What WePay partners need to know about the new PCI rules

October 15, 2015 Partner Success
By Atit Shah, Head of Security


Willie Sutton, an infamous gangster, was once asked by a reporter why he robbed banks. Sutton didn’t even have to think for a second before he responded, “That’s where the money is.”

Online, the money is with the people who process payments. That’s why the credit card networks (i.e. Visa, MasterCard, etc.) created the Payment Card Industry Data Security Standard (PCI DSS). These mandatory rules codify the current best practices in security, and they ensure that anyone who handles or processes payments is doing so as safely as possible.

Recently, a new version of the PCI DSS was released. It has some major changes that may affect WePay partners. In this post, we’ll break down what they are in a way that’s clear and actionable. Even so, we’ll warn you that this runs a bit long and gets a little dense at times, but it’s important stuff.

Think of the new requirements as a relatively small but essential additional layer of security that will help us all continue to play safe.

PCI DSS 3.0 in a nutshell

Under the latest PCI DSS 3.0 standard, all WePay partners need to be compliant with the new requirements before their next assessment. PCI DSS 3.0 adds new requirements for some partners, depending on how their application integrates with WePay. These requirements supplement the ongoing work that we do on our systems every day to maintain the highest possible level of PCI compliance as your payments service provider.

  • Every partner needs to be PCI compliant, even if you are using iFrame checkout (embedded checkout).
  • In most cases, being PCI compliant means filling out a Self Assessment Questionnaire (SAQ).
  • Partners using iFrame checkout will generally qualify for the simpler SAQ-A.
  • Partners using custom checkout (tokenization) will generally need to fill out the new SAQ-A-EP and perform quarterly scans.
  • WePay will continue to look for compliant ways to offer the benefits of tokenization without requiring partners to complete the SAQ-A-EP.

Who has to be PCI compliant?

Anyone involved in the processing, transmission, or storage of credit card data must be PCI compliant. While WePay securely stores and processes cardholder data for partners, thereby significantly reducing the level of effort required to be PCI compliant, action is still required from partners to be fully compliant with the new requirements. In the majority of cases, partners will need to complete a PCI self-assessment.

PCI rules, and how they are interpreted, evolve over time. After working with our own PCI Qualified Security Assessor (QSA), WePay and most other providers in the industry have taken the position described in this document.

What is needed to be PCI compliant?

Compliance requirements are determined by your transaction level and nature of integration with WePay.

  • Level: Number of transactions processed each year
  • Integration: How you interact with WePay and thus card data

This information will help you determine which SAQ to complete and whether network testing is required.

PCI Levels

PCI has four levels of compliance. The level that applies to you depends on the number of transactions processed each year. The table below is a simplified set of requirements. Note that the transactions/year counts are for Visa or MasterCard individually, not the two combined.

[Image: table of PCI compliance levels by annual transaction count]

Key considerations for WePay partners:

Partners below level 1 can self-assess. If you process more than 6M Visa or MasterCard transactions/year, you will need to use a professional QSA.

Partners processing more than 20K eCommerce transactions per year (i.e. not including mobile card reader transactions) will need quarterly network scans by a PCI-approved scanning vendor unless they qualify for the SAQ-A.

Choosing SAQs

There are a number of different SAQs. The form(s) you need to fill out depend on how your platform integrates with WePay.

iFrame checkout integration

If you integrate using only WePay’s iframes (either checkout or pre-approval), you’ll need to fill out the simplest form, the SAQ-A. This is because all of the credit card data is handled on pages and iframes served by WePay.

Custom UX (tokenization checkout integration)

If you integrate using WePay’s tokenization, you’ll need to fill out the longer SAQ-A-EP. This form is new as of PCI DSS 3.0. You are using tokenization if you collect credit card data on a webpage you serve, and then use WePay’s JavaScript library to send the field values directly to WePay.

You will also be required to have an approved vendor conduct quarterly network scans, even if you are only level 4.

Why the extra work for tokenization: The PCI Council believes that the risk of attack is higher for a custom UX checkout than for an iframe checkout. They specifically highlight that attacks on custom UX integrations can be much harder for users to notice, and thus affect many more people, than a compromise involving iframes.

Server-Server integration

A small number of partners integrate with WePay by collecting credit card information directly and then passing it on to WePay (e.g. via /credit_card/create). These partners need to complete the SAQ-D.

Other scenarios that could require additional SAQs

If you are doing any of the following, discuss your situation with WePay, who can help you complete the appropriate SAQs:

  • Using WePay’s mobile card reader program
  • Allowing “virtual terminal” operations where the merchant (rather than the payer) keys in credit card data

Completing SAQ-A, SAQ-A-EP, SAQ-D

Unless you require PCI level 1, you can complete these forms yourself. You will need to do this every year.

SAQ-A: https://www.pcisecuritystandards.org/documents/SAQ_A_v3.pdf

SAQ-A-EP: https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf

SAQ-D: https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf

WePay is not currently requiring copies of the completed documents, but reserves the right to ask for them in the future.

To make it easy, WePay has prepared a model of how these can be filled out assuming WePay is the only integration you have involving payment processing.

Obtaining network scans

If you are either level 1 or required to complete SAQ-A-EP or SAQ-D, you will also need to have an authorized provider conduct quarterly scans.

A list of Approved Scanning Vendors (ASVs) is maintained here:

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

ASV scans are relatively easy to set up, as the majority of vendors provide cloud-based offerings that require no system setup or software installation. ASV scans typically start at approximately $500 per year for up to 3 systems.

WePay is not requiring that proof of PCI compliance be sent to us at this time, but reserves the right to do so in the future.

We are together in this journey!

PCI compliance is mandatory for all WePay partners, and as your trusted partner in payments, we have provided this information to help you better understand and meet your compliance obligations. We’re here to help! If you have any questions, please email security@wepay.com.

Learn More

Official sources for more information:

PCI Standards:

https://www.pcisecuritystandards.org/

http://www.visaeurope.com/media/images/processing%20e-commerce%20payments%20guide-73-17337.pdf

Visa:

http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp

MasterCard:

http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

About the author

Atit Shah, Head of Security

Atit Shah is Head of Security for WePay. He has more than 11 years of combined experience in technology, security and leadership. Prior to WePay, he held security-related positions at Microsoft, Deloitte, and Ernst & Young.
