 3rd party hosted iframes or javascript tokenization, hosted payment pages like FoxyCart, etc.) to jump into full PCI compliance.
2. If pockets run deep and time isn’t of the essence, we’d recommend connecting with our QSA (Qualified Security Assessor). QSAs can help you navigate what you need to do immediately, what might be able to wait, and how best to proceed. But this isn’t quick or easy, and full compliance absolutely isn’t cheap. So this doesn’t generally appeal to merchants or devs who’re looking for a quick solution. (This is the option FoxyCart takes. We’ve spent years and considerable resources to become fully and truly compliant.)
3. If for some reason you simply can’t do option #1 or #2… and if you’re willing to throw caution and truth to the wind: you fake it. The 3rd party wants proof of PCI compliance, which is provided in two parts: the AOC (Attestation of Compliance) for the SAQ D; and a quarterly passing security scan from an ASV (Approved Scanning Vendor). Anybody can fill out an AOC with “yes” checkboxes, and with some work you can get hosting to pass a security scan, but that won’t actually make you compliant unless you’re doing everything required by the 220+ requirements you’ve checked “yes” to.
It’s hard to give a good answer here, because the reality is that we’ve spent years and tons of time and money to actually “do” PCI correctly. So we could say, “Yeah, it’s no big deal, just fill out the SAQ and get the scan,” except we know that’s just not how it actually works. Yet we have a strong suspicion that the majority of merchants presenting an AOC for full compliance are, unfortunately, like Pinocchio in the image above.
We’re sure you’ll get a different answer from somebody who’s been in the #3 boat (faking it) and never had to do #2 (full compliance), but from our perspective…
We aren’t QSAs ourselves, but we’ve been in this business long enough to know more about PCI compliance than most. And at this point, our opinion is that unless you have money to burn and literally no other options, there are far better things to do with your time and resources than becoming PCI compliant. Trust us. We’ve done it. 🙂
Want to minimize your PCI compliance burden? It’s up to you, but FoxyCart is free during development, and we’re here to help. Give it a try.