PCI Compliance (PCI-DSS) Payment Card Industry Data Security Standard

If your business relies on payment by credit card, PCI compliance is required. Non-compliance means you can lose your merchant account, and what's more, you open your company up to fines, lawsuits and bad publicity. You must comply with all of the security standards or risk losing your merchant account!

TJX – an illustration of the real world need for PCI Compliance

PCI compliance is not just another bureaucratic standard to comply with. It is a standard, based on real-world needs, that protects consumers and the future of online business.

The TJX Companies Inc. breach is the largest known data theft to date. Hackers invaded the TJX systems, and at least 45.7 million credit and debit card numbers were stolen over an 18-month period. Personal data was stolen as well, including the driver's license numbers of another 455,000 customers who had returned merchandise without receipts.

TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and, according to several PCI auditors, it will pay a heavy financial price. TJX was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

To prevent cases such as TJX from happening again, the major credit card companies, including VISA and MasterCard, have established a strict set of rules called the Payment Card Industry Data Security Standard (PCI DSS). This standard governs retail, mail order, telephone order and, most importantly, e-commerce transactions.

The PCI security standards cover several security areas; a detailed document describing the standards can be found here.

PCI compliance requires that you audit your web site security

If your company has a website and does business online, PCI compliance requires that you ensure that your web site and other web applications are secure.

You are required to scan your shopping cart and other web applications for vulnerabilities!

Acunetix Web Vulnerability Scanner helps you meet the following PCI requirements:

  • (Requirement 1.3.8) Do not disclose private IP addresses and routing information to unauthorized parties
  • (Requirement 2.1) Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network
  • (Requirement 2.2.2) Enable only necessary and secure services, protocols, daemons, etc.
  • (Requirement 2.2.4) Configure system security parameters
  • (Requirement 2.2.5) Remove all unnecessary functionality
  • (Requirement 2.3) Encrypt all non-console administrative access
  • (Requirement 4) Encrypt transmission of cardholder data across open, public networks
  • (Requirement 4.1) Use strong cryptography and security protocols
  • (Requirement 6) Develop and maintain secure systems and applications
  • (Requirement 6.2) Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed
  • (Requirement 6.4.1) Separate development/test environments from production environments, and enforce the separation with access controls
  • (Requirement 6.4.4) Removal of test data and accounts before production systems become active
  • (Requirement 6.5.1) Injection flaws
  • (Requirement 6.5.2) Buffer overflow
  • (Requirement 6.5.3) Insecure cryptographic storage
  • (Requirement 6.5.4) Insecure communications
  • (Requirement 6.5.5) Improper error handling
  • (Requirement 6.5.7) Cross-site scripting (XSS)
  • (Requirement 6.5.8) Improper Access Control
  • (Requirement 6.5.9) Cross Site Request Forgery (CSRF)
  • (Requirement 6.5.10) Broken authentication and session management
  • (Requirement 8.1.6) Limit repeated access attempts by locking out the user ID after not more than six attempts
  • (Requirement 8.2.1) Render all authentication credentials unreadable during transmission and storage
  • (Requirement 8.5.13) Limit repeated access attempts
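As an added example (not Acunetix code and not part of the original page), the following Python shows what two of the authentication requirements above look like in an application: the lockout rule of Requirement 8.1.6 (the user ID is locked after not more than six failed attempts, and the lock holds even if the correct password is then supplied) and the storage half of Requirement 8.2.1 (passwords are kept only as salted PBKDF2 hashes, never in clear text). The class and function names, the 30-minute lockout duration, the injectable clock and the in-memory store are assumptions made for the illustration.

```python
"""Account lockout (PCI DSS Req. 8.1.6) and hashed credential storage
(Req. 8.2.1) as a self-contained illustration.  All names and constants
below are assumptions for this example, not part of any product."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 6       # Req. 8.1.6: "not more than six attempts"
LOCKOUT_SECONDS = 30 * 60     # assumed lockout duration for this example
PBKDF2_ITERATIONS = 100_000   # assumed work factor
_DUMMY_SALT = b"\x00" * 16    # used so unknown users cost the same as known ones


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are unreadable (8.2.1)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory user store with a per-user failed-attempt counter and lock."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._users = {}             # username -> record dict

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": _derive(password, salt),   # never the plain password
            "failed": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and rec["locked_until"] > self._clock()

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        rec = self._users.get(username)
        if rec is None:
            _derive(password, _DUMMY_SALT)   # constant-cost path for unknown IDs
            return "bad_credentials"

        # Lock check comes first: a correct password does not bypass the lock.
        if rec["locked_until"] > now:
            return "locked"
        if rec["locked_until"]:
            # A previous lock has expired: start a fresh attempt window.
            rec["locked_until"] = 0.0
            rec["failed"] = 0

        if hmac.compare_digest(rec["hash"], _derive(password, rec["salt"])):
            rec["failed"] = 0
            return "ok"

        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")   # constructed sample
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("alice", "wrong guess"))
    print(store.authenticate("alice", "correct horse battery staple"))  # still locked
```

The sixth consecutive failure sets the lock; the next attempt, even with the right password, returns `locked` until the window has passed, at which point the counter is reset. A scanner checking Requirement 8.1.6 is looking for exactly this behaviour from the outside: a seventh attempt that is still accepted would be a finding.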

Acunetix will check your web site and alert you to any issues you need to fix. Once fixed, it will create a detailed report which will allow you to easily prove that you meet these particular PCI standards.

A sample of such a report (of a web site application that does NOT meet the standards) can be found here.

Only a Web Vulnerability Scanner such as Acunetix can help you meet the above requirements; Network Security Scanners will not be able to check the above requirements!

Acunetix Web Vulnerability Scanner is a crucial tool to help you meet PCI compliance. It's easy to use and inexpensive – download the evaluation version!