Just one thing...

You don't want to do this.

*yourself

Even for organizations where security is a core competency, breaches are becoming a common occurrence.

(World's Biggest Data Breaches)

So what is PCI?

"PCI DSS"

"The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment."

"PCI DSS"

• Payment Card Industry Data Security Standard
• A voluntary standard established by the major payment providers (VISA, MasterCard)
• Compliance is required for any organization handling credit cards digitally OR in person

Horror Story 2:

The firewall is breached!

Firebase App Audit

• Appthority reviewed 28k apps
• Over 10% of apps reviewed exposed user data
• Leaky backends exposed over 2.6 million unencrypted username/password combinations
• Over 50,000 personal financial records exposed

PCI Compliance overview: 4 Levels

Text

PCI Compliance Levels

• Higher levels have stricter validation requirements.
• Your bank will determine your level.
• Your "level" is the same for all networks (e.g. VISA, MC) even though the guidelines may differ.

PCI Compliance SAQ's

• PCI Compliance is currently on v. 3.3.
• With 3.0 forward there are "Self Assessment Questionnaires."
• For most small businesses, the SAQ is the only validation requirement.

SAQs

• There are different SAQs depending on how your organization processes payment data.
• Your bank will sometimes tell you if you require validation above-and-beyond an appropriate SAQ.

SAQ Types

• There is also SAQ-B for offline-only.
• SAQ-D is 10x longer than SAQ A-EP.
• You require SAQ-D if you don't meet the criteria
  for any other SAQ.
• Even if you require SAQ-D, you'll still want to
  outsource as much as possible.

Compliance is not just a checklist

More than a SAQ

• An SAQ is often the only validation step required to get started, but it is not the end of your responsibility.
• In the event of a breach, you will need to be able to defend your organization's practices and procedures.

Be Prepared

1. Have a person within your organization designated as the owner of all PCI-related issues.
2. Have a written strategy for PCI compliance.
3. Have written procedures for any interactions with payment data.
4. Perform regular reviews of your strategy, technology, and systems.
5. Educate yourself on other requirements (we are not lawyers).

What do I need to process Credit cards online?

1. Checkout Page
2. Payment "Gateway"
3. "Merchant Account"

Checkout page

• Where users enter their credit card information.
• This can live on your own "site" ...
• Or you can direct users to another site managed by your payment processor.
• Often you will be given options to customize the look and feel of an outsourced payment page.

Payment Gateway

• Translates Web API calls to the payment network used by credit card terminals.
• May or may not come with a merchant account.
• Popular providers: Authorize.net, Braintree

Merchant account

• A special account required to process credit cards online or in person.
• Money is usually transferred to your actual bank account every 24 hours.
• Brick and mortar businesses likely have one already with their bank.
• Bank-provided merchant accounts may not be compatible with your gateway of choice.
• Full-service gateways like Stripe and Paypal will provide this for you.

Strategies for e-commerce

• Outsource everything (SAQ-A)
  "Don't touch the data"
• Outsource most things (SAQ-AEP)
  "Don't let the data touch your servers"
• Full control (SAQ-D)
  ... try not to do this.

Outsource everything (SAQ A)

• Your entire checkout flow is outsourced to a PCI-compliant 3rd-party.
• Your organization does not have direct access to customer CC data.
• Easiest, lowest risk

Outsource most things (SAQ A-EP)

• Your checkout flow is hosted in an iframe or on a 3rd party's servers, and you have some control over CSS and JS.
• You use tokenized credit card data for recurring transactions.
• A-EP is a relatively new validation level, designed specifically for e-commerce ease.

Strategies for e-commerce

Examples

Outsource everything (WITH a shopping cart)

• Marketplace (e.g. Etsy, Ebay, Amazon)
• Shopify + Shopify Payments
• BigCommerce + Managed Checkout

Outsource everything (no shopping cart)

• PayPal "Buy Now" Buttons

Outsource most things

• Customized SaaS checkout on your own domain
• Customized 3rd-party payment form (e.g. Authorize.net)
• Embedded payment form on your site (e.g. Stripe, Paypal)
• Your servers handle tokenized CC data, e.g. for recurring billing

Direct gateway integration

Direct gateway integration

• You need complete control of the checkout and payment process.
• Customer credit card data is processed on your servers.
• Your servers interact directly with your payment processor's Gateway via API calls.

Things are going to get a lot more complicated. You should have security and networking experts on your team before attempting this. You will need to hire 3rd parties to verify your servers and software.

Recurring billing & subscriptions

• Storing customer CC data on your servers is yet more complicated.
• Before Stripe, this was really, really hard.
• Now, tokenization is common so you don't have to do this yourself.

Credit card Tokenization

1. The user's credit card number and expiry is transmitted to a payment processor directly from the user's browser.
2. The payment processor returns a token, which the user's browser then forwards to your servers.
3. Your servers can verify the token with the payment processor, then us that token as a short-term alternative to a credit card for charging that customer.