
Introduction to On-line Payments & PCI DSS Compliance


A look at on-line payment methods with and without merchant bank accounts. When and who is PCI compliant and for what. The 12 step checklist for being PCI DSS compliant and the possible consequences for being non-compliant.

Presented at WordPress Sydney April meetup.

Published in: Internet

  1. Wil Brown (@DeveloperWil, zeropointdevelopment.com) for WordPress Sydney: Introduction to On-line Payments & PCI DSS Compliance
  2. The traditional on-line payment model (@DeveloperWil #wpsyd)
  3. A merchant account sits in the middle between your bank and the consumer's bank, e.g. PayPal, eWay, WorldPay, NAB, Comm Bank.
     • Annual or monthly fee + set-up cost
     • % fee + fixed amount per transaction
     • Multiple currencies?
       – May require multiple merchant accounts
       – Higher exchange rate (interbank rate + extra %)
  4. Connects your site to the merchant account
     – Collects personal information: name, address etc.
     – Collects payment card information
     – Validates input (hopefully)
     – Submits a transaction to the merchant bank
     – Waits for a response from the merchant bank
     – Acts on the response: success/fail/card stolen/comms error etc.
  5. High level: collect, validate and process user & payment information
     Type 1 = Merchant collects transaction info
     – This is done on the merchant's site
     – Usually the cheaper merchant account type
     – PCI compliance is *mostly* the merchant's responsibility
     Type 2 = You collect all transaction info
     – This is done on your own site
     – Usually the more expensive merchant account type
     – PCI compliance is mostly your own responsibility
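The "collect, validate, act on the response" flow of slides 4 and 5, for the Type 2 case where your own site touches the card data, as an added example in Python (not code from the talk or from any gateway's SDK). It shows the two checks the request handler must get right: validate the input before a billable gateway call, and never let the full card number or the CVV reach logs or storage (PCI DSS requirement 3). The form fields, the `SAMPLE_FORM` dict and the gateway response shape are constructed for the example.

```python
import re

# Constructed sample input; the card number is a publicly documented
# test number, not a real card.
SAMPLE_FORM = {
    "name": "Test Customer",
    "card_number": "4242 4242 4242 4242",
    "expiry": "12/30",
    "cvv": "123",
}
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: rejects mistyped card numbers before any gateway call."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3 allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate_card_input(form: dict) -> tuple:
    """The 'validates input' step of slide 4. Returns (ok, normalised PAN or error)."""
    pan = re.sub(r"[ -]", "", form.get("card_number", ""))
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        return False, "invalid card number"
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", form.get("expiry", "")):
        return False, "invalid expiry"
    if not re.fullmatch(r"\d{3,4}", form.get("cvv", "")):
        return False, "invalid cvv"
    return True, pan


def storable_record(form: dict, pan: str, gateway_response: dict) -> dict:
    """What may be logged or persisted once the merchant bank has answered:
    masked PAN plus the gateway's reference. The full PAN is never written and
    the CVV is never kept after authorisation (requirement 3 forbids storing it)."""
    return {
        "name": form["name"],
        "card_masked": mask_pan(pan),
        "gateway_ref": gateway_response.get("id"),
        "status": gateway_response.get("status"),
    }
```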
  6. Developer focused payment model: Avoiding Merchants
  7. Avoiding Merchants: Stripe – “Payments for Developers”
     – No need for a merchant bank
     – API access for payment transactions
     – 2.9% + 30¢, no monthly fees
     – Payment to your bank account every 2 days as a lump sum
     – Supports subscription/recurring payments using card tokens
     – https://stripe.com/au
  8. Avoiding Merchants: Pin Payments – Australia
     – No need for a merchant bank
     – API access for payment transactions
     – 1.75% + 30c (AUD transactions)
     – 2.6% + 30c (international transactions)
     – Flat exchange rate of 2% + interbank rate
     – Payment to your bank account every day
     – Supports subscription/recurring payments using card tokens
     – https://pin.net.au/
  9. Using Stripe or Pin means YOU need to be PCI compliant for the entire transaction. You are storing/transmitting/processing cardholder data.
  10. Payment Card Industry Data Security Standard: “a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.”
      Who does this apply to? “PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data*.”
      *Not just card data: name, address, email, …
      Ref: http://www.pcicomplianceguide.org/
      Ref: http://www.cio.com.au/article/400300/what_pci_compliance_/
  11. Are you PCI compliant if you have an SSL certificate installed (i.e. HTTPS://)? Even if you have a fancy schmancy 4096-bit military grade SSL certificate?
  12. Are you PCI compliant if you just have an SSL certificate installed (i.e. HTTPS://)? NO. Not even close! PCI compliance is a lot more than just having an SSL cert.
  13. The 12 PCI DSS requirements
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters. Always change vendor-supplied defaults before installing a system on your network
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols
      5. Use and regularly update antivirus software. Make sure that your antivirus software remains current and actively running
      6. Develop and maintain secure systems and applications
      7. Restrict access to cardholder data by business employees on a need-to-know basis only
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
      12. Maintain a policy that addresses information security
      Ref: http://www.cio.com.au/article/400303/pci_compliance_checklist/
      Ref: http://www.cio.com.au/article/400306/pci_compliance_requirements_aussie_businesses/
  14. How do they happen?
      Human error
      – Weak passwords
      – Victim of social engineering
      Outdated systems
      – WordPress version
      – Server version
      Malware
      – Zero-day exploits
      – Outdated firewall definitions
  15. Non-compliance: PCI DSS is not a legal requirement. Non-compliance can be subject to:
      – Fines ranging from $5,000 to $50,000 monthly
      – Card replacement costs
      – Costly forensic audits
      – Brand damage
      – Suspension of merchant card processing
      – Civil litigation from breached customers
      Ref: https://www.pcicomplianceguide.org/pci-faqs-2/
      Ref: http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html
  16. PCI Standards Council: https://www.pcisecuritystandards.org/pci_security/educational_resources
      Understanding the 12 requirements of PCI Compliance: https://www.dimensiondata.com/Global/Downloadable%20Documents/Understanding%20The%2012%20Requirements%20Of%20PCI%20DSS%20Opinion%20Piece.pdf
      Dummies Guide to PCI Compliance: https://www.qualys.com/forms/ebook/pci-compliance-for-dummies/
  17. • [Front Cover] examiner.com
      • [2] blaze1.findmyhosting.com
      • [9] stripe.com
      • [10] pin.net.au
      • [Back Cover] zeropointdevelopment.com
  18. • 20+ years in IT: Dev & SysOps
      • WordPress Developer since 2008
      • Plugins, APIs, Security & Systems Integrations
      • Organiser WPSyd & WordCamp Sydney
      • zeropointdevelopment.com @DeveloperWil
      • ♥ Pizza & Beer
