There are two important standards which web developers and their clients in Massachusetts need to know about. They are:
- PCI Compliance. This affects everyone who stores or processes credit cards. It can also affect anyone who is doing any form of e-commerce online.
- Massachusetts 201 CMR 17.00 or Standards for the Protection of Personal Information of Residents in the Commonwealth. These standards can affect anyone who stores or processes electronic (or paper) information about Massachusetts residents.
Let me provide a quick overview of these two standards, and then mention how they will affect small to medium-sized businesses with regard to their web development needs.
The PCI Security Standards Council is a policy entity founded by representatives from the major credit card companies. Its purpose is to ensure that all vendors who process card information comply with standards and reporting regulations, for the purpose of keeping cardholder data secure. The Council defines PCI Compliance and helps organizations to become PCI Compliant.
PCI Compliance requires that you identify your security level by completing a self-assessment questionnaire (SAQ). Depending on your SAQ level, you must comply with certain standards, such as having a verified third party (a qualified security assessor, or QSA) scan your site for vulnerabilities, encrypting all card data with strong encryption, and using dedicated (vs. shared or virtual) servers. The most difficult level will be level 5 (D): vendors who are storing card data for "one-click" ordering.
In order to work with the QSA, you need to go through a process which involves your hosting company as well as your web developer. The QSA will expect the self-assessment questionnaire to be completed. They will then perform a web scan of your site, which affects your web host, as the scan may require some changes in server configuration. There may be some back and forth during that process, which can slow things down for some organizations. To remain PCI compliant, the QSA must continually scan your site, and they will notify you if known vulnerabilities are detected.
States have adopted their own sets of standards. In Massachusetts, it is called Massachusetts 201 CMR 17.00, or "Standards for the Protection of Personal Information of Residents in the Commonwealth". This standard requires the protection of the personal information of state residents*. Not actively enforced, these standards might only be used post facto were a breach to occur (e.g. as a basis for a lawsuit). They could also form the basis for future regulation. If you are PCI compliant at level 4 or 5, you should also be compliant with CMR 17.00.
Massachusetts 201 CMR 17.00 defines “Personal Information” as “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.”
There are several notable stipulations in Massachusetts 201 CMR 17.00. Compliant organizations are required to:
- Encrypt forms which collect personal information on the site; a 1024-bit SSL certificate will satisfy this requirement.
- Block access to non-public sites after multiple unsuccessful login attempts.
- Encrypt data stored on laptops (of interest, but not affecting the web).
- Have firewall software, anti-virus software, and operating system patches in place (less notable because most IT systems already have these).
- Comply with a variety of employee reviews and procedural requirements, such as maintaining a “comprehensive security program”.
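The lockout stipulation in the list above, as an added example that is not part of the original post or Neptune Web's own code: a per-account tracker that counts failed logins within a sliding window and refuses every attempt, including one with the correct password, until the lock expires. The threshold, window and lockout durations are assumed values, not figures from 201 CMR 17.00.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the post): lock after 5 failures seen
# within 15 minutes, and keep the lock for 30 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60

class LoginGuard:
    """Per-account failed-login tracker with a temporary lockout."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> lock expiry time

    def is_locked(self, account, now):
        """True while a lock is in force; clears the lock once it has expired."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)  # start again with a clean counter
            return False
        return True

    def record_failure(self, account, now):
        """Count one failure; returns True if this failure triggers a lock."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # age out failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def attempt(self, account, password_ok, now):
        """Gate one login. Returns 'locked', 'ok' or 'denied'."""
        # A locked account rejects even a correct password, so a guesser
        # cannot learn from a later 'ok' that an earlier guess was right.
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        return "locked" if self.record_failure(account, now) else "denied"
```

Timestamps are passed in as plain seconds so the logic can be exercised deterministically; in a web application you would pass `time.time()` and typically key on the account rather than the client IP, since shared proxies make IP-based locks both leaky and easy to trip for legitimate users.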
PCI and Data Compliance Impact on Small and Mid-Sized Businesses
So how are PCI and CMR17.00 recommendations affecting small and medium sized businesses (SMBs) who are our clients here at Neptune Web?
Generally, PCI compliance is the most difficult hurdle for SMBs to deal with. Since it only affects customers doing e-commerce transactions, many businesses are not affected at all. CMR17.00 has generally been less of a burden for SMBs, since many companies aren’t storing or transmitting credit cards or social security numbers, and since PCI compliance covers nearly all of the CMR17.00 requirements, depending on the level. Since both recommendations are good practice, businesses have already taken many of the steps required by both CMR17.00 and PCI compliance.
Some businesses are concerned that any form found on their site must have an SSL certificate – even a simple “contact us” form. This seems a bit absurd given the promiscuous information sharing on the Internet today. An SSL certificate is not required by CMR17.00 as long as “personal information” (credit card, social security number, bank account, not found in any public resource, see definition above) is not being passed or stored through those forms.
Making your site PCI compliant can increase hosting costs, because any site that processes (transmits) card data needs a dedicated server and a firewall. (To store cards, at least 2 dedicated servers are required.) For small businesses taking a few transactions, a cost of $700/month or more is prohibitive, and they just don’t want to deal with the security of credit cards. We’ve seen many of our customers convert their card processing to an offsite system hosted by a third party such as PayPal or Authorize.net. In this scenario, the user is redirected to the third-party site to enter their card information. Usability is negatively affected, but for these customers it’s still worth it because they can continue to host on a shared host, which is much less expensive than a dedicated server and easier to maintain.
Lately, I’ve found customers have been more inclined to avoid the problem altogether and use an end-to-end hosted system such as Yahoo Store or Amazon’s e-commerce service.
We’ve seen businesses that aren’t doing “big time” e-commerce moving their payment processes to offsite vendors at the cost of reduced usability. The risk just outweighs the benefits (mainly usability) for these customers. Any customer using a shared or virtual web host fits into the “small time” category. Only customers who have an e-commerce component, which is a big enough part of their business that the usability really matters, will become PCI compliant as level 4. Very few clients will become level 5 vendors due to the high hosting costs (which will be as much as most Boston area apartments – $1500-2000/month). Those that do tend to have in-house web development and IT staff.
Our eCommerce Recommendations
For e-commerce sites, Neptune generally does not recommend storing credit card data, due to the increased cost, risk and regulatory burden imposed by these standards. If you decide to become a level 5 vendor, the requirements will be very difficult to fulfill. This is important because storage of card data is necessary for "one-click" ordering. For level 5 vendors, at least 2 dedicated servers must be used to store cards - one for the web host and the other for the database. All card data must be encrypted. In addition, at least one firewall must be in place. These requirements will increase hosting costs significantly.
A level 4 (vs. level 5) designation means that the e-commerce projects our clients do with us will be significantly smaller, as you will not have to deal with encryption of cards, the systems administration required for 2 machines, and the overall complexity this introduces.
Generally, I think both PCI and CMR 17.00 requirements are pretty reasonable. We’ve been doing most of these things for years anyway, but without a formal “checklist” by an outside organization. The requirements are helping psychologically - by keeping security first in people’s minds. We’re seeing a lot more SSL certificates being requested, which can mean more management, costs, and another thing for clients to remember. Until now, SSL over a shared IP address (virtual hosting) has not been well supported. I expect that to change soon. SSL should become more available and more widely used.
FYI: We’ve been a Rackspace fan for years and recommend Rackspace's PCI compliance toolkit, whether cards are stored or not.