
Legal issue - PCI compliance

  • OwenM, 18-03-2010 5:23pm


    Hello,
    I have a question and it's a bit more of a legal question than a coding one so if it belongs in a different forum then please let me know.

    A web design company has created a website with a webstore for me and they maintain it. They have a contract with a hosting company to host it. Realex are the payment gateway and the payment pages are not on the realex website.

    The code to handle the payments is from a PCI certified source. The website uses SSL. Credit card details are not stored on the site.

    My head office will shortly require PCI-DSS certification. I do not have any involvement in the site's maintenance, patching etc. I assume I am responsible to my customers for the security of a website I invite them to use and my question is simply:

    Who is responsible to me for the security of the website? It should be the web design company as far as I can see. They do not accept responsibility at the moment.

    Tks,


Comments

  • seamus


    Your web design company are technically only responsible if you have an ongoing maintenance contract with that company which includes patching.

    If you only have a casual arrangement where they resell the hosting to you and do ad-hoc website stuff, then they may not be responsible.

    PCI-DSS is also a step above a standard maintenance agreement so unless you have specified that the service/website must be up to PCI-DSS standard, then they have no responsibility to do that.


  • NeverSayDie


    I would assume (bearing in mind I'm not a legal professional and this is absolutely not offered as or to be taken as legal advice) that it depends largely on the details of the various contracts and agreements involved.

    I would strongly recommend you seek professional legal advice on this one. There is a Legal Discussion forum here on Boards.ie, but they're not likely to give you legal advice there either. There are presumably potentially large amounts of money, liability issues, and other risk factors involved here, so best address this issue properly.


  • Sparks


    There's a pretty strong prohibition on giving legal advice on boards, for the same reason as the prohibition on giving medical advice, i.e. it'd be daft to do it because you have no idea who anyone is, who's qualified and who's just a 14-year-old messing about, and what happens if you follow the advice and something bad happens? Especially in Ireland, the second-most litigious state in the world?

    Best advice would be what NeverSayDie indicated - seek professional legal advice.
    That, or kick it upstairs to let the boss sort it out, which is what most coders would do...


  • Civilian_Target


    Yep. From what little I know about PCI-DSS as a coder (not a lawyer), there are two elements.

    There's data transmission: ensuring that the credit card details are passed from the customer's computer down to their point of storage and processing correctly. I guess your designers and hosting company are responsible for that if there is an ongoing maintenance contract. The best way to ensure compliance is to follow OWASP guidelines, to make sure, for example, that credit card numbers are never stored in logs by the live system, etc.

    Then there's data storage: your payments handler is probably responsible for this one. After the payment's been made, you have to log the transaction, bill the client, etc. So this ensures the credit card details are sufficiently protected out of harm's way. This will involve showing verifiable processes for handling the data, demonstrating good encryption, etc.

    Like I say, I'm no expert in this, I just have an idea of the process from a programmers perspective.


  • amen


    Not only showing good encryption but also who has access to the data.


  • carrolls


    OwenM wrote: » (quoting the original post in full)
    In order to become PCI-DSS compliant you are going to have to get a company like Trustwave involved. They will need to analyse the code and the environment created by the third party web company to ensure that it is in compliance with every aspect of the official PA-DSS documentation. See
    https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
    You will find that the compliance document is extremely strict, for example the third party web company cannot have any wireless LANs operating within the premises, or at any stage have unencrypted card details on the web servers' hard drives etc. Any customer personal data can only be stored on RAM drives in encrypted form.
    To do what you are doing, you will probably need to host the website in your own office on your own line. I don't see the hosting company agreeing to comply with the strict PCI-DSS directives.


  • mneylon


    Pretty much all merchants are going to need to be PCI DSS compliant at some level in the not too distant future.

    Some of the banks will assist with the questionnaires etc., and even cover the cost of the first year of scanning.

    Unless you asked the designers / developers to provide something specifically I suspect they wouldn't be responsible.

    Having said that, if they were being asked to code a secure site .....


  • carrolls


    Here's the actual document that you will have to comply with.
    https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_security_audit_procedures_v1-1.pdf
    What you might think is open to interpretation is definitely not.
    You will have to go through each point and do an analysis as to how your software complies. Not a trivial project for anyone to carry out for an online payment application. It's hugely expensive too I might add.
    By the way, your company is solely responsible for any security issues that might arise with the existing arrangement.


  • Cathaoirleach


    This is why I always advise my clients to use Realex Redirect (or equivalent) to handle transactions. That way, you and the client are not responsible for receiving, transmitting or storing credit card details as all of that is done on Realex's servers.

    If the client wants to have autobilling and store customers' card details, you have to go the PCI Compliance route, which comes with a lot of responsibility for the web developer/company.


  • Galtee


    OwenM wrote: » (quoting the original post in full)

    The little I know about PCI-DSS is all that I have read from the link provided by carrolls, but to me it looks as if whoever provided/is maintaining the PCI certified payment pages is responsible, as it seems to me that this is the only potential security pitfall in the setup you have described, as this is where card and holder details are being taken.


  • mneylon


    The PCI compliance, in simple terms, applies to whoever is storing or handling credit card data.

    Even if you aren't storing the actual card data the security standard is worth looking at, as you might be storing other sensitive data.

