PCI Compliant Hosting: PCI DSS and Online Payment Process


The Payment Card Industry Data Security Standard specifies the minimum security requirements for software vendors, merchants, and any other organization that processes or transmits credit card data. Whether you deal with payments directly or use a third-party payment processor, compliance is mandatory; otherwise you can be banned from accepting cards or charged monthly fines. To accept credit card payments, you need PCI compliant hosting and must meet the other PCI requirements discussed in this article.

This article also walks through the complete process of making an online payment with a credit card, the merchant PCI DSS levels, quality assurance techniques, and more.

What is PCI DSS?


PCI DSS, short for Payment Card Industry Data Security Standard, is a set of security standards created by Visa, MasterCard, JCB International, Discover Financial Services, and American Express in 2004. The standards are governed by the Payment Card Industry Security Standards Council (PCI SSC), a compliance scheme that aims to prevent data breaches and secure credit and debit card transactions.

Overview of PCI Security Standards

PCI security standards are a set of rules and guidelines for any organization that stores or processes cardholder data. The technical requirements are defined for three main sectors: software vendors/developers, device manufacturers, and acquirers (merchants or service providers). Issuers and service providers are the most vulnerable group when it comes to consumer data loss. Websites that process online payments also need PCI compliant hosting.


The three standards relate to each other as follows:

a. PCI Data Security Standard (PCI DSS)

This is the core standard and is designed for vendors and merchants. It specifies the controls and methods that must be in place to protect cardholder data.

b. Payment Application Data Security Standard (PA DSS)

This standard applies to software vendors, developers, and other organizations that build and sell payment-processing software. It ensures that only secure, approved payment processing is used in the application.

c. Personal Identification Number (PIN) Transaction Security Requirement (PTS)

This standard is for manufacturers of the payment-processing devices that businesses use at the POS (point of sale). Businesses should use devices that comply with PTS.

What are the Merchant PCI DSS Levels?

Keep in mind that the PCI guidelines apply to every party involved in this process. Merchant PCI DSS compliance is divided into four levels, differentiated by annual transaction volume. The details vary by card brand, but the following gives an overview of the basics.


Level 1

This level is for merchants or vendors that process more than 6 million transactions per year, and for those that have experienced a cyber-attack resulting in the compromise of cardholder data. Because of their huge transaction volume, they need to take additional measures to safeguard their processing systems, and they use PCI compliant hosting to maintain the required security. Every merchant at this level should complete an annual internal audit and conduct quarterly PCI scans to assess vulnerabilities. Check the latest requirements before setting your procedures.

Level 2

Merchants that process 1 to 6 million transactions per year fall into this level. They should complete an annual risk assessment using the SAQ (Self-Assessment Questionnaire) and conduct quarterly PCI scans to spot weak points.

Level 3

This level covers merchants that process 20,000 to 1 million transactions per year. They should complete an annual risk assessment using the SAQ and conduct quarterly PCI scans to meet the vulnerability requirements.

Level 4

This level is for merchants that process fewer than 20,000 e-commerce transactions per year, and for those that process fewer than 1 million e-transactions per year. They should also complete an annual risk assessment using the SAQ and conduct quarterly PCI scans to keep their compliance up to date.

Every Credit Card Transaction Involves the Following Participants

Cardholder

The person who holds a credit card issued by a bank. A cardholder is either a “transactor”, who repays the full balance, or a “revolver”, who repays only a portion of the balance while the rest accrues interest.

Merchant

The online store or vendor that sells products or services to a cardholder and accepts credit card payments. The merchant asks the issuing bank to pay the charges from the cardholder’s account.

Acquiring Bank

The acquiring bank receives payment authorization requests from the merchant and forwards them to the issuing bank through the proper channel. It then relays the issuing bank’s response to the vendor or merchant.

Acquiring Processor

A third-party entity that provides the device used to accept credit cards, sends the payment details to the Credit Card Network (CCD), and returns the response to the acquiring bank.

Credit Card Network (CCD)

CCDs operate the networks that process credit card payments all over the world and govern the interchange fees. CCDs such as Visa and MasterCard receive the credit card payment details from the acquiring processor and forward the authorization request to the issuing bank. The CCD is also responsible for sending the issuing bank’s response back to the acquiring processor.

Issuing Bank

The bank or other financial institution that issued the credit card to the cardholder. It accepts or rejects each transaction request it receives from the CCD.

Credit Card Transaction Process

Credit card transactions are processed through a variety of platforms, including brick-and-mortar stores, e-commerce stores, wireless terminals, and phone or mobile devices. The entire cycle, from the moment you swipe your card through the card reader until a receipt is produced, takes place within two to three seconds. Using a brick-and-mortar store purchase as the model, the transaction process breaks down into three stages (clearing and settlement take place at the same time): Authorization, Authentication, and Clearing & Settlement.

Stage 1: Authorization

In this stage, the merchant or vendor needs approval for payment from the credit card issuing bank.

The cardholder presents the credit card to the vendor/merchant at the point of sale (POS). The merchant swipes the card through the POS terminal, and the payment details are sent to the acquiring bank over the internet. The acquiring bank then forwards the details to the CCD (Credit Card Network).

The CCD clears the payment and sends a payment authorization request that includes the following:

  • Credit card number
  • Expiry date
  • Billing address
  • Card security code
  • Payment amount

As you can see in the picture given below:

Authorization

Stage 2: Authentication

Authentication is required for any online transaction. The card’s validity is checked using fraud-protection tools such as AVS (Address Verification Service), card security codes, and CID.

The financial institution or issuing bank will receive the payment authorization request from the CCD and validate the card number, check the account balance, verify the billing address, and validate the CVV number. The issuing bank approves or rejects the transaction and sends back the response to the vendor/merchant using the same channels: CCD and the acquiring bank.

Once the merchant receives the authorization, the financial institution places a hold for the purchase amount on the cardholder’s account. The POS terminal collects all approved authorizations in a “batch” at the end of every business day. After authentication, the customer receives a receipt and the sale is complete; the full process is shown in the picture below.

Authentication

Stage 3: Clearing & Settlement

In this stage, the transaction is posted to both the merchant’s statement and the cardholder’s monthly billing statement simultaneously.

At the end of every business day, the merchant sends all approved authorizations to the acquiring bank. The acquiring processor forwards the information to the CCD for settlement, and the CCD forwards each approved transaction to the appropriate bank. This process usually begins within 24 to 48 hours of the transaction. The financial institution transfers the funds less an “interchange fee,” which it shares with the CCD, and the acquiring bank receives its percentage from the remaining funds.

The acquiring bank then transfers the amount for the purchases to the merchant’s account, less a “merchant discount rate.” The transaction is posted to the cardholder’s account, and the cardholder pays the bill after the specified period. The complete process is shown in the picture below.

Clearing & Settlement
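The three stages above, worked through as an added example that is not code from the original article or from Temok: a merchant, an acquiring bank, a card network (CCD) and an issuing bank pass along an authorization request built from the five fields listed under Stage 1; the issuer validates the card and places a hold; the merchant batches approved authorizations; and end-of-day settlement pays the merchant less the interchange fee and the merchant discount rate. The participants, the fee rates (1.8% interchange and 2.5% merchant discount), the test card number and the amounts are constructed assumptions, and a Luhn check stands in for the issuer's card-number validation.

```python
"""Simulation of the three stages described above: authorization, authentication,
and clearing & settlement. Added example, not code from the original article; the
participants, fee rates, sample card and amounts are constructed assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
INTERCHANGE_RATE = Decimal("0.018")        # assumed; kept by the issuer, shared with the CCD
MERCHANT_DISCOUNT_RATE = Decimal("0.025")  # assumed; charged to the merchant by the acquirer

# The five fields the article lists in the authorization request (billing_zip is what AVS checks).
AuthRequest = namedtuple("AuthRequest", "card_number expiry billing_zip security_code amount")

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, standing in for the issuer's card-number validation."""
    digits = [int(c) for c in pan if c.isdigit()]
    plain, doubled = digits[-1::-2], digits[-2::-2]   # from the right: keep, double
    total = sum(plain) + sum(d * 2 - 9 if d > 4 else d * 2 for d in doubled)
    return len(digits) >= 12 and total % 10 == 0

@dataclass
class CardAccount:
    pan: str
    expiry: str
    billing_zip: str
    security_code: str
    credit_limit: Decimal
    balance: Decimal = Decimal("0")             # posted charges
    holds: list = field(default_factory=list)   # approved but not yet settled

class IssuingBank:
    """Stage 2: validates the request relayed by the CCD and places a hold."""
    def __init__(self, accounts):
        self.accounts = {a.pan: a for a in accounts}
    def authorize(self, req):
        acct = self.accounts.get(req.card_number)
        if acct is None or not luhn_valid(req.card_number):
            return False, "invalid card number"
        if acct.expiry != req.expiry:
            return False, "expiry mismatch"
        if acct.billing_zip != req.billing_zip:
            return False, "AVS mismatch"
        if acct.security_code != req.security_code:
            return False, "CVV mismatch"
        if acct.credit_limit - acct.balance - sum(acct.holds, Decimal("0")) < req.amount:
            return False, "insufficient funds"
        acct.holds.append(req.amount)        # hold on the purchase amount
        return True, "approved"
    def settle(self, req):
        """Stage 3: post the held amount to the cardholder; pay out less interchange."""
        acct = self.accounts[req.card_number]
        acct.holds.remove(req.amount)
        acct.balance += req.amount
        return req.amount - (req.amount * INTERCHANGE_RATE).quantize(CENT, ROUND_HALF_UP)

class CardNetwork:
    """The CCD: relays between the acquiring side and the issuing bank."""
    def __init__(self, issuer): self.issuer = issuer
    def forward(self, req): return self.issuer.authorize(req)
    def settle(self, req): return self.issuer.settle(req)

class AcquiringBank:
    """Relays to the CCD; at settlement deposits funds to the merchant less the MDR."""
    def __init__(self, network):
        self.network, self.retained = network, Decimal("0")
    def request_authorization(self, req):
        return self.network.forward(req)
    def settle_batch(self, batch):
        deposit = Decimal("0")
        for req in batch:
            from_issuer = self.network.settle(req)
            to_merchant = req.amount - (req.amount * MERCHANT_DISCOUNT_RATE).quantize(CENT, ROUND_HALF_UP)
            self.retained += from_issuer - to_merchant   # acquirer's share of the fees
            deposit += to_merchant
        return deposit

class Merchant:
    """Stage 1 starts here; approved authorizations are batched until end of day."""
    def __init__(self, acquirer):
        self.acquirer, self.batch = acquirer, []
    def sell(self, req):
        ok, reason = self.acquirer.request_authorization(req)
        if ok: self.batch.append(req)
        return ok, reason
    def end_of_day(self):
        deposit, self.batch = self.acquirer.settle_batch(self.batch), []
        return deposit

def run_day():
    """Constructed trading day: two approved sales and one with the wrong CVV."""
    card = CardAccount("4111111111111111", "12/26", "10001", "123", Decimal("500"))
    merchant = Merchant(AcquiringBank(CardNetwork(IssuingBank([card]))))
    sales = [("123", "100.00"), ("999", "20.00"), ("123", "49.99")]
    results = [merchant.sell(AuthRequest(card.pan, card.expiry, "10001", cvv, Decimal(amt)))
               for cvv, amt in sales]
    held = str(sum(card.holds, Decimal("0")))   # holds remain until settlement
    deposit = merchant.end_of_day()
    return {"results": results, "held": held, "merchant_deposit": str(deposit),
            "cardholder_balance": str(card.balance), "acquirer_retained": str(merchant.acquirer.retained)}
```

Calling `run_day()` shows that the sale with the wrong security code never reaches the batch, that the two approved amounts sit as holds on the cardholder's account until settlement, and that the fee arithmetic follows the text: the issuer pays out less interchange, the acquirer credits the merchant less the merchant discount rate and keeps the difference.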

How Can You Secure Cardholder’s Data?

The PCI Security Standards guidelines suggest two approaches for closing any loopholes in the process and keeping cardholder data safe:

Technology

Integrate software, hardware, third-party services, and PCI compliant hosting to form a secure application that will protect the cardholder data.

Security

Security is a vital part of any online business, so use comprehensive methods and procedures to keep your system as free of vulnerabilities as possible.

It is equally important for every organization that handles online payment transactions or holds confidential data to guard against malware and viruses in order to prevent data breaches. Always use approved and trusted antivirus software, keep it active and up to date, and review the log files continuously.

Why PCI Compliant Hosting?

Most online businesses need to meet PCI compliance requirements but lack the experience and skills to build PCI compliant systems from scratch. They turn to third-party PCI compliant hosting from providers such as Temok, which has the professional team and infrastructure to achieve compliance without difficulty.

Why recommend a PCI compliant hosting provider? Because the provider takes care of your server and delivers both network security and physical security. Such providers understand the importance and requirements of delivering a system that complies with PCI DSS, whereas it is very hard for an organization to hire a separate expert for every task associated with its server and security.

Although PCI compliant hosting is mainly used for online stores or businesses that involve online payment processing systems, it is equally useful for other types of businesses that need to protect their confidential data.

PCI DSS Requirements


Maintain a Secure Network

  1. Install and maintain a firewall
  2. Change default passwords and use complex ones

Protect cardholder data

  1. Protection of cardholder data must be your priority
  2. Always use encrypted communications over public networks

Vulnerability Management Processes

  1. Install anti-virus software and keep it updated regularly
  2. Develop secure systems and applications and maintain them properly

Strong Access Control

  1. Restrict access to cardholder data on a need-to-know basis
  2. Assign a unique ID to each user with computer access
  3. Physical access to cardholder data must be restricted

Monitor and Test Networks

  1. Keep track of all access to data and network resources
  2. Security systems should be updated and tested regularly

Information Security Policy

  1. Define a policy that addresses information security for employees and contractors
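As an added example (not code from the original article or from Temok) of the "protect cardholder data", "strong access control" and "monitor and test" requirements applied to a merchant's own records: stored card numbers are rendered unreadable (a keyed hash for matching plus a first-six/last-four masked form for display), security codes are refused at write time because sensitive authentication data must not be kept after authorization, every read is tied to a unique user ID whose role decides its need-to-know view, and every attempt, allowed or denied, is written to an audit log. The user IDs, roles, key and sample records are constructed assumptions.

```python
"""Constructed example of the 'protect cardholder data', 'strong access control'
and 'monitor' requirements applied to a merchant's record store. Added example,
not code from the original article; user IDs, roles, key and records are assumed."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Assumption: in a real deployment this key lives in a key-management service, never in source.
TOKEN_KEY = b"constructed-demo-key-do-not-use"

# Sensitive authentication data must not be kept after authorization, whatever the field is called.
FORBIDDEN_FIELDS = {"security_code", "cvv", "cvv2", "cid", "track_data", "pin"}

# Unique user IDs (no shared accounts) mapped to a role; the role defines need-to-know.
USERS = {"u1042": "support", "u2077": "fraud_analyst", "u3001": "marketing"}
ROLE_VIEW = {"support": "masked", "fraud_analyst": "token"}   # marketing: no view at all

def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def tokenize_pan(pan: str) -> str:
    """Keyed hash of the PAN: records for the same card can be matched without storing the PAN."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()

class CardholderDataStore:
    def __init__(self):
        self.records = {}
        self.audit_log = []   # one entry for every store/read/search attempt, allowed or not

    def _audit(self, user_id, action, target, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                               "action": action, "target": target, "outcome": outcome})

    def store(self, user_id, record_id, fields):
        """Persist a transaction record with the PAN rendered unreadable."""
        leaked = FORBIDDEN_FIELDS & {k.lower() for k in fields}
        if leaked:
            self._audit(user_id, "store", record_id, "rejected: " + ",".join(sorted(leaked)))
            raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
        pan = fields["card_number"]
        self.records[record_id] = {"pan_token": tokenize_pan(pan), "pan_masked": mask_pan(pan),
                                   "expiry": fields["expiry"], "amount": fields["amount"]}
        self._audit(user_id, "store", record_id, "ok")

    def read(self, user_id, record_id):
        """Return the view the caller's role is entitled to, or refuse."""
        view = ROLE_VIEW.get(USERS.get(user_id))
        if view is None:
            self._audit(user_id, "read", record_id, "denied")
            raise PermissionError(f"user {user_id!r} has no need-to-know for cardholder data")
        rec = self.records[record_id]
        self._audit(user_id, "read", record_id, "ok:" + view)
        shown = "pan_masked" if view == "masked" else "pan_token"
        return {"pan": rec[shown], "expiry": rec["expiry"], "amount": rec["amount"]}

    def find_by_card(self, user_id, pan):
        """Fraud-analyst lookup of records for one card; matches on the token only."""
        if USERS.get(user_id) != "fraud_analyst":
            self._audit(user_id, "search", mask_pan(pan), "denied")
            raise PermissionError("search by card is restricted to fraud analysts")
        token = tokenize_pan(pan)
        hits = sorted(rid for rid, rec in self.records.items() if rec["pan_token"] == token)
        self._audit(user_id, "search", mask_pan(pan), f"ok:{len(hits)} hits")
        return hits

def demo():
    """Constructed records and access attempts; returns the outcomes for checking."""
    store = CardholderDataStore()
    store.store("u1042", "txn-1", {"card_number": "4111 1111 1111 1111", "expiry": "12/26", "amount": "100.00"})
    store.store("u1042", "txn-2", {"card_number": "4111111111111111", "expiry": "12/26", "amount": "49.99"})
    outcomes = {"support_view": store.read("u1042", "txn-1"),
                "analyst_hits": store.find_by_card("u2077", "4111-1111-1111-1111")}
    try:   # a record that still carries the security code must be refused
        store.store("u1042", "txn-3", {"card_number": "4111111111111111", "expiry": "12/26",
                                       "amount": "5.00", "cvv": "123"})
    except ValueError as e:
        outcomes["cvv_store"] = str(e)
    try:   # marketing has no need-to-know
        store.read("u3001", "txn-1")
    except PermissionError as e:
        outcomes["marketing_read"] = str(e)
    outcomes["audit_outcomes"] = [entry["outcome"] for entry in store.audit_log]
    return outcomes
```

The audit log records the denied and rejected attempts alongside the successful ones, which is what a reviewer needs when checking "who accessed cardholder data and when"; the store itself never holds a full PAN, so a dump of `records` yields only tokens and masked numbers.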

Implement a Quality Assurance Process

Any website must be checked for the required functionality to give users a good experience. But for online businesses that process payments, you can never ignore security or the regulations governing card payments for the products or services you provide. Credit card payments made online fall under the PCI DSS regulation, and the following summarizes its major compliance requirements:

  • Build a secure network and use PCI compliant hosting
  • Protect cardholders and consumers’ critical/confidential information
  • Use a reliable anti-virus to prevent vulnerabilities
  • Set up an access control mechanism
  • Regularly monitor and test your system
  • Follow a comprehensive information policy

POS (point of sale) systems that do not store consumer data, or third-party payment processing systems, can be used. Every business is responsible for its consumers’ data, and the website needs to be secured during payment processing in the following areas:

1. PCI Compliant Hosting

Every payment processing website should use SSL certificates and reliable PCI compliant hosting servers. Some organizations try to reduce expenses by using shared web hosting, but every financial institution or online payment processing website should use dedicated servers. Before choosing a hosting provider, make sure its hosting server, shopping cart, and hosting plans meet the PCI standards.

2. Shopping Cart

You are not only protecting the client’s data but must also protect your online business. Select a reliable and reputable shopping cart software that is PA DSS compliant. It will help you to protect the confidential data by blocking malicious attacks. 

3. Employees

Conduct technical training for your staff and provide proper guidelines so that they help you prevent data breaches. Make sure you use a dedicated server and that all devices, wired or wireless, connect through that server. Keep your main server up to date and install reliable antivirus software and firewalls.

Conclusion

In short, every merchant or organization that accepts credit cards and deals with online payments should follow the PCI DSS standards. PCI compliant hosting is very expensive to build in an in-house environment, so it is better to obtain it from a hosting provider. For more details about PCI compliant hosting, you can contact us for a free consultation.


Temok IT Services
© Copyright TEMOK 2024. All Rights Reserved.