The Rules for PCI Compliance

As of June 30, 2008, VISA requires merchants to comply with PCI (Payment Card Industry) standards to prevent security and data breaches.

Here is an excerpt from the PCI Data Security Standard…

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

• Installing an application layer firewall in front of web-facing applications.

PCI Self-Assessment Survey

To determine compliance, businesses need to complete the PCI Self-Assessment Survey.

Don’t Store Credit Card Information on Your Own Servers

One of the requirements is that the merchant should not store any client credit card information on their own servers. I just spoke to the gateway tech support and learned that this is fairly easy to accomplish by using the gateway to store the client credit card information for future use. The gateway stores the information and the merchant’s program accesses the data via a token. We recommend our Cocard gateway with the Customer Vault feature.
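The token flow described above, as an added example that is not the page's or Cocard's own code: a simulated customer vault stands in for the gateway, the merchant record keeps only the token and last four digits, and an audit routine scans merchant storage for anything card-number-shaped. The vault functions, token format and the test card number are hypothetical.

```python
import re
import secrets

# Hypothetical stand-in for a hosted gateway vault; not the real Cocard API.
_VAULT = {}

def luhn_valid(pan: str) -> bool:
    """Luhn check, used here only to recognise card-number-shaped data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def vault_store(pan: str, expiry: str) -> str:
    """Gateway side: keep the PAN, hand back an opaque token."""
    token = "tok_" + secrets.token_hex(8)
    _VAULT[token] = {"pan": pan, "expiry": expiry}
    return token

def merchant_save_customer(customer_id: str, pan: str, expiry: str, merchant_db: dict) -> dict:
    """Merchant side: send the card to the vault once, persist only token + last4."""
    token = vault_store(pan, expiry)
    record = {"customer_id": customer_id, "token": token, "last4": pan[-4:]}
    merchant_db[customer_id] = record
    return record

def vault_charge(token: str, amount_cents: int) -> dict:
    """Gateway side: charge by token; the merchant never handles the PAN again."""
    card = _VAULT.get(token)
    if card is None:
        return {"ok": False, "error": "unknown token"}
    return {"ok": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pans(merchant_db: dict) -> list:
    """Audit check: any Luhn-valid 13-19 digit run in merchant storage is a finding."""
    found = []
    for record in merchant_db.values():
        for value in record.values():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_valid(candidate):
                    found.append(candidate)
    return found
```

Running find_pans over real merchant tables (or exported backups) is a cheap way to confirm the "no card data on our servers" claim before filling in the self-assessment.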

There are six major categories within the standards established by the PCI SSC, which are as follows:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Within these six categories are 12 requirements, each addressing a particular issue and bearing directly on web application security:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security