
9.1. Critical Reading for E-Commerce Sites

Accepting, Storing, and Transmitting Credit Card Information

You should read this if you are considering storing credit card information yourself, rather than using a third-party processor (e.g. PayPal) or a gateway (like BeanStream).

Although this information applies to all credit card merchants to varying degrees, the combination of E-Commerce and Credit Card Number Storage makes you especially vulnerable.


Fact: All merchants are required to adhere to the PCI Data Security Standards; it is part of the merchant agreements they signed.

Fact: If a merchant is found to be not in compliance, they will be subject to hefty fines. These fines were created by Visa, MasterCard and other companies to act as a deterrent to large financial institutions like Banks. Banks have amended their merchant agreements to pass these fines on to merchants. These fines are very large.

Fact: PCI Data Security Standards compliance is not easy. In fact, it's very difficult. Many banks have decided to simply continue paying the fines to Visa and MasterCard, rather than incurring the huge expense of overhauling their IT infrastructure.

To be PCI DSS compliant for your online store you need to make sure you have the following:

Bistro can only help you with the first of these three - the rest is up to you.

Note: If you use an e-commerce gateway (like BeanStream or Authorize.net), several of the following requirements still apply; but the implications for you and your business are less significant and the potential exposure is reduced.

What are the requirements and which ones are you solely responsible for?

In the chart below, X marks the areas each requirement applies to. Bistro covers the Website Software column; the Office Network and Business Process columns are YOU. A dash means the requirement does not fall on that area.

 #  Website    Office     Business   Requirement
    Software   Network    Process    (notes from the chart are in brackets on the following line)
    (Bistro)   (YOU)      (YOU)
-----------------------------------------------------------------------------------------------------------------
Build and Maintain a Secure Network
 1     -          X          -       Install and maintain a firewall configuration to protect cardholder data
                                     [Required for all computers on the network where cardholder data is stored]
 2     -          X          -       Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
 3     X          X          X       Protect stored cardholder data
                                     [Includes protecting all digital and printed copies of cardholder data]
 4     X          X          -       Encrypt transmission of cardholder data across open, public networks
                                     [Critical if wireless networks are being used]

Maintain a Vulnerability Management Program
 5     -          X          X       Use and regularly update anti-virus software
                                     [Required for all computers on the network where cardholder data is stored]
 6     X          X          X       Develop and maintain secure systems and applications
                                     [Includes process for ensuring software is up-to-date]

Implement Strong Access Control Measures
 7     X          X          X       Restrict access to cardholder data by business need-to-know
 8     X          X          X       Assign a unique ID to each person with computer access
 9     -          -          X       Restrict physical access to cardholder data
                                     [Includes locks on cabinets, restricted access to backups, etc.]

Regularly Monitor and Test Networks
10     X          X          -       Track and monitor all access to network resources and cardholder data
11     -          -          X       Regularly test security systems and processes
                                     [Typically documented quarterly tests are required]

Maintain an Information Security Policy
12     -          -          X       Maintain a policy that addresses information security
-----------------------------------------------------------------------------------------------------------------

*Chart excerpted verbatim from the PCI Security Standard.


Based on the terms of your merchant agreements, by the end of 2007, any organization that accepts credit card transactions by any means (online, telephone, or in person) must be in compliance with the standards.

In practice, though, Visa and MasterCard are first examining the areas of business where their experience shows the highest risk; e-commerce is at the top of the list.


Example Scenario:

Bob's Widgets sells widgets in an online store, has a reasonably secure set of business procedures, and only sells about $15,000 worth of widgets each year.

A customer buys a product from Bob's online store using a credit card that was also used at another online store that sells dongles.

Unknown to Bob's, the credit card number was compromised at the previous online store (the dongle store).

At this point, Visa has to do a forensic audit of the merchants (Bob's widget store and the dongle store) to figure out what went wrong. Visa fines the banks of both stores for the cost of the audit, and the banks pass those fines on to the store owners. These fines generally start at about $50,000.

A VISA-authorized auditor visits Bob and completes a review of Bob's network, and finds that although Bob's systems are good, he hasn't run a review and test in the last quarter, and the auditor finds him "non-compliant" with PCI DSS standards (see requirement 11 above). Bob is then fined and is labeled a "High Risk" merchant. These direct fines to merchants generally start at about $30,000, and "High Risk" merchants are subject to increased merchant fees on each transaction because of the "High Risk" status.

In this case, Bob is now faced with $80,000 in fines, and has been labeled "High Risk" even though his company didn't cause the issue.

Even if he had been 100% PCI DSS compliant, he still would be subject to the $50,000 fine mentioned above, but he would have avoided the additional $30,000 fine. Also, if Bob is a small business owner, he likely signed a personal guarantee on his merchant agreement, and his home is likely on the line if he can't pay the fine.


Additional Resources

PCI Security Standards Council:

https://www.pcisecuritystandards.org


The full PCI Specification can be found here:

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf


There is a self-assessment questionnaire that you can use to evaluate your business here:

https://www.pcisecuritystandards.org/docs/saq_a_v1-1.doc


We highly recommend that you take the time to complete the questionnaire.