Credit card processing with an external payment gateway: Riskier than you think?

These days is seems businesses will do almost anything to escape the rigours of PCI-DSS (the Payment Card Industry Data Security Standard), that infects the operations of any organisation daring to process payment by credit or debit card. Got customers who want to pay? Try cash and carrier pigeons, it's easier. Got customers who don't want to pay? Take them to court, it's quicker. OK, so Riskmonkey is getting a little carried away again, but it's fair to say that PCI-DSS is not the most flexible or accommodating standard in circulation, and there is simply no way round it if you want to take card payments.This is understandable though - the security risks involved are extreme. A single weakness in your IT infrastructure could be sufficient to expose sufficient details on your entire customer base for identify theft or just plan old theft of cash. Given the rectification costs in the event of a data security incident and the fact that if you are a big company hackers will target you for card details, even PCI-DSS compliance can seem like a bargain.

However, it's understandable that many companies, particularly those with under 20,000 transactions a year who can qualify for the lowest level of supervision under the PCI-DSS standard, try to avoid the cost entirely. This is a reasonable course of action, and if you never store card details yourself but hand over the entire task to a PCI-DSS compliant payment gateway you may have to do nothing more than a fairly minimal type-A self assessment.

However that doesn't mean you can sleep easy knowing customer card data is secure, as there may still be a number of crucial weaknesses in your data security controls.

For example, how does data get on to the third party system in the first place?

  • If your staff or customers write down the details, for example on an application form, you're already storing card data, even if it is only temporarily and the data is subsequently destroyed.
  • You staff will be handling the payment details. How do you know they will not make copies or use the details for unauthorised transactions. Proper training, vetting, and supervision are still required.
  • Is there a delay between receiving the payment details and processing the transaction? if so, where are the details stored? if on a computer, you're into electronic storage and your systems immediately fall fully within the remit of PCI-DSS. If on paper, are they held by remote workers or sales staff, in a shopping mall, in a briefcase in a car boot, or in your incoming post which is opened in reception and circulated in the internal mail. All this creates risk that needs to be managed and controlled. To give so,me examples, if your remote sales team drive to clients, ban them from keeping their case in their car overnight. If details are held on laptops, they should be fully encrypted at an absolute minimum.
  • What facilities does your payment gateway provide? Assuming we're processing the card payments using a web interface, the company will probably also provide online reporting functionality. If so, how much information does this provide on your customers and transactions, and who has access?
  • Who has access to the payments interface anyway? If it isn't controlled by your network security, ask yourself whether your staff leavers and staff changes procedures ensure that access is removed in a timely manner.
  • Does the payment gateway integrate with other systems, even if only to transfer general customer and order details? If so, is that data transfer secure and is the information held securely in the destination system?

Finally, don't forget that even if you've ticked all the boxes and you're storing no data, you still need to talk to your payment gateway and merchant account provider about your PCI-DSS self assessment questionnaire.