PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS), usually just called PCI compliance.

According to the Sitepoint article "PCI Compliance and the PHP Developer" (6 March 2013), every developer who touches credit card data has to be aware of PCI compliance.

The PCI Compliance standards are set by the PCI Security Standards Council.

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The organisation was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The standards cover the point of entry of card details, how the data is processed, and how it is stored.

The Council operates training programs that train and qualify security professionals.

Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) are certified by the PCI Security Standards Council.

The PCI SSC does not impose penalties for non-compliance; that is left to the individual card brands (and the acquiring banks that carry their contracts).

PCI DSS applies to anyone who accepts, processes, stores or transmits card information.

The requirements are stated as objectives and guidelines rather than prescribed techniques, so they are platform and architecture independent.

A full PCI review takes place once a year, with ongoing quality assurance in between and a quarterly network scan.

There are a number of approved private companies (the ASVs) that are able to scan a website; they report the results to the merchant, who submits them to its acquiring bank.

Depending on annual transaction volume, the card brands assign each merchant a level; the highest-volume merchants get an annual on-site inspection of their network by a QSA. Merchants with fewer transactions complete a self-assessment questionnaire (SAQ) and a quarterly network scan.

A scan looks for non-compliance and network vulnerabilities.

The full list of approved companies is on the Council's site.

Typically, a large company such as Marks and Spencer (M&S) pays a membership fee to a company that handles all of this for it. In M&S's case (see the M&S ISIS accreditation) that company is Trusted Shops, which audits or scans the M&S site once a month. Before joining Trusted Shops, M&S would have had a full audit and inspection before it was allowed membership, and because of the regular scans Trusted Shops is able to offer buyer protection, i.e. compensation in the event of credit card fraud (ISIS accreditation).

Developers who intend to build a site that takes payments have to be aware of the PCI guidelines and best practice.

How to comply?

There are 12 requirements, grouped into 6 areas:

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
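Requirement 3 is the one a developer meets first, because it decides what may be written to the database at all. The rules behind it: sensitive authentication data (the CVV/CVC, full magnetic-stripe track data, PINs) must never be stored after authorisation, even encrypted; the PAN must be unreadable wherever it is stored (truncation, a keyed one-way hash, tokenisation or strong encryption); and when displayed, at most the first six and last four digits may be shown. The following Python is an added example, not code from this page, the Sitepoint article or the PCI SSC. It assumes a payment record arrives as a dict with keys such as "pan", "cvv", "expiry" and "name", and that the tokenisation key is a secret held outside the database (here a constructed demo key); those names and the key are assumptions, not part of the standard.

```python
"""Preparing a payment record for storage under PCI DSS Requirement 3.

Added example, not code from the page, the Sitepoint article or the PCI SSC.
Assumed field names: "pan", "cvv", "expiry", "name" (not from the page).
"""
import hashlib
import hmac
import re

# Sensitive authentication data: must never be persisted after
# authorisation, whether or not it is encrypted.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cvv2", "track1", "track2", "pin")

# Constructed key for the runnable demo only. In practice load it from an
# HSM or key-management service, never from the same database as the tokens.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' becomes digits only."""
    return re.sub(r"\D", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used on card numbers; rejects obvious typos."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN for lookups and matching.

    An unkeyed hash is not enough: with the first six digits (the BIN) known
    and the Luhn digit fixed, a 16-digit PAN has only ~10**9 candidates, so a
    plain SHA-256 table is brute-forceable. The key must live outside the DB.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(payment: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a record safe to persist: no full PAN, no CVV/track/PIN."""
    pan = normalise_pan(payment["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    record = {
        k: v
        for k, v in payment.items()
        if k != "pan" and k.lower() not in SENSITIVE_AUTH_FIELDS
    }
    record["pan_masked"] = mask_pan(pan)
    record["pan_token"] = pan_token(pan, key)
    return record


if __name__ == "__main__":
    # Constructed sample input using the well-known Visa test number.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123",
              "expiry": "12/26", "name": "A Cardholder"}
    print(prepare_for_storage(sample))
```

Two caveats a practitioner would add. First, a masked PAN plus a keyed hash still puts the system that computes them in scope, because the full PAN passes through it; the way most sites actually reduce their PCI burden is to let the payment processor's hosted form or tokenisation service take the PAN so it never reaches their own servers. Second, the CVV is stripped here after the request is parsed, so it must also be kept out of request logs, crash dumps and analytics: Requirement 3 is about every place the data could land, not just the database.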

References

American Express

PCI Approved Scanning Vendors (ASVs), PCI Security Standards Council

PCI DSS Quick Reference Guide (2010), PCI Security Standards Council

Trusted Shops

Trusted Shops price list

ISIS accreditation

Marks and Spencer

M&S ISIS accreditation

PCI Compliance and the PHP Developer, Sitepoint (6 March 2013)