PCI Compliance Guide

Description

This document serves as a basic guide for web developers who want to add a shopping cart, e-commerce or credit card processing section to their websites. It can be used as a rough checklist for working toward PCI DSS compliance as defined by the PCI Security Standards Council (SSC); checking the council's official website for further guidance is strongly recommended.

Shared by: Danish Khan
Posted: 3/27/2009
Language: English
What PCI Compliance Means

As credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the card industry has made an effort to ensure that sensitive information is protected. To that end, in September 2006 the major card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC), which maintains the Payment Card Industry Data Security Standard (PCI DSS). How a business must validate its compliance depends on the size of the business and the number of card transactions it handles; followed properly, the standard helps protect consumers' card data from theft.

The Rules for PCI Compliance

There are six major categories within the standard established by the PCI SSC:

--Build and maintain a secure network
--Protect cardholder data
--Maintain a vulnerability management program
--Implement strong access control measures
--Regularly monitor and test networks
--Maintain an information security policy

Within these six categories are 12 requirements that address particular issues and that are directly relevant to web application security:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Make sure the router in front of the server has a built-in firewall, and change the router's default password. Many consumer routers (Linksys, for example) ship with a default login such as admin/admin; change it to a strong, unique password. Also make sure that firewall software is running on the server itself.

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

In practical terms, this means that every area of the website where customers enter private data must be served over SSL/TLS (HTTPS). The administration screens need to be SSL encrypted as well, since they expose the same data on the way out.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Storing customer credit card data on the site calls for additional security. There should be proper role-based access control to the different sections of the site. Every access to the sensitive areas should be tracked and logged for future reference, and only people with proper authority to view or maintain card-related information should be allowed in.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes (see also step 5 under "Practical Steps" below)

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Practical Steps to Ensure Compliance

1. Make sure that the customer checkout and the admin section are SSL encrypted.

2. Provide different access levels and logins to the different people who use the administration section of the website. Do not give access to customer credit card information to people who do not need it (e.g. employees who update product info or website articles).

3. Try to avoid storing customer credit card information on the site; it reduces the risk. You only really need the customer's card data entered on the payment screen and sent immediately to your payment processor. The payment is then authorized/captured, and you do not need to keep that data any longer.

If there is a need to keep customer card data for recurring billing or other applications, many payment processors now offer a service where they store the card data and your shopping cart bills the customer through an API using a token that stands in for the card. You are then no longer responsible for storing that data and do not carry that liability. We fully recommend this solution.

4. Never store the CVV (the 3-digit security code on the back of the card, or the 4-digit code on the front of an American Express card). It may be used for the authorization only and must not be retained afterwards, not even in encrypted form.

5. Run a compliance scan from an Approved Scanning Vendor (ASV). After you have made sure that you are following the checklist above, the next step is to have the website scanned. Third-party vendors approved by the PCI SSC test the site's externally reachable systems on various parameters; a passing scan is one required part of demonstrating PCI compliance, not proof that the site is secure in every respect. The official list of approved ASVs is published by the PCI SSC as a PDF. These PCI compliance scans will reveal some settings that need attention from the web hosting company too. There are a lot of settings which have to be adjusted at the physical server level for the website
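Steps 2, 3 and 4 of the checklist above (and requirements 7, 8 and 10) in working form, as an added example that is not part of the original guide: the full card number and CVV go straight to the processor, the shop keeps only a token plus the brand, last four digits and expiry, a scanner checks logs and rows for a stray full card number, and stored records can only be viewed by a named user whose role allows it, with every attempt logged. FakeProcessor is a constructed stand-in for a real gateway's vault/tokenization API, the role names are assumptions, and the card numbers are the usual publicly known test numbers used here as constructed input, not real cards.

```python
"""Added example, not the guide's own code: tokenize at checkout, persist no PAN or CVV,
scan for leaked card numbers, and gate access to stored records by role with an audit
trail. FakeProcessor is a constructed stand-in for a real gateway; card numbers are test numbers."""
import re
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum: catches typos, is not proof that a card exists."""
    digits = [int(d) for d in pan]
    undoubled = sum(digits[-1::-2])  # check digit and every second digit leftwards
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[-2::-2])
    return (undoubled + doubled) % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from the well-known leading digits (enough for a receipt, not for routing)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if pan[:2] in ("51", "52", "53", "54", "55") or 2221 <= int(pan[:4]) <= 2720:
        return "MasterCard"
    return "Unknown"


class FakeProcessor:
    """Stand-in for the processor-side vault: it keeps the PAN, the shop keeps a token."""
    def __init__(self):
        self._vault = {}

    def tokenize(self, pan, exp_month, exp_year, cvv):
        # The CVV is used for the authorization only; neither side retains it.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token, amount_cents):
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "approved", "amount_cents": amount_cents}


@dataclass(frozen=True)
class StoredPayment:
    """Everything the shop persists: no PAN, no CVV; enough to bill again and to show the customer."""
    token: str
    brand: str
    last4: str
    expiry: str


def checkout(processor, pan, exp_month, exp_year, cvv):
    """Validate the card, hand it to the processor, keep only the token and display data."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid card number")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid security code")
    token = processor.tokenize(pan, exp_month, exp_year, cvv)
    return StoredPayment(token, card_brand(pan), pan[-4:], f"{exp_month:02d}/{exp_year}")


PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators


def contains_pan(text: str) -> bool:
    """Scan a log line or database row for anything that looks like a full card number."""
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


ROLE_PERMISSIONS = {  # assumed roles for the admin section
    "content_editor": {"products:write"},
    "billing": {"payments:read", "payments:charge"},
    "admin": {"products:write", "payments:read", "payments:charge"},
}


def authorize(user_id, role, permission, audit_log):
    """Named user, role-based decision, and every attempt logged whether allowed or not."""
    allowed = permission in ROLE_PERMISSIONS.get(role, set())
    audit_log.append({"user": user_id, "role": role, "permission": permission, "allowed": allowed})
    return allowed


def display_payment(user_id, role, record, audit_log):
    """What authorized staff see: brand, last four and expiry; the token stays server-side."""
    if not authorize(user_id, role, "payments:read", audit_log):
        raise PermissionError(f"{user_id} ({role}) may not view payment data")
    return f"{record.brand} ending {record.last4}, expires {record.expiry}"


if __name__ == "__main__":
    gateway, audit = FakeProcessor(), []
    rec = checkout(gateway, "4111 1111 1111 1111", 12, 2027, "123")  # constructed test card
    print(rec, gateway.charge(rec.token, 1999))
    print(display_payment("bob", "billing", rec, audit))
    try:
        display_payment("alice", "content_editor", rec, audit)
    except PermissionError as err:
        print(err)
    print(contains_pan("card=4111-1111-1111-1111"), audit)
```

The point of the split is that after checkout() returns, nothing in the shop's process, database or logs holds the card number or the CVV; contains_pan() is the cheap check to run over log files and exported rows to confirm that. A real integration replaces FakeProcessor with the gateway's own client library and keeps the same boundary.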
