A crucial factor of a successful eCommerce site is creating trust between your company and your customers. They need to trust that your products or services will meet their needs and standards, and they need to trust you with their sensitive payment information.
In order to establish that trust, eCommerce organizations need to comply with the Payment Card Industry Data Security Standard (PCI DSS), a 12-part roadmap to creating a secure payment process on your site.
The PCI DSS is a global standard for payment security for retailers, online merchants, credit data processors, and other payment-related businesses. PCI compliance is not an option for eCommerce sites; it’s a necessity.
PCI DSS Requirements
These are the 12 PCI DSS requirements, broken into six categories:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
WebSphere Commerce and PCI Compliance Standards
We have already touched on how Magento helps to achieve PCI Compliance, but what about WebSphere Commerce?
Just as with Magento, simply installing and configuring your WCS site correctly does not ensure PCI Compliance. One reason is that there are multiple ways to handle payments in a WebSphere Commerce implementation:
- The WebSphere Commerce Payments subsystem
- Custom or third-party payments APIs or plug-ins
- Hosted payments pages provided by a third party
WebSphere Commerce offers a guide to ensuring that your WebSphere Commerce Payments subsystem is PCI compliant, but if you use one of the other options, it is entirely up to your team to determine whether the payment process is PCI compliant.
Additionally, WCS provides a list of configuration actions that are required to ensure that your WebSphere Commerce implementation is PCI compliant. Properly utilizing WCS puts you on the path to PCI Compliance, but these actions are required to actually achieve it. The actions address requirements 1, 3, 4, 6, and 10 of the PCI DSS. Read more about these configuration actions here.
To stay up to date on security fixes, WebSphere Commerce recommends subscribing to the WebSphere Commerce Security Bulletins, which will update you on recommended security fixes as needed.
These recommendations are just the tip of the iceberg when it comes to PCI Compliance and WCS. For more thorough information, be sure to work with an informed consulting partner, and check out the IBM Knowledge Center.
Have a question about WebSphere Commerce and PCI Compliance? Contact our team of WCS developers.