PCI Security Standards Impact Parking Credit Card Operations
July, 2014
By Philip Yu
Do you sell parking permits online? Do you allow the public to pay for parking citations through your website? Can consumers make reservations for event parking through your website? If the answer to any of these questions is yes, “PCI 3.0” will have an impact on your operation.
The Payment Card Industry (PCI) Security Standards Council (www.pcisecuritystandards.org), in an effort to decrease the risk of credit card compromises, released the latest version PCI DSS 3.0 in late 2013 with enhanced security standard. (DSS is short for Data Security Standards.)
If your operation accepts online credit card payments, you will be impacted.
Until now, the common practice for collecting sensitive payment information from the customer has been redirecting him or her to a hosted order page (HOP), managed by a third-party payment management company – typically a bank or card processor.
This prevents your website from transmitting cardholder data, because the data are collected directly by the payment management company, and PCI compliance is their responsibility.
This “redirecting” approach has been compliant under PCI DSS 2.0, but is no longer compliant under PCI DSS 3.0, which went into effect as a voluntary standard Jan. 1, 2014, and will be mandatory starting Jan. 1, 2015.
In order to redirect the payment data collection to a hosted order page, your website must maintain the web address, port and other pertinent information related to the HOP. This still poses risks, because cyber-criminals can insert malicious code to compromise your security.
For example, you may have heard about “man in the middle” attacks on websites; here’s how they work:
When a consumer enters the card data into the webpage and clicks “Submit,” he or she is redirected to a malicious website that mimics the payment page of the legitimate provider’s system, instead of to the authentic website. Cyber-criminals can capture the card data and sell or use them for fraudulent transactions.
PCI DSS 3.0 addresses this scenario specifically by requiring organizations that conduct business online to take several additional steps to achieve compliance. To prevent “man in the middle” attacks, you will have to install and maintain additional security controls to achieve compliance.
PCI DSS 3.0 requires significant effort from the payment card industry in general, and in particular, it impacts organizations that rely on vendors that host their websites or redirect to a HOP managed by independent payment management companies.
To put this in perspective, the new Self-Assessment Questionnaires (SAQs) for PCI DSS version 3.0 have 139 questions in the SAQ A-EP, compared with the 13 questions in the existing SAQ-A. (SAQ A-EP is for “Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing.”)
If you conduct transactions online, you should start planning for PCI DSS 3.0 compliance now – if you haven’t already – and examine your website and infrastructure.
It’s important to consult with the vendors that host your website and provide payment management, and to understand what they are doing to comply with PCI DSS 3.0. It’s especially important to start conversations with a security consulting company if you host your own website and send credit card information through a HOP.
Contact Philip Yu, Director of Product Management for T2 Systems, at
philipyu@t2systems.com.
The Payment Card Industry (PCI) Security Standards Council (www.pcisecuritystandards.org), in an effort to decrease the risk of credit card compromises, released the latest version PCI DSS 3.0 in late 2013 with enhanced security standard. (DSS is short for Data Security Standards.)
If your operation accepts online credit card payments, you will be impacted.
Until now, the common practice for collecting sensitive payment information from the customer has been redirecting him or her to a hosted order page (HOP), managed by a third-party payment management company – typically a bank or card processor.
This prevents your website from transmitting cardholder data, because the data are collected directly by the payment management company, and PCI compliance is their responsibility.
This “redirecting” approach has been compliant under PCI DSS 2.0, but is no longer compliant under PCI DSS 3.0, which went into effect as a voluntary standard Jan. 1, 2014, and will be mandatory starting Jan. 1, 2015.
In order to redirect the payment data collection to a hosted order page, your website must maintain the web address, port and other pertinent information related to the HOP. This still poses risks, because cyber-criminals can insert malicious code to compromise your security.
For example, you may have heard about “man in the middle” attacks on websites; here’s how they work:
When a consumer enters the card data into the webpage and clicks “Submit,” he or she is redirected to a malicious website that mimics the payment page of the legitimate provider’s system, instead of to the authentic website. Cyber-criminals can capture the card data and sell or use them for fraudulent transactions.
PCI DSS 3.0 addresses this scenario specifically by requiring organizations that conduct business online to take several additional steps to achieve compliance. To prevent “man in the middle” attacks, you will have to install and maintain additional security controls to achieve compliance.
PCI DSS 3.0 requires significant effort from the payment card industry in general, and in particular, it impacts organizations that rely on vendors that host their websites or redirect to a HOP managed by independent payment management companies.
To put this in perspective, the new Self-Assessment Questionnaires (SAQs) for PCI DSS version 3.0 have 139 questions in the SAQ A-EP, compared with the 13 questions in the existing SAQ-A. (SAQ A-EP is for “Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing.”)
If you conduct transactions online, you should start planning for PCI DSS 3.0 compliance now – if you haven’t already – and examine your website and infrastructure.
It’s important to consult with the vendors that host your website and provide payment management, and to understand what they are doing to comply with PCI DSS 3.0. It’s especially important to start conversations with a security consulting company if you host your own website and send credit card information through a HOP.
Contact Philip Yu, Director of Product Management for T2 Systems, at
philipyu@t2systems.com.
