
Business White Paper

http://commercelab.ipcommerce.com

Solving PCI Compliance for E-Commerce Merchants
Published September 23, 2009 by IP Commerce

Introduction
In 2004, the payment card brands aligned their individual cardholder data protection programs to create the Payment
Card Industry Data Security Standard (PCI DSS). This alignment in standards provides an industry-wide framework that
forms the basis of each association’s individual security programs. The objective of the individual programs is to compel
merchants and payment service providers to enact measures that protect cardholder information. The goal of the PCI
DSS is to specify the security controls required to protect cardholder data in the transaction-processing environment from
end-to-end.
Achieving PCI DSS compliance can be a complex and lengthy process, and the merchant often begins it with no knowledge of the total cost of bringing its payment processing in line with the PCI DSS and avoiding decertification. While the process is generally understood and accepted by the largest merchants, the smaller merchant is often left without a resource (or plan) or a concept of cost for achieving and demonstrating compliance.

Merchant Level Definition


The merchant level indicates the complexity of PCI DSS compliance. As a card-accepting merchant, it is important to
determine (both individually and with the payment service provider) the appropriate merchant level to determine
compliance obligations. According to Visa, merchant levels are defined according to acceptance methodology and
transaction volume amounts.

Merchant Level   Description
1                Any merchant – regardless of acceptance channel – processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2                Any merchant – regardless of acceptance channel – processing 1M to 6M Visa transactions per year.
3                Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4                Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to 1M Visa transactions per year.

FIGURE 1: Visa Merchant Level Definitions


PCI Data Security Standard Overview


The PCI DSS is a combination of base principles and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. The high-level requirements, as defined by the PCI Security Standards Council (PCI SSC), are as follows:

Build and Maintain a Secure Network


• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data


• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program


• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures


• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks


• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy


• Requirement 12: Maintain a policy that addresses information security

Whether the PCI DSS guidelines apply to a merchant's business generally comes down to three activities: storage, processing, and transmittal of the Primary Account Number (PAN). If the combination of these activities and the merchant level defines the scope of compliance, how can a small merchant limit or remove these activities from its environment while still accepting credit cards as a payment method?


Hosted Payments Page


The Hosted Payments Page provides a methodology by which the Level 4 merchant can leverage partnerships to provide the storage, transmittal, and processing of cardholder data. Although this greatly reduces the scope of PCI compliance, there are still components of the PCI DSS guidelines that must be addressed; in particular, sub-components of Requirement 9 and Requirement 12. Fortunately, in the scenario of a small e-commerce merchant, this compliance validation can be completed through the use of a much simpler and less costly Self-Assessment Questionnaire (SAQ) Validation Type 1.
A Hosted Payments Page is a PCI compliant service that presents itself in the normal checkout process, calling the merchant shopping cart or website CSS for branding, to present a smooth and familiar payment collection experience to customers. In contrast to other offerings, there are no harsh or delayed transitions to other payment collection pages.
Shifting card security responsibility to a third-party provider is not a novel idea. In fact, familiar market solutions like PayPal have allowed merchants to leverage outsourced payment and processing services for some time, but not without a cost. These traditional redirect services disrupt the checkout flow and surrender branding control to the outsourced partner, often resulting in confused customers, increased cart abandonment, and fewer items per ticket. A hosted payments page, however, implements a cloning technology that preserves the look and feel of the merchant's website during the redirect, giving the end user a seamless experience. Even better, the integration process is impressively simple: deployment and implementation can be completed the same day.

[Figure callout: Seamless branding and checkout flow occurs across merchant and secure payment environments]

FIGURE 2: Normal checkout activities occur at the merchant site
FIGURE 3: Hosted payment page using HTML clone technology


Deployment and Implementation


1. A customer begins to create their order on your site as normal.
2. They proceed to checkout where the CHPP module is installed; they check out in the normal fashion via the secure CHPP-powered payment method and choose Checkout.
3. CHPP servers receive the order and payment request. In a patent-pending process called HTML Clone technology, we retrieve a template file from your site in real time, scrub it for any malicious code, then combine it with our securely stored credit card collection form.
4. CHPP presents to your customer a secure hosted payment page that looks just like your site. With HTML Clone, the customer still has access to all links and live navigation of the merchant's site because our patent-pending technology dynamically matches the merchant's unique template design.
5. The cardholder data and payment transaction are processed in our PCI compliant data center, which connects directly with the payment gateway and banking payment networks.
6. Once the payment transaction is complete, the customer is connected directly back to your shopping cart application, where the order status is updated.

FIGURE 4: CHPP secure "punch through" adds secure payment processing

The implementation of the workflow shown above involves leveraging a secure form post to pass a series of required
fields to the Hosted Payments Page servers. The transaction itself, including the collection and routing of all sensitive
data, is then managed via the servers hosted in a PCI compliant data center. Upon successful completion of the
transaction, a response is returned as key/value pairs in an HTTP POST (postback) to the supplied return URL. An
example of a successful transaction (where return.aspx is the return URL):

https://mydomain.com/return.aspx?order_id=6&code=000&msg=Success&error=&mPAN=XXXXXXXXXXXX1234&name=Joe%20Shopper&type=Visa&exp=1012&transID=&osCsid=ddc2e76644e8dde7308d42606f7f7e74
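As an added example (not code from IP Commerce or the CHPP product), a merchant-side handler for the postback described above, written in Python rather than the ASP.NET return.aspx of the sample: it parses the key/value pairs, confirms the PAN arrives only in masked form, and rejects any payload that would put cardholder data into the cart. The field list, SUCCESS_CODE and the Luhn-based leak check are assumptions drawn from the sample URL.

```python
# Added example (not IP Commerce or CHPP code): merchant-side handling of the
# postback shown above. Field names come from the sample return URL; SUCCESS_CODE
# and the PAN-leak check are assumptions of this example.
import re
from urllib.parse import parse_qs, urlsplit

REQUIRED = ("order_id", "code", "msg", "error", "mPAN", "name", "type", "exp", "transID")
SUCCESS_CODE = "000"                        # code=000&msg=Success in the sample
MASKED_PAN = re.compile(r"^X{9,15}\d{4}$")  # only the last four digits visible
DIGIT_RUN = re.compile(r"\d{13,19}")        # candidate full card number


def luhn_ok(digits):
    """Card-number check digit (Luhn); confirms a digit run really is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_full_pans(params):
    """Values carrying an unmasked PAN; any hit means the cart is in PCI scope."""
    return [f"{k}={run}" for k, vals in params.items()
            for v in vals for run in DIGIT_RUN.findall(v) if luhn_ok(run)]


def handle_postback(url):
    """Validate the postback; return the order update or raise on unacceptable input."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    missing = [f for f in REQUIRED if f not in params]
    if missing:
        raise ValueError(f"postback missing fields: {missing}")
    if find_full_pans(params):
        raise ValueError("unmasked PAN in postback: reject, alert, do not store")
    mpan = params["mPAN"][0]
    if not MASKED_PAN.match(mpan):
        raise ValueError("mPAN is not in masked form")
    approved = params["code"][0] == SUCCESS_CODE and params["error"][0] == ""
    return {"order_id": params["order_id"][0],
            "status": "paid" if approved else "declined",
            "card_last4": mpan[-4:],          # the only card datum the cart keeps
            "card_type": params["type"][0],
            "trans_id": params["transID"][0]}


# Sample postback copied from the white paper; the PAN is masked and not real.
SAMPLE = ("https://mydomain.com/return.aspx?order_id=6&code=000&msg=Success&error=&mPAN=XXXXXXXXXXXX1234"
          "&name=Joe%20Shopper&type=Visa&exp=1012&transID=&osCsid=ddc2e76644e8dde7308d42606f7f7e74")
```

Rejecting a postback that carries a full PAN keeps the cart out of the storage/processing/transmittal categories discussed above and gives an early signal that something upstream is misconfigured.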

As referenced earlier, the majority of PCI Compliance requirements are addressed, as the merchant e-commerce
shopping cart is not collecting, transmitting or storing cardholder data. This “punch through” of security to the shopping
cart, powered by a Hosted Payment Page, greatly reduces compliance scope without sacrificing branding and customer
experience.
Leveraging a PCI certified Commerce Hosted Payment Page can give many e-commerce merchants the assurance that the handling of cardholder data is secure and that the majority of what was once their PCI compliance obligation is being handled by a known certified service, at a greatly reduced cost compared to "go it alone" security compliance or, worse yet, the unbearable fines of a data breach.
Visit CommerceLab to learn how setting up a Commerce Hosted Payment Page in a day can get you on the path to PCI
Compliance.

