One of the most misunderstood aspects of eCommerce is PCI compliance. It is a term that is often used, but rarely explained. In eCommerce, it is generally used to define whether your web store or shopping cart is compliant. That is one aspect of PCI compliance, but there is actually much more. Compliance is defined as meeting the 12 requirements for the PCI DSS (Payment Card Industry Data Security Standard) that address security best practices. We will take a look at those 12 requirements and show a prioritized approach to ensure compliance for yourself or your client in protection of cardholder data. If you handle customer credit cards or cardholder data, you need to be aware of these requirements and incorporate them into your business as needed.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
To be compliant, you must use a firewall for each internet connection. This can be a hardware or software firewall. The details of firewall configuration go beyond the scope of this article, but note that a firewall is not simply recommended, it is required. Along with that, a company must have a current network diagram to include all points of connection to the internet, including wireless connections. A business case, or justification, must be made for any business services requiring use of the internet, as well as the protocols (HTTP, FTP, SSL etc.) and ports used.
There must also be a DMZ to limit outside network traffic to those systems that do not contain cardholder data. Systems containing cardholder data will not be accessible to/by the internet. A DMZ is defined as a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone“, an area between nation states in which military action is not permitted.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
This may seem like an obvious one, but I cannot count the amount of times I have been able to access a company router by using the factory default passwords. I just did a quick Google search and typed in “netgear default password” and the first result gave me everything I need to know to access a Netgear router that still had the factory default password.
This would include using industry standards that address security vulnerabilities, such as wireless protocols (i.e. WEP, WPA). There are still a lot of wireless routers using WEP, a type of wireless protocol. For one reason not to use WEP, Google “WEP cracker”. Hence, strong network security is mandatory for PCI compliance.
Protect Cardholder Data
3. Protect stored cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes. Do not store authentication data after authorization. Do not store the 3 or 4 digit card verification code or PIN. Mask the card number when it is displayed (the first six and last four digits are the maximum number allowed). Without getting too technical, any card data stored must be encrypted. This encryption can be done with disk encryption, file-level or column-level database encryption.
4. Encrypt transmission of cardholder data across open, public networks.
Use strong cryptography and security protocols (i.e. SSL/TLS, IPSEC, SSH etc.) to safeguard cardholder data. A good example of this is when you are ordering something online and the website URL begins with https://, this indicates that you are using SSL/TLS (Secure Socket Layer/Transport Layer Security if you must know) to encrypt your browser transaction. Do not order anything from a website that does not offer https.
Maintain a Vulnerability Management Program
5. Use, and regularly update, anti-virus software or programs.
This should be obvious, but how many people turn off their anti-virus software and choose not to keep them updated? This allows a huge opportunity for hackers to load malicious software on your system that can not only cause damage, but expose the data contained on that system. Enough said.
6. Develop and maintain secure systems and applications.
Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Critical security patches must be installed within one month of release. Any software developed by your company must be in accordance with PCI DSS. This includes internal, external and web-based applications. Application development must be developed using change control procedures. A separate environment must be used that is isolated from the production environment. There are many specific application coding vulnerabilities too numerous to list here, but developers must ensure that none of these vulnerabilities exist in the
Implement Strong Access Control Measures
7. Restrict access to cardholder data by “business need to know”.
Limit access to system components and cardholder data to only those individuals whose job require such access. Access limitations must include the following:
- Restriction of access rights to privileged user ID’s to the least privileges necessary to perform job functions. Users should have access to only what they need, nothing more.
- Assignment of privileges is based on individual personnel’s job classification and function.
- Requirement for a documented approval by authorized parties specifying required privileges. Must be an approval process in place and justification must be provided for access to system components.
- Implementation of an automated access control system that covers all system components, assignment of systems based on job classification and the default user privilege must be set to “deny all”.
8. Assign a unique ID to each person with computer access.
Assign all users a unique username and password before allowing them to access system components or cardholder data. In addition a password, token or biometric verification must be used for authentication. Remote access must use two-factor authentication. Without going into too much detail, it requires a password and an additional form of authentication. Passwords must be unreadable when transmitted.
A strict security policy must address:
- Control of addition, deletion and modifications of user accounts.
- Verifying user identity before issuing password resets.
- Set password for first login to a unique value and change immediately upon first use.
- Immediately revoke access for terminated users.
- Vendor remote access is monitored and issued for only the length of time needed.
- Do not use generic user accounts that are shared by more than one user.
- Change user passwords every 90 days.
- Passwords must contain at least 7 characters and must contain numeric and alphabetic characters.
- User password cannot be the same as one of the last 4 passwords used.
- Lock user ID after repeated attempts to access account.
- Require re-authentication for accounts with no activity for 15 minutes.
9. Restrict physical access to cardholder data.
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. Use video camera and/or access control mechanisms to monitor physical access to sensitive areas. Store access data for at least 3 months. Restrict physical access to publicly-accessible network jacks, as well as any network equipment.
Develop procedures for distinguishing onsite personnel and visitors, especially in areas where cardholder data is accessible. Visitors must display a badge or access device and surrender it when leaving the premises. A visitor log is kept and retained for at least 3 months.
Store media backups in a secure location, preferably off-site. Physically secure all media. Require management approval for removal of any media from a secured location. Shred, incinerate or pulp hardcopy materials so that cardholder data cannot be reconstructed. Render any media that may have contained cardholder data unreadable.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
Establish a process for linking all access to system components to each individual user. Implement automated audit trails for user access to sensitive areas. Ensure that audit trails cannot be altered. Retain audit trail history for at least one year.
11. Regularly test security systems and processes.
Test for unauthorized wireless activity. Run internal and external network vulnerability scans regularly and after any changes to the network topology or system applications. Use intrusion detection/prevention systems and keep them updated. Deploy file monitoring tools to alert any changes to critical system files.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
Establish, publish and maintain and disseminate a security policy. Develop daily operational security procedures. Develop usage policies for critical technologies, remote access, wireless access and removable media. Assign responsibility for security management. Screen potential personnel to minimize risk.
The actual PCI DSS version 2.0 is much more detailed than what I have presented and can be found here. As you can see, PCI compliance is a lot more than just your website, it includes all aspects of your business. You can start by filling out a self-assessment questionnaire. But cardholder security is more than just a fill in form; it is a complete change in the way we do business. However, the cost of being compliant is far less than the liability for noncompliance, which could range from $5,000 to $100,000 per month and could result in a terminated merchant account.