Meeting PCI DSS compliance for e-commerce sites: Getting to know the basics

If you are currently running, or looking to run, an e-commerce website, then you will most likely have heard of the PCI DSS standards. If you're running a website already then hopefully you're following them! Working out what you, as a website owner, need to do to meet these requirements is at first glance a little daunting.

Find out everything you need to know about meeting PCI DSS compliance below.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) to provide clear guidance on the minimal acceptable standards of security that merchants handling credit card information have to meet. These standards help to ensure that online transactions are safe and secure, and that visitors' card data is protected from hackers.

PCI standards council logo

The PCI warns that failure to comply with the security standards outlined can have serious long term negative consequences, including lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines. This is on top of any damage to your reputation resulting from a security breach and the loss of trust this can cause to customers.

PCI DSS requirements

The requirements themselves are quite straight forward, although they can appear to represent a lot of work, particularly for a small business, and are quite daunting to a non-technical person. The current guidelines (at the time of writing) can be found at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf. The requirements are subject to periodic review and change.

The requirements are broken down into six categories and can be summarised as follows:

Pink firewall icon

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Pink protect cardholder data icon

Protect cardholder data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Pink vulnerability management icon

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Pink access control measures icon

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Pink monitor test networks icon

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Pink information security policy icon

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security

Each requirement is explained in much more detail in the full documentation that the PCI offers.

 How to meet the PCI DSS requirements 

Green firewall icon

Build and maintain a secure network

Requirement 1: Firewall configuration

Setting up and configuring a firewall is a responsibility of your hosting provider’s network administrator. To meet this requirement, as a website owner, you need to check with your webhost that your server is protected by a firewall. Your host should be able to help you certify this requirement.

Requirement 2: Default passwords

This responsibility of adhering to this requirement is split between hosting and the website itself. Your hosting provider should not be using any default passwords for its hardware (routers, firewalls, servers, etc.) or the operating system and database that your website is running on. If you've used an off-the-shelf package for your e-commerce platform, then make sure that you have changed the administration passwords.

Green protect cardholder data icon

Protect cardholder data

Requirement 3: Protecting stored card holder data

Depending on the setup of your shop you may or may not be storing card holder data. Card holder data refers specifically to your customers' card details, i.e. primary account number, cardholder name, service code, and expiration date. You might choose to retain these details so that repeat customers can easily place repeat orders through your site, without needing to re-enter their card details each time.

If you are storing card holder data, it is important to ensure that you do not record the primary account number in plain text. Under no circumstances should you store the card holders PIN, CVV/CVV2 (the three or four digit number on the back of the card) or the full track data (held in the card's magnetic strip).

Requirement 4: Encrypt data transmissions

If you're using hosted payment pages provided by your payment processor, then the responsibility for encrypting the card holder data lies with them. However, if you've decided to self-host the payment pages on your website and then send the card holder data across to the payment gateway, the data needs to be encrypted. All self-hosted pages need to be served over HTTPS using a valid SSL certificate for your domain, and the information sent to the gateway must also be encrypted. 

Green vulnerability management icon

Maintain a vulnerability management program

Requirement 5: Anti-virus software

Your web server needs to be protected by anti-virus software. Depending on the hosting agreement you have, this may be something that is taken care of and managed by your hosting provider, or it may be something that you are responsible for. 

Requirement 6: Develop secure systems

It is your responsibility to handle any access details for any part of the system sensibly (for example, don't publish your admin password to the server on your blog!). Your hosting company is responsible for keeping its network infrastructure secure but, if you are managing your own server, you will have responsibility to keep the operating system patched and up-to-date. 

If a vulnerability is detected in your e-commerce platform, you need to work to get that vulnerability patched within a reasonable timeframe. These vulnerabilities are usually faults that will be picked up in regular security scans. 

Green access control measures icon

Implement strong access control measures

Requirement 7: 'Need to know' access

If there's no reason for your content writer to have access to customer order information, then lock those parts of your system down. Your e-commerce platform needs to be capable of restricting access to sensitive data to only the users who really need that access. Never grant more permissions to a user than they need to have to be able to get their job done. 

Requirement 8: Unique user access

If you're used to sharing a login between several users who administer your website, that's something you'll have to change. Each user who logs into the administration area of your website needs to be uniquely identifiable. 

A record should also be kept of anyone making changes to the source code of the website. So, if FTP is being used to transfer files to the server, each person who has access to FTP needs to have their own FTP account. The same is true of a hosting control panel or remote desktop access. Your hosting company will be able to help you restrict access to the server to individual user accounts. 

Requirement 9: Physical access to card holder data

As the data exists logically rather than physically in real terms, this requirement means physical access to the server that's holding the data. Access to the server is normally controlled by the hosting company. (Often when a web host says that they are PCI compliant, they're referring to meeting this condition of the PCI DSS requirements.)

Green information security policy icon

Regularly monitor and test networks

Requirement 10: Access tracking

Your e-commerce platform needs to keep a log of users interacting with card holder data (if you're storing it). Those log files need to be reviewed, and any anomalies in the data need to be investigated within a timely period. 

All access to the webserver needs to be logged, and any changes to files on the server should be carefully monitored to be certain that the website has not been compromised. 

Requirement 11: Regular security scanning

It is the responsibility of the website owner to perform regular security scans of their website. Depending on the scale of your website, you may need to employ a Qualified Security Assessor to manually review the site, but most website owners can use an Approved Vendor Scanner to automate the testing of their site, for example Security Metrics or McAfee SafeScan.

Green information security policy icon

Maintain an information security policy

Requirement 12: Maintain a security policy

Maintaining a policy that addresses information security is your responsibility as the website owner. A security policy doesn't have to be draconic, but in the event of a breach you do need to be able to demonstrate that you've done your best to stay secure. 

Common misconceptions of PCI requirements

The PCI DSS requirements are complex if you're unfamiliar with IT infrastructure, security, hosting requirements, etc. Inevitably, there are some misinterpretations that have sprung up. A couple of common beliefs we see from clients are around compliant websites, and hosted payment pages:

"If you use PCI a compliant shopping cart everything is taken care of for you."

Many off-the-shelf e-commerce platforms claim to be fully PCI compliant but the truth of the matter is slightly less clear cut. Website software can go so far towards meeting PCI DSS requirements but cannot fully satisfy all of the standards outlined. If a retailer puts their trust in the marketing message of the software providers, it leaves itself in the position where it is unwittingly non-compliant.

"If you use payment processing pages hosted by your PSP then you don't have to worry about making your site compliant."

Another common belief is that if the payment service provider (PSP) is hosting the pages for payment collection, then the responsibility for PCI compliance stops with them and that the website owner does not need to worry about security standards. While the payment processor does have to satisfy a large proportion the of requirements for the PCI, this is in addition to those that still fall on you as the site owner.

To conclude: it's worthwhile getting to grips with the PCI requirements

Although understanding the requirements can take a little effort, even if it weren't a requirement from the PCI, it is worth website owners implementing the best practices outlined by the PCI DSS. The majority require very little effort to put into place but they give a website owner a little reassurance that their site is safe. In the same way that you would fit an alarm to a bricks and mortar establishment, digital monitoring can help prevent data theft, vandalism and website defacement and a number of other cyber-crimes. Also like a physical shop, no website is ever completely safe from being broken into, but practical defensive measures can help deter cyber crooks from trying. 

Want help making sure your website is safe? Contact us to speak to one of the Fresh Egg team today.

Is e-commerce your thing? Find out more by reading one of the other posts in our e-commerce blog series: