How to achieve PCI Compliance with XMPie uStore

Summary: This article describes how to achieve PCI compliance with XMPie uStore.

Audience: XMPie, channels and customers

Overview and Motivation

XMPie offers uStore as an eCommerce platform. In many cases, uStore customers (merchants) build online stores which include credit card clearing. When credit cards are being cleared, PCI (Payment Card Industry) compliance becomes a mandatory requirement. This document explains how to achieve PCI compliance for your uStore-based stores.

uStore makes PCI compliance easier to achieve by offering integrated payment gateways (see List of payment gateways integrated into uStore), so that credit card data is handled by the gateway rather than by the merchant's store.

The following two payment methods incorporated in uStore are helpful with regard to PCI compliance:

  • Redirect method (Hosted payment gateways) – clearing is done in the payment gateway’s website.

  • Direct method (API/Non-hosted payment gateways) – clearing is done via API from uStore webpages to the gateway servers.

The Redirect method allows merchants to offer a seamless checkout process that satisfies most of the PCI requirements. Once a customer clicks the payment button in the uStore store, he/she is redirected to the payment gateway’s website to fill in the payment details. Once the payment is completed, the customer is redirected back to the store to finish the checkout process. Thus, the payment forms are integrated into the checkout process, but no sensitive data flows through the uStore application server.

The Direct method allows customers to enter their credit or debit card information directly on the uStore checkout page. The payment information is sent using API queries directly to the payment gateway, without sensitive data being stored on the uStore application server. Thus, updates to the core uStore application server can be performed without having to go through a PCI compliance re-assessment.
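The Redirect method round trip described above, as an added example that is not uStore's or any listed gateway's code: the store sends the buyer to the gateway with only order data (no card fields) and, on return, verifies the gateway's response before marking the order paid. The gateway URL, the shared secret and the HMAC-SHA256 return signature over order_id|amount|status are assumptions standing in for whatever a real gateway specifies.

```python
"""Illustrative Redirect-method (hosted payment page) flow for a store server.

Assumptions (not from uStore or any real gateway): the gateway signs its
return parameters with HMAC-SHA256 over "order_id|amount|status" using a
merchant secret. The store never sees card data, but it must still
authenticate the return leg, or anyone could forge an "approved" return.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

GATEWAY_URL = "https://gateway.example/hosted-pay"       # hypothetical gateway
SHARED_SECRET = b"merchant-secret-from-gateway-portal"   # constructed sample


def _sign(order_id: str, amount: str, status: str) -> str:
    msg = f"{order_id}|{amount}|{status}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_redirect_url(order_id: str, amount: str, return_url: str) -> str:
    """Step 1: send the buyer to the gateway. Only order data is included."""
    params = {"order_id": order_id, "amount": amount, "return_url": return_url,
              "sig": _sign(order_id, amount, "request")}
    return f"{GATEWAY_URL}?{urlencode(params)}"


def handle_return(query_string: str, expected_amount: str) -> bool:
    """Step 2: the gateway redirects the buyer back. Verify before marking paid."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    try:
        order_id, amount = q["order_id"], q["amount"]
        status, sig = q["status"], q["sig"]
    except KeyError:
        return False
    # Reject forged or tampered return parameters (constant-time compare).
    if not hmac.compare_digest(sig, _sign(order_id, amount, status)):
        return False
    # The amount must match the store's own record, not just the URL.
    return amount == expected_amount and status == "approved"


def gateway_simulated_return(order_id: str, amount: str, status: str) -> str:
    """Stand-in for the gateway side: builds the signed return query string."""
    return urlencode({"order_id": order_id, "amount": amount, "status": status,
                      "sig": _sign(order_id, amount, status)})
```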

As a result of these integration options, uStore-based merchants are able to validate compliance via self-assessment at the SAQ A or SAQ A-EP level rather than the more demanding SAQ D level (see Which SAQ best applies to my environment?).

In addition, XMPie, being the application developer, can provide a completed SAQ D form for requirements 6 and 12.

List of payment gateways integrated into uStore

Redirect gateways

  • PayPal Web Site Payment Standard

  • Ogone Redirect

  • Authorize.Net

  • MultiSafepay

The Twelve Requirements of PCI

Note: The information below is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.

Since uStore is already geared towards supporting PCI compliance, the twelve requirements described below can be easily achieved.

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  1. Protect stored cardholder data.

    Note: With both the Redirect and Direct methods integrated with uStore, there is no stored cardholder data to protect, because it is not stored in uStore.

  2. Encrypt transmission of cardholder data across open, public networks.

    When using the Redirect method, uStore does not need to encrypt cardholder data, since it does not flow through uStore.

Maintain a vulnerability management program

  1. Use and regularly update anti-virus software.

  2. Develop and maintain secure systems and applications.

As the base for merchant store applications, uStore is a secure application developed following standard industry procedures.

Implement strong access control measures

  1. Restrict access to cardholder data by business need-to-know.

  2. Assign a unique ID to each person with computer access.

  3. Restrict physical access to cardholder data.

Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data.

  2. Regularly test security systems and processes.

Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel.

PCI Compliance terms

Updated information about PCI Compliance can be found at: https://www.pcisecuritystandards.org/.

What is PCI compliance?

PCI Compliance means that your business meets the requirements established by the Payment Card Industry (PCI) Security Standards Council. The council is run by the five major credit card companies – Visa, MasterCard, Discover, American Express and JCB International – and is responsible for enforcing the PCI Data Security Standards (PCI DSS). In order to be compliant, you must meet these standards.

Why do customers need to achieve PCI compliance?

PCI compliance enables merchants who sell products via credit card clearing to safeguard their buyers’ payment card information. This means following security requirements that include policies and procedures, software design, and network architecture.

Why must customers be PCI-compliant?

The credit card associations require merchants to securely handle this information at all times. Merchants who fail to comply with PCI requirements can expect large fines and may also lose their ability to process payments.

In addition, large clients of these merchants are already aware of this regulation and require it prior to using uStore.

What does PCI help you protect?

In order to protect cardholder data, it is important to understand what it is and where it can be found. The PCI DSS applies wherever account data (such as a primary account number from a credit card) is stored, processed or transmitted.

What is the SAQ?

The Self-Assessment Questionnaire (SAQ) functions as a self-validation tool to assess security for cardholder data. It includes a series of questions for each applicable PCI Data Security Standard requirement. It is important to choose the right SAQ, but organizations often aren’t sure which SAQ they have to complete, especially given the changes introduced between versions. It is best to check with your acquiring bank which SAQ is applicable before starting the process. The challenging part is often the completion of the SAQ itself.

Which SAQ best applies to my environment?

There are five different SAQs a merchant must choose from, depending on how the merchant processes, stores, or handles credit and debit cards.

Entities should ensure they meet all the requirements for a particular SAQ before using the SAQ. Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) to identify the appropriate SAQ based on their eligibility.

For instructions on how to fill the SAQ, see https://www.pcisecuritystandards.org/pci_security/completing_self_assessment.

The following figure shows the SAQ selection process.


Created by: Hanan Weisman and David Shalom, last updated by Mohammad Mansour: June, 2024