The ABC's of PCI Compliance
By Josh Ewin and Andy Mahler
The face of e-commerce is about to change in a big way. In the coming months, the Payment Card Industry (PCI) implements DSS — the new standard in security practices for e-commerce companies. Whether you are an online merchant, webmaster or Web host, it is vital to understand the fundamental requirements of the PCI DSS (Payment Card Industry Data Security Standard) to keep your business and your clients from incurring stiff penalties.
The Payment Card Industry Data Security Standard
PCI DSS was developed by the founding brands of the PCI Security Standards Council, including American Express, JCB, Discover, MasterCard and Visa. The PCI Council has established this standard to protect cardholder information. As a vendor, it is critical that you are not only aware of the new requirements, but also understand the tools and practices available to remain in compliance with the new standard.
The Need to Comply
PCI DSS provides a comprehensive set of requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The standards outlined within PCI DSS can be used to help build the security policies and structure for the enterprise, data centers and your customers. This set of standards should be used as a best practices guide to implement and follow.
Even though the PCI Council manages the underlying security standards, compliance is set independently by the individual brands. Each brand has its own set of penalties that can range from $8 per compromised account to more than $158,000 per incident, with additional penalties ranging from restrictions to outright loss of use.
PCI DSS Requirements
There are twelve major requirements to the PCI standard:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10.Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
In June 2008, The PCI Council added Appendix A, which is “PCI DSS Applicability for Hosting Providers.” In a nutshell, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that hosting providers must protect each entity’s hosted environment and data. Therefore, hosting providers must give special consideration to the following:
- A.1 — Protect each entity’s (that is merchant, service provider, or other entity) hosted environment and data, as in A.1.1 through A.1.4:
- A.1.1 — Ensure that each entity only has access to its own cardholder data environment.
- A.1.2 — Restrict each entity’s access and privileges to own cardholder data environment only.
- A.1.3 — Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.
- A.1.4 — Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not necessarily guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
Besides being good security practice, if followed, a Web hosting company providing procedures, processes and tools to meet the requirements can be a competitive advantage. Specifically, it can be used to differentiate your services from your competitors and entice e-commerce companies to host their sites with you.
New for the latest release of PCI DSS is requirement 6.6. It requires that all Web-facing applications be protected against known attacks. Hosting companies over the years have become very good at protecting the network and the operating systems from attacks, while the applications have been left vulnerable. Hackers are now attacking using SQL Injection and Path Traversal techniques to gain access to applications and valuable information.
Application security is an area that hosting companies have little or no control over. Once these hacks occur, and they do, expenses and man-hours mount as Web hosts deal with customer complaints. To combat these attacks the PCI DSS recommends installing an application layer firewall in front of Web-facing applications known as a Web Application Firewall (WAF). One example of a WAF is Applicure’s dotDefender™, which works well for hosting companies, as it supports dedicated, shared and virtual environments running either Windows IIS or Apache on Linux platforms. Offering a WAF to clients will provide the security they need for PCI compliance, additional revenue for Web hosts, and reduce customer care calls addressing hacking attacks.
The penalties for not following the PCI’s DSS are significant and should not be ignored by any company accepting credit cards online or any company providing supporting services, like Web hosting companies. That being said, gaining compliance is relatively easy and could prove to be a competitive advantage if used creatively.
Josh Ewin ([email protected]">[email protected]) is VP of Sales and Marketing for DedicatedNow. Andy Mahler ([email protected]">[email protected]) is Director, Business Development for Applicure Technologies.