The Most Importantly Boring Thing You Will Ever Read
With the holiday season approaching and more and more incidents of credit card information being stolen from retailers, the security of your eCommerce site is more important than ever. Meeting PCI Compliance standards is a way to make sure that your business is secure in all aspects of handling customer payment information. According to the PCI Security Standards Council, “PCI DSS [Payment Card Industry Data Security Standard] provides a baseline of technical and operational requirements designed to protect cardholder data.” While the solution to these security issues, PCI Compliance, may seem simple, the path to achieving it is not.
PCI Compliance is a complicated necessity for merchants. Becoming PCI compliant is a marriage between the enterprise-wide PCI requirements outlined below and an assessment by a CISSP (Certified Information Systems Security Professional). With 12 different requirements covering all aspects of stored cardholder data, it can be difficult to keep up with all of the nuanced stipulations. Not meeting these requirements, however, is not an option. The 12 PCI DSS requirements, broken into six categories, are as follows:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
As mentioned in a previous blog post, Magento Enterprise helps to ease the burden of achieving PCI Compliance through a PA-DSS certified Payment Bridge. This relates to Protecting Cardholder Data and Implementing Strong Access Control Measures, among other aspects of the 12 PCI DSS requirements.
Although PCI Compliance focuses on the data obtained through payments, it affects the entire organization. PA-DSS (Payment Application Data Security Standard), however, is a subset of PCI Compliance focused specifically on payment applications. For merchants, this is applicable to things like POS terminals and eCommerce applications, as well as any and all applications used to gather account data and transfer funds from a customer. The key difference between PCI and PA-DSS is that PA-DSS outlines the proper requirements for handling account data as a payment system or application, whereas PCI compliance outlines the requirements for the entire enterprise.
Magento Enterprise fulfills the PA-DSS certification through its Secure Payment Bridge. The Secure Payment Bridge supports and is integrated with various external payment gateways, including PayPal, Authorize.net and Braintree. But, while the Secure Payment Bridge itself is PA-DSS certified, it must be implemented in a PCI Compliant environment. Gian Genovesi, eCommerce Delivery Lead at Briteskies, came up with this analogy to describe how PA-DSS fits into PCI Compliance:
“I liken PCI Compliance to having cooks wear rubber gloves in a restaurant. It is a requirement that keeps the overall cooking process sanitary, but none of that matters if you are serving the food on dirty dishes. Similarly, your site can be PA-DSS Certified, but if the rest of your organization is not following its respective PCI requirements, it doesn’t matter.”
So, while PA-DSS is an integral part of PCI Compliance, it is not the only aspect that needs to be taken into consideration. Magento Enterprise fulfills its part of the equation by providing a PA-DSS compliant payment system (its record can be found here), but as a merchant, it’s imperative to create a PCI Compliant environment throughout the organization in order to truly reach PCI Compliance.
One way to ease the stress of the PCI Compliance process is to partner with an experienced and certified development team. Certified developers have the knowledge and experience needed to truly know a platform's ins and outs, including the complicated PCI Compliance specifications. When it comes to something as crucial and nuanced as the entire PCI Compliance process, relying on experts is a great strategy.