PCI Compliance Checklist For eCommerce Businesses
August 17, 2015
A PCI compliance checklist was needed in the early years of eCommerce because there were no set standards for web site architecture design or configuration—let alone measures to protect sensitive data such as credit card numbers and data tracking. With the increasing instances of unauthorized transactions reported by consumers, Visa launched its own requirements and standards platform to be followed by any retailer conducting business on the Internet and accepting Visa as a tender.
There were other credit card brands working on similar projects at the time, but Visa had the strongest requirements. Eventually the brands came together and helped form the Payment Card Industry Data Security Standard (PCI DSS) council to create a formal set of requirements and standards that covered all brands. The standards help to not only protect the card brands, but also retailers and consumers.
Definition of a PCI Compliance Checklist and Why It’s So Important
PCI DSS is so important because it provides a set of baseline requirements and standards for protecting consumer credit card data, referred to as cardholder data or CHD. The standards help guide companies in building an internal Information Security program and designing it to meet their own business needs. The requirements and standards also help to identify where CHD comes from, how it moves through the company, and where it is ultimately stored. Mapping how the data moves throughout a company’s network is one of the first steps to knowing how to protect it.
Why Your Business Will Be Better With a Comprehensive PCI Compliance Checklist
A PCI compliance program is just one piece of a company’s overall Information Security program. There is a symbiotic relationship between the programs. Having one helps to strengthen the other. The PCI compliance program helps to identify a basic set of standards that, when implemented correctly for the business, help to strengthen the company’s overall Information Security program.
Risks of Being Non-Compliant
The risks range from monetary fines imposed by the card issuers to loss of consumer trust in businesses that are found to be non-compliant. Trust is built over years and can be as valuable as any product sold. Beware of violating that trust by failing to protect consumer card data, as the effects can have a lasting impact on your business.
What You Need to Do to Protect Your Business
The latest update to the standard, PCI DSS v3, has six main requirements that are broken out into twelve sub-requirements that contain more than three hundred specific standards that have to be met. These standards have one main goal in mind: protecting cardholder data. That is the golden nugget that every person with malicious intent is trying to get to. Once they have cardholder data, it can be used for their own profit at the expense of the consumer, partner, business, and the card issuers.
If You Were Writing a PCI Compliance Checklist, What Would You Include?
The PCI DSS provides a general set of standards that can be implemented across any business model. Over the years the council has improved on the language, definitions, and applicability of the requirements and the changes have incrementally helped to improve PCI DSS compliance as a whole. Your PCI compliance checklist should include the following:
Use a firewall between the payment card data and the public network, and keep the firewall updated.
Don’t use vendor-supplied default passwords that come with network equipment or devices used in payment processing.
Do not store cardholder data. If you have a business need to keep cardholder data, make sure you use strong encryption. You can use Magento’s Braintree extension to shift the storage of cardholder data off of your systems.
Use encryption to protect all transmission of cardholder data over any public network.
Use antivirus software on all machines in the cardholder data environment and ensure that the software is regularly updated.
Check that your card processing systems have vendor-supplied security patches installed.
Limit access to cardholder data to as few people as possible.
Assign a unique ID to each user so that everyone is accountable for their own actions.
Restrict physical access to the cardholder data environment.
Monitor all access to the network and cardholder data environment.
Regularly test your security systems and network environment.
Maintain a security policy and ensure that all personnel are aware of it.
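The items on not storing cardholder data, monitoring the environment and regularly testing it call for a concrete check that card numbers have not leaked into application logs. The following added example, which is not code from the original article or from Magento, scans constructed log lines for 13 to 19 digit sequences, keeps only those that pass the Luhn check, and masks hits to the first six and last four digits; the log lines and function names are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer numeric ID is not split into pieces).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs in text, separators removed."""
    return [_digits(m.group(0)) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(_digits(m.group(0)))]

def mask_pans(text: str) -> str:
    """Mask each Luhn-valid PAN to first six + last four digits (PCI DSS display limit)."""
    def repl(m: re.Match) -> str:
        d = _digits(m.group(0))
        if not luhn_valid(d):
            return m.group(0)   # timestamps, order ids, typos: leave untouched
        return d[:6] + "*" * (len(d) - 10) + d[-4:]
    return PAN_PATTERN.sub(repl, text)

def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, PAN) for every card number found in the log."""
    return [(n, pan) for n, line in enumerate(lines, start=1) for pan in find_pans(line)]

# Constructed sample log; the card numbers are well-known public test numbers.
SAMPLE_LOG = [
    "2015-08-17T10:22:03 INFO checkout order=100000123 status=authorized",
    "2015-08-17T10:22:04 DEBUG gateway request card=4111111111111111 exp=12/18",
    "2015-08-17T10:22:05 DEBUG retry card=4111-1111-1111-1112 exp=12/18",  # fails Luhn
    "2015-08-17T10:22:06 ERROR ref=5555555555554444 declined",
]

if __name__ == "__main__":
    for n, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: cardholder data present, masked form {mask_pans(pan)}")
```

A hit from this scan means the log itself is now in scope as cardholder data and needs the same protection, or the logging call that wrote it needs to be fixed.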
How Does Magento Help Businesses Remain Compliant?
Magento offers a payment application/bridge that meets the PA-DSS (Payment Application Data Security Standard), a standard related to PCI DSS. PA-DSS is a stand-alone certification process offered by the council, and Magento’s payment application/bridge has undergone that process to become PA-DSS certified. While Magento provides a PA-DSS compliant application/payment bridge, it does not make you PCI compliant automatically, because many PCI controls lie outside the Magento platform.
For more information about completing your PCI compliance checklist or recommendations for a qualified security assessor, contact Magento online.