Whilst at today’s Merchant Agent Risk Forum (www.merchantagentriskforum.com) in London, a topic that frequently came up was that of the types of due diligence merchants* should be undertaking when evaluating an agent* to build and operate a website on their behalf that accepts payments.

There was no particular list of questions offered as a template, but plenty of discussion. This got me thinking, so I thought I’d pull together my top 10 list of questions you really need the answers to if you’re going to build a website that accepts card payments.

1. Are you PCI DSS certified?

Probably the most important question to ask, but be careful as the answer you receive could be carefully worded to make you think they are certified. It is important that you understand that there is a difference between certified and compliant. Be wary of anyone who claims to be compliant – this will probably mean they aren’t PCI DSS certified, which is an important difference.

2. Your certified, great. Can I see your RoC?

So, the agent tells you they are certified, at the very least you should ask to see a copy of their certificate of compliance (which they should actually be proudly displaying on their website). Even better is a copy of their Report on Compliance (RoC). This is the independently issued report which sets out the view of the QSA.

3. Is your shopping cart software your own or someone else’s that you install?

This is an important point. Many web companies will make use of third party software or OpenSource shopping cart software, which itself may be PA-DSS certified or even PCI DSS certified, but this DOES NOT mean that your web agency is certified.

4. Are the servers where my website will be hosted in a PCI DSS certified environment?

Another subtle thing to look out for is where your website will actually be hosted. Most web designers or agencies will think they are certified if the shopping cart software they are using is either PA-DSS or PCI DSS certified, but they completely forget about the physical environment and servers that host your website. The RoC will reveal whether or not the environment is certified.

5. Do you own and manage the environment where my website will operate from?

Another key consideration is where many web agencies will use third parties to host your website and in some cases even provide the software services. We have exactly this situation with Chapter Eight. We have a large number of web designers, advertising agencies, PR companies, marketing agencies and even digital agencies who use us exclusively to provide the web platforms their customers use – without their customers knowing about it. In such circumstances we provide our RoC to our resellers to give to their customers.

6. As your shopping cart software is your own, can you give me an overview of your software development standards and in particular tell me how you operate the OWASP guidelines?

O what? The Open Web Application Security Project (OWASP) was founded in 2001 in response to the need to develop software applications that can be trusted. OWASP provide a vast number of resources for developers to use and is a key tool in any programmers toolbox. You should make sure that your agent is fully signed up to OWASP and follows its principles day-to-day. Furthermore, you should make sure that you define a term such as Good Industry Practice in your contract and ensure OWASP is included in the definition. Also, any decent software developer will have software development standards they are following including coding guidelines, code review and deployment processes and vulnerability scanning policies that should be enshrined in writing and be easy therefore to share with you. As an extra step, put them in a schedule to your contract and make sure they are a continuous contractual obligation.

7. Do you store any cardholder data on the servers where my website will be running?

This is an important question to ask because if card holder data is being stored on any of your providers systems then a breach here could result in not only a loss of data and the implications that would bring, but a hefty fine for your business from your bank. This is the case because it is unlikely that your provider will either have a direct contract with your bank or be a Visa Merchant Agent – so there is no direct route to your provider for the bank or Visa to issue the fine to them.

8. How do you handle personal data as opposed to cardholder data?

Most people are concerned with the security cardholder data with little regard for ‘less sensitive’ information such as email addresses. The truth of the matter is that you should be equally concerned about all personal data as you are about cardholder data. Treating both sets of data as one and subjecting them to the same controls and processes will make ensuring the security of the data easier. Doing this under the guidance of the PCI standard will give even more benefits. So, ask this question and make sure that your web agency that personal data as importantly as cardholder data.

9. Have you ever had a data breach?

It sounds like an obvious question to ask, but I’m amazed at how few of my clients actually ask me this question. It’s easy to answer too. But where the answer is yes, you really do need to get familiar with the specifics of what happened and what steps the agent took to mitigate the breach and stop it happening again.

10. Can you provide me with a copy of your incident response plan specifically in relation to data breaches?

Linked to the previous question is of course the need to see how the person building your shiny new website will deal with a breach if one does occur. This document should typically be codified in their staff handbooks and form part of their staff induction and training programmes as well as being entrenched in their Board reporting processes.

Wrapping Up

My recommendation is that the answers to the questions above should be incorporated into whatever contract you sign with the agent. You should also ensure you get a contractual obligation to maintain ongoing certification and not just be certified at the point of contract.

So these are my starter for 10. I’d like to create an even bigger list of questions, so please use the comments feature below to post questions you think we should be asking.

Visa and the banks don’t typically talk in terms of business owners and their web agencies, but in terms of merchants and their agents. For a list of currently approved agents see www.visamerchantagentslist.com