PCI DSS Compliancy for hosted payment pages

26 February 2015

PCI DSS Compliancy for hosted payment pages

I've been dealing with one of our clients today who received a communication from securitymetrics which told him that he needed to sign up for their services in order for his ecom site to be complient with PCI DSS. We've had other clients who have received similar letters, and originally, I thought it might be a scam to scare people into parting with money that they don't need to. Now I have done the research and I can tell you it is 90% scammy, albeit a legal one.

The PCI data security standard is a measure of how secure your payment system is. Essentially, any merchant who stores, transmits or processes credit card information is required to be PCI DSS compliant. Note, the important part of that sentence is "stores, transmits or processes". If you are using a hosted payment provider like paypal or hosted payment pages (this is where your shopping cart system outsources the payment processing facilities to another payment gateway so when you click on 'buy now' the shopper is redirected to a secure server on the payment providers network) then technically, you are exempt from undergoing the security scans, and, at most, all you need to do to prove compliency is fill in a simple self assessment questionnaire (technically, you don't even need to do this in most cases). You do not need to pay for any 'security consultancy experts' to scan your website every 3 months to ensure that it is still secure. In fact, if you do not have a SSL certificate (which many shared hosting environments do not have) then you will fail the security scan anyway. Lack of SSL is one of the reasons many people use hosted payment pages.

Therefore, if you receive and official looking letter from a security firm saying that your website is not PCI DSS complient and that you could be eligible for a fine if you do not remedy this, ignore the scare tactics and find out for yourself whether you need comliency testing, and whether filling in the simple questionnaire will save you a lot of time and money.

Note though, just because you have completed your side of the PCI DSS requirements, doesn't automatically mean you are fully complient. RBS business gateway (formerly worldpay) is not complient following an incident of data breach which lead to russian hackers stealing over 9.5 million dollars from RBS ATM machines.