What is PCI DSS Compliance
Guides to PCI (Payment Card Industry) DSS (Data Security Standard) Compliance.
by Bernard Kohan
I'm sure by now you have heard many times in the news about hackers and scammers hacking into eCommerce systems and stealing consumers' sensitive information including credit card information.
When users' or customers' sensitive information is exposed or stolen, it is called a Data Breach.
One important fact to know is that if a Data Breach occurs on your website, and you are storing users' or customers' sensitive information, you are likely to be liable for any identity theft or fraudulent credit card charges, and you can be sued for a substantial amount of money.
Most website owners are not aware of the seriousness of a Data Breach. They do not know that there are several Federal and State laws about the notification requirements if there is a Data Breach.
There is also a major misconception that if there is a Data Breach, the hosting company or website developer will be liable for such an occurrence and not the website owner. That is not the case: if you are the website owner and there is a Data Breach on your website, you are the first in line to be held liable and sued. The argument is that a website owner should maintain and follow sufficient and recognized security standards, such as PCI DSS Compliance, by hiring specialists and qualified people to help maintain security.
Below is an example of the average cost of a Security Breach; it gives you an idea of the amount of liability and claims that can arise out of a Data Breach:
Average cost of a Data Breach based on 2012 Data Breaches (research and figures are from NetDiligence):
- Average cost of defense: $582K
- Average cost of settlement: $2.1 million
- Average records lost: 1.4M accounts compromised
- Average cost per breach: $3.7M
- Average cost for crisis services (forensics, notification to customers, call center, credit monitoring, legal counsel): $983K, of which on average:
  - Call center: $50K
  - Credit monitoring: $354K
  - Legal counsel: $66K
If there is a Data Breach on your website, State and Federal laws require that you notify your customers by mail (or email if certain conditions are met). That by itself costs you not only the mailing expense but also unhappy customers, who can later file a lawsuit for stolen identity or fraudulent credit card charges.
The Payment Card Industry Security Standards Council was formed by Visa International, MasterCard Worldwide, American Express, Discover Financial Services, and JCB in order to set forth the security standards necessary to protect customers' data. They put together the Payment Card Industry Data Security Standard (PCI DSS) and require companies, organizations, or stores that accept credit cards to adopt the standard (PCI DSS).
These standards are updated periodically; the most recent version of the PCI DSS is version 3.0, which was released in November 2013.
There are a lot of detailed requirements for following and adopting PCI DSS, which are outside the scope of this article, but below is a summary list to give you an idea of these security measures:
- Make sure to properly install Secure Sockets Layer (SSL) when collecting and transmitting cardholder or sensitive customer data, and use an SSL certificate with a 2048-bit key and a 256-bit encryption level.
- Unless absolutely necessary, do not store customers' credit card data on your site. Instead, you can use a third-party payment gateway or subscription service such as Authorize.net CIM or Recurly to store your customers' data and access it by sending a customer token to their servers. If you must store credit card information, never store the security code, and always encrypt the credit card data.
- Use strong passwords for all access to the server and site, and update the passwords often (every 1-3 months).
- Make sure that your site is running on a server that is behind a firewall that is always maintained and monitored, and that the firewall software has very strict access policies that allow only necessary access and block all other access to the server. (For example, if you are running Linux, limit SSH root access to only the necessary admin IPs, and do not open SSH access to a whole network or subnet.)
- Make sure that your site is on a server that runs security software that controls access to files and applications through strict security policies. The access-control software should also monitor suspicious access attempts, block them, and report them to the server administrator. An example of such software is Security-Enhanced Linux (SELinux) for Linux systems.
- Make sure that your site is running on a server that runs and maintains anti-virus software with the latest updates.
- Make sure that your eCommerce application (or web application or mobile app) is scanned and tested for security issues such as SQL Injection, Cross-Site Scripting (XSS), Session Hijacking, Cross-Site Request Forgery, Executable Code in File Uploads, Brute-Force Attacks, Account Hijacking, and other injection methods (Header Injection, CSS Injection, Ajax Injection, Textile Injection, Command Line Injection, etc.).
Important: Even though you may think that you have a secure platform with the latest security patches, when you add third party plug-ins or software, you can essentially create additional bugs, and possible vulnerabilities outside the original platform. So it is recommended to always scan your final release application for security vulnerabilities.
- Make sure that there are access restrictions to physically access the server.
- Make sure to maintain a security policy for accessing the server, both physically and through the network.
- Make sure that each access to the server or website has a unique ID and is being tracked.
- Continuously monitor and track all access to the server physically or through the network.
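As an added example (not code from the article), the card-data storage rule above in working Python: keep only a gateway token, the last four digits and the expiry, refuse to store the security code, and, as a generalization of the same rule, scrub Luhn-valid card numbers out of log lines before they are written. The token format and the sample log line are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# 13-19 digit runs with optional space/dash separators (candidate PANs)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log line: a 17-digit order id (not Luhn-valid) next to a Visa test PAN (Luhn-valid)
SAMPLE_LOG = ("2014-01-05 12:00:01 checkout order=20140105000000123 "
              "pan=4111111111111111 amount=49.99")

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the part PCI DSS allows to be shown."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass(frozen=True)
class StoredCard:
    gateway_token: str   # reference to the card vaulted at the payment gateway
    last4: str
    exp_month: int
    exp_year: int

def build_stored_card(gateway_token: str, pan: str, exp_month: int,
                      exp_year: int, cvv: Optional[str] = None) -> StoredCard:
    """The record a merchant may keep: token, last4, expiry. Never PAN or CVV."""
    if cvv is not None:
        raise ValueError("security code must never be stored after authorization")
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return StoredCard(gateway_token, mask_pan(pan)[-4:], exp_month, exp_year)

def redact_pans(line: str) -> str:
    """Mask Luhn-valid card numbers in a log line; leave other numbers alone."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        line)
```

Run `redact_pans` over every line before it reaches the log file; the order id in `SAMPLE_LOG` is left intact while the PAN is masked.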
Another misconception that site owners have regarding PCI DSS compliance is that it is a one-time implementation, and that once a site is PCI DSS compliant it will stay compliant. This is not the case: in order for a site to stay PCI DSS compliant, the site owner is required to continuously run and test the site for vulnerabilities discovered since the last scan. For example, your website may have passed the PCI DSS Compliance scan last month, but if a new vulnerability is found in the web server software that you are using, your site will fail a PCI DSS Compliance security scan until you fix it.
There are a few approved companies that provide PCI DSS Compliance evaluation and scanning for a monthly charge. Trustwave and SecurityMetrics are the most popular approved companies. Most Merchant Service companies provide PCI DSS Compliance scanning for their customers at no charge through an approved PCI DSS security company. For example, Wells Fargo Merchant Services provides complimentary Trustwave PCI DSS Compliance evaluation and scanning to its customers who accept credit cards using Wells Fargo Merchant Services, so that those customers can become and stay PCI DSS Compliant.
If your Merchant Service provider does not offer complimentary PCI DSS compliance evaluation and scanning, you may need to seek the help of a professional consultant to help you become PCI DSS Compliant.
Final thought: it is important to know that keeping your customers' sensitive information secure is your responsibility, and you can face substantial liability if you do not invest in securing your site.