MarketPlace Information

North Foundation Hall, Room 120
318 Meadow Brook Road
Rochester, MI 48309-4454

PCI DSS Compliance

PCI DSS is a mature standard to which we have all been adhering for a number of years. It is easy to let things settle as you maintain your compliance program. However, compliance is not an end in itself. Here are two thoughts that we urge you to consider:

  • Do not become complacent with compliance. Continually reevaluate and reassess your environment to ensure you continue to meet all criteria for relevant systems. Do not just meet the letter of the law; consider the intent, also.
  • Go beyond compliance. Compliance is fine, but security should be your goal. At the end of the day, can you say that your systems (regardless of PCI scope; see "Hosted Payment Pages" below) are secure?

*Information extracted from the TouchNet SafeCommerce Bulletin

Hosted Payment Pages: Out of scope, not out of mind

Hosted payment pages allow merchants to reduce the size of their PCI footprint.

As stated by MasterCard: "[while hosted payment pages] may help the merchant in reducing PCI DSS scope, it does not remove the need for a robust information security program to be implemented around the merchant's web environment to mitigate data security vulnerabilities."

Consider the following example. You have a web page at your university that links over to your TouchNet U.Commerce application. If an attacker can modify your page to link or redirect users to their own site and craft their site to appear like a typical payment page, then they may be successful at compromising your constituents' card data and other personal information.

While a web page that merely links over to the payment pages may technically be considered "out of scope" for PCI DSS, it is not out of scope for attackers. You are urged to consider such sites when designing, implementing, and operating your security controls. Please review the references noted below for more detailed background, risk considerations, and mitigation strategies.
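One defensive check that follows from the example above, added here and not taken from the bulletin or from TouchNet: a monitor that parses a university web page and flags any anchor, form action or meta-refresh redirect that would send users to a host other than the approved hosted-payment host. The allowlisted host name and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the hosted-payment host this page is expected to
# hand users to. Hypothetical name, not a real TouchNet domain.
ALLOWED_PAYMENT_HOSTS = {"secure.payments.example.edu"}

class LinkTargetCollector(HTMLParser):
    """Collects every place a page can send a user: anchors, forms, meta-refresh."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(("a", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "5; url=https://host/path"
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))

def find_unexpected_targets(html, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """Return (kind, url) pairs that point off-site to a non-approved host, to an
    approved host without https, or to javascript:/data: URIs. Relative links
    stay on the university's own site and are not flagged."""
    collector = LinkTargetCollector()
    collector.feed(html)
    flagged = []
    for kind, url in collector.targets:
        parsed = urlparse(url.strip())
        host = parsed.netloc.lower()
        if parsed.scheme in ("javascript", "data"):
            flagged.append((kind, url))
        elif host and (host not in allowed_hosts or parsed.scheme != "https"):
            flagged.append((kind, url))
    return flagged

# Constructed sample page: a relative link and the legitimate payment link pass;
# the look-alike host and the injected meta-refresh redirect are flagged.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=https://pay-portal.example.net/checkout">
</head><body>
<a href="/tuition/overview">Tuition overview</a>
<a href="https://secure.payments.example.edu/pay">Pay tuition</a>
<a href="https://secure.payments.example.edu.attacker.test/pay">Pay now</a>
</body></html>"""
```

Running this against a fetched copy of each page that links to the payment portal, on a schedule, turns an "out of scope" page into one whose tampering is noticed.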