From the eCommerce Summit in Atlanta June 3-4, 2009 where Mountain Media explains the topic of PC Compliance for online merchants. Visit http://www.ecmta.org to find out more.

1. PCI Compliance and the Online Merchant

2. PCI Compliance Explained Melanie Beam Director, Business Development

6. PCI DSS Principles and Requirements Requirement 12: Maintain a policy that addresses information security Maintain an Information Security Policy Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Regularly Monitor and Test Networks Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Implement Strong Access Control Measures Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Maintain a Vulnerability Management Program Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Protect Cardholder Data Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network Associated Requirements Principle

7. What are the merchant levels? These are based on your annual transaction volumes MOST ECOMMERCE MERCHANTS FALL INTO LEVEL 3 OR 4 Any merchant processing fewer than 20,000 ecommerce card transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M transactions per year. Level 4 Any merchant processing 20,000 to 1M ecommerce credit card transactions per year. Level 3 Any merchant -- regardless of acceptance channel -- processing 1M to 6M card transactions per year. Level 2 Any merchant -- regardless of acceptance channel -- processing over 6M card transactions per year. Any merchant that the card companies, determine should meet the Level 1 merchant requirements to minimize risk. Level 1 Annual Transaction Volume Merchant Level

9. Self Assessment Questionnaire Validation Must comply with requirements in SAQ-D. and may require a Report on Compliance from a Qualified Security Assessor.These are the same the requirements that are required of PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers. Cost to comply is well over $50,000 and requires written policies and procedures. Requires the operating service providers are PCI-DSS certified. This includes the web hosting provider and data center. Not required to perform quarterly scans, but recommended. Must comply with SAQ-C. Does not require PCI compliant web hosting, but may be necessary to complete the SAQ-A. Not required to perform a quarterly vulnerability scan, but recommended. Hosting Environment Managed PCI compliant product like Rack Space PCI hosting and PCI Compliant Ecommerce application. Card holder data can be stored for later use. Allows the customers to save cards for later purchases. Type 5 (The Hardest) Credit card payments are made at the merchant’s website. Using a shopping cart solution with Authorize.net is an example. Ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing. No cardholder data can be stored. Type 4 (Most Merchants) The purchaser must be redirected to the service provider’s website to complete the purchase. Using Paypal Payments Standard is an example. All cardholder data functions are performed by a PCI compliant third-party. No cardholder data can be stored or transmitted. Type 1 (The Easiest) Example Card holder Data SAQ Type

13. PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS Source: October 2008. Statistics based on data gathered from 443 account data compromise cases investigated since 2001. ACCOUNT DATA COMPROMISE STATISTICS John Jacobs Moneris Solutions Merchant Acquirer

18. PCI SSC – SECURITY STANDARDS OVERVIEW

21. Awarded To: June 4, 2009 eCom Merchant eCom Merchant ("Client") is enrolled in Compliance Validation Services to meet the Payment Card Industry Data Security Standard (PCI DSS). Validation Service has been accredited by all the major card associations' data security programs including: Etc……