PCI Compliance
October 15, 2010
The bank through which you process all of your online commerce payments has just informed you that your web site must be "PCI Compliant" or they will no longer process your web site's credit card transactions. Without the ability to process payments, your business is effectively shut down. You need to find a development partner who can help you navigate the maze of PCI requirements and keep your business operational. This scenario is happening to internet commerce sites across the country, and companies are scrambling to meet deadlines.
PCI stands for Payment Card Industry. The PCI Standards Organization was formed by the major credit card companies to create a set of standards for protecting cardholder data collected and processed by commercial companies. A quick trip to the PCI Standards web site reveals a series of documents aimed at guiding companies through the upgrades required to ensure that their data systems meet the new PCI standards. There are four steps every company has to complete on the way to becoming compliant with the PCI standards.
Step #1 – What standards apply to my company?
The first step is determining what standards apply to your company’s commerce operations. Depending on how your systems process and store cardholder data, as well as the volume of transactions performed, the level of standards that you must comply with will vary.
Step #2 – What changes are needed to make my systems compliant?
Once you have identified the appropriate standards, you have to identify the changes that need to be made to your commerce systems to achieve PCI compliance. This is frequently referred to as the "Gap Analysis," where your systems and software are analyzed to determine what portions are in compliance and what portions are out of compliance. This includes changes to your system infrastructure (servers, networks, security, etc.) as well as changes to your commerce software systems.
Step #3 – How do I make the changes? Remediation
Here is where the rubber meets the road, so to speak. After you have identified the necessary changes, it’s now time to adapt your infrastructure and/or application to address the deficiencies.
Step #4 – How can I verify compliance?
This is the final step in attaining certification; to be "PCI Certified" your commerce operations must be scanned by an Approved Scanning Vendor (ASV). These are companies that have been vetted by the PCI organization and are authorized to certify commerce sites as being "in compliance" with the PCI standards. The result of this step is a report/certificate that certifies your transaction processing systems are in compliance with the PCI Standards.
What Standards Apply?
The first step, and perhaps the most confusing, is determining what level of the PCI compliance is relevant to your business. The mechanism by which you assess your commerce system is by choosing the relevant Self Assessment Questionnaire (SAQ) that matches how your company processes card transactions. If your commerce systems store cardholder information on premises, in a database, or some other persistent storage, then you are Validation Type 5, and must answer the considerably longer SAQ D (225 questions!). You must also adhere to a much broader set of security concerns. If your commerce system does not store credit card data (for example, the credit card processing is transacted by a third party payment system), then you are most likely a Validation Type 4 and must answer the SAQ C form. These are the most common commerce site payment methods in use by internet e-commerce merchants.
The frequency and detail of the audit procedures are determined by the annual transaction volume. At the top-most level, a Qualified Security Analyst (QSA), certified by the PCI Security Standards Council (SSC), must audit the site annually. The following table illustrates which criteria apply for Merchants processing credit card transactions:
As can be seen, unless your site is processing more than 6 million transactions per year, you can perform your own self assessment and fill out the SAQ without the help of a QSA – if you feel up to it. If your site qualifies as Validation Type 5, you might want some help with the required and complicated SAQ D that you will be required to complete. In all cases if your site is processing cardholder data, you must have an ASV perform quarterly scans of your commerce infrastructure.
NOTE: If your company experiences a security breach with subsequent loss of credit card information, you may be held to a higher standard (Level 1) regardless of the transaction card volume you process.
The PCI Standards organization has identified six areas in which Merchants should focus their compliance efforts. These six areas are further broken down into 12 criteria, listed below.
#1 - Build and Maintain a Secure Network
If your system isn’t already protected by a firewall, you’ll need to install one. If your system is currently protected by a firewall, you need to show that it is properly configured. Also, you will need to ensure compliance with updates to maintain the effectiveness of your firewall.
Do not use vendor defaults! Too often, security is compromised by systems integrators who, through either ignorance or convenience, have left factory default passwords in place. As an added precaution, systems should utilize best practices and only allow strong passwords.
#2 - Protect Cardholder Data
Protect stored cardholder data
Perhaps the most important part of the PCI Standard is the implementation of measures to protect cardholder data (not necessarily just the credit card number, but other information that could be used by parties intent on identity theft). If your systems require the storage of cardholder data, this data must be secured both physically (in a secure data center) and programmatically (via encryption algorithms and key management).
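As an added example (not code from the original article), here is one way to implement the "programmatic" protection of a stored card number described above: the database keeps only the masked PAN and an AES-GCM ciphertext, while the data-encryption key (assumed here to be fetched from a key-management system) never sits beside the data. The function and variable names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// maskPAN renders a PAN for receipts and screens: last four digits only.
func maskPAN(pan string) string {
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// newAEAD builds AES-GCM (a 32-byte DEK gives AES-256) under a data-encryption key assumed to come from a KMS, not the database.
func newAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectPAN encrypts the PAN with a fresh random nonce (prepended); this blob plus maskPAN(pan) is all the database stores.
func protectPAN(dek []byte, pan string) ([]byte, error) {
	gcm, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// revealPAN decrypts a protectPAN blob for the few code paths that truly need the full number; the GCM tag rejects altered ciphertext.
func revealPAN(dek, blob []byte) (string, error) {
	gcm, err := newAEAD(dek)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```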
Protect cardholder data during transmission
Even if your system does not store cardholder data, as long as your system transmits this information to other systems, even if those systems are part of your company, the information must be protected. This typically means using industry standard security protocols (SSL, WES, SFTP, etc.) when transmitting cardholder data.
#3 – Maintain a Vulnerability Management Program
Use Antivirus software
For systems that manage cardholder data (even if it’s not stored), the presence of up-to-date antivirus software is critical. Antivirus software minimizes the risk that malicious software agents will compromise systems managing cardholder data.
If you are using a third-party e-Commerce solution, make sure it is PCI compliant and that you are current with all updates and security patches. If you have developed your own e-Commerce solution, work with your vendor (or us!) to ensure that your application is PCI compliant.
#4 – Implement Strong Access Controls
Restrict Data Access
Make sure that access to critical information is restricted on a need-to-know basis. Maintain policies and procedures that ensure that only people that require access to sensitive information (cardholder data) have it.
Unique User Accounts
Every user of the system should have their own unique account.
Restrict Physical Access
Just as data access needs to be restricted to only individuals that require this as part of their business function, access to the physical servers at the data center must be similarly restricted. A person with access to a machine holding cardholder data represents a risk to the security of that data. For this reason, all servers that contain cardholder data must be secured in a PCI standards-compliant datacenter. Additionally, an area that typically gets overlooked when creating physical access restrictions is WiFi access points.
#5 – Regularly Monitor and Test Network
Maintain Audit Trails
All access to the systems containing the cardholder data must be monitored in such a way that full knowledge of system access is maintained.
Regularly Test Security
Once you have created a PCI standard-compliant system, the work is not done. Security requires constant vigilance; you must plan to test your security processes and procedures, as well as your systems, on a regular basis.
#6 – Maintain an Information Security Policy
Create and Maintain an Information Security policy
Your organization should have a written policy that describes how information security will be maintained on an ongoing basis. This policy needs to be regularly reviewed to ensure it complies with the latest requirements of the PCI Standards organization.
By adhering to the PCI guidelines, you can ensure that cardholder information that your company collects is protected in a manner consistent with industry best practices. By securing your commerce site in this manner, you will greatly minimize the possibility of malicious parties gaining access to cardholder data. Without these security measures in place, your company may be exposed to a potentially large financial liability and jeopardize the trust relationship you have with your customers.