I have a few questions for PCI compliance

Question

I'm looking at the Merchant accounts, and from what I understand, storing a shipping address is okay for PCI Compliance, is this true? Also, it seems Recurly's API would require SAQ C or SAQ D and I looked at some sample questions:

• Do configuration standards include requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
• Is there a formal process for approving and testing all external network connections and changes to the firewall and router configurations?

I mean, I would think NO for most people. Is PCI compliance ONLY ideal for well established companies? I am sure a lot of people want that seamless checkout, and there are definitely a few services to avoid PCI Compliance, so then why get a merchant account? Is it worth the extra effort? I mean, seeing these sample questions see like a huge hassle already.

Answer 1

PCI compliance is required for any merchant that accepts credit cards.

You're far better off speaking with a company that specializes in PCI compliance. You'll likely need to hire an Auditor to verify your compliance level anyway. I think that this is the wrong forum for a full answer.

However, addressing some of your points:

• Storing the shipping address isn't prohibited by PCI. Most shopping carts do so.
  • However, as a customer I'd appreciate it if the businesses that store my address treat it as valuable, sensitive information, and protect it as if it were credit card data or Social Security numbers.
• DMZ/Firewall configuration is completely off-topic for the site, but in general, yes.
• Your company/business should have its own formal process for testing/verification/documentation, and you will be required to prove that you have this (by giving it to your auditor) and also to prove that you follow it (show change ticket requests tied to configuration changes, or whatever applies in your situation)

Also, bear in mind that PCI Compliance should be considered a bare minimum of good security practices. Being PCI Compliant doesn't mean you're secure. It means that you meet that one particular standard.

Plenty of PCI Compliant companies have been breached, and lost critical/sensitive data, including the type that leads to their customers/employees getting their identity stolen.

When we started going through audits several years ago, it was an eye opener, and after having our eyes opened, we integrated a Secure Development Lifecycle, required tons of training, and learned over time that PCI Compliance is just a start. There's so much out there that PCI doesn't cover.

At any rate, I'd start here, and then determine what level you need to be at.

And as for it being a huge hassle, you are right...

Good security is a hassle. It requires tedious attention to detail. You don't just go out and code things, you do threat modeling, code reviews, penetration testing. your entire process should be documented, with security addressed at every step, from requirements gathering to release. You should be thinking about separation of concerns to ensure that no single rogue developer can infect your website if he or she becomes disgruntled, or that a SysAdmin can't lock everything down and quit (as happened to a city in California not too many years ago).

The amount of detail you have to get to is insane, if you want any protection, and then you still have to live with the fact that you can never reach 100% invulnerable.

And that's just the beginning.

It adds a lot of overhead, and it is a hassle.

But that huge hassle is worth it. When you consider the cost of being breached, not only to you, but to your customers, business partners, etc.