If your business relies on payment by credit card, compliance with the PCI security standards is required. Non-compliance means you can lose your merchant account, and what's more, you open your company up to fines, lawsuits and bad publicity. You must comply with all of the security standards or risk losing your merchant account!
TJX - an illustration of the real world need for PCI
PCI compliance is not just another bureaucratic standard to comply with. It is a standard to protect consumers and the future of online business, based on real-world needs.
The TJX Companies Inc. breach is the largest known data theft to date. Hackers broke into the TJX systems and stole at least 45.7 million credit and debit card numbers over an 18-month period, as well as personal data, including driver's license numbers, of another 455,000 customers who returned merchandise without receipts.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and, according to several PCI auditors, it will pay a heavy financial price. TJX was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.
Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.
To prevent cases like TJX from happening again, the major credit card companies, including VISA and Mastercard, have established a strict set of rules called the Payment Card Industry Data Security Standard (PCI DSS). This standard governs retail, mail order, telephone order and, most importantly, e-commerce transactions.
The PCI security standards cover several security areas; a detailed document describing the standards can be found here.
PCI compliance requires that you audit your web site security
If your company has a website and does business online, PCI compliance requires that you ensure that your website and other web applications are secure.
You are required to scan your shopping cart and other web applications for vulnerabilities!
Acunetix Web Vulnerability Scanner helps you meet the following PCI requirements:
- (Requirement 2.2.2) Disable all unnecessary and insecure services and protocols
- (Requirement 2.2.3) Configure system security parameters
- (Requirement 2.2.4) Remove all unnecessary functionality
- (Requirement 2.3) Encrypt all non-console administrative access
- (Requirement 4) Encrypt transmission of cardholder data across open, public networks
- (Requirement 4.1) Use strong cryptography and security protocols
- (Requirement 6) Develop and maintain secure systems and applications
- (Requirement 6.1) Ensure that all system components and software have the latest vendor-supplied security patches
- (Requirement 6.5) Develop applications based on secure coding guidelines and prevent common coding vulnerabilities in software development
- (Requirement 6.5.1) Injection Flaws
- (Requirement 6.5.2) Buffer Overflows
- (Requirement 6.5.3) Insecure Cryptographic Storage
- (Requirement 6.5.4) Insecure communications
- (Requirement 6.5.5) Improper error handling
- (Requirement 6.5.6) All "High" vulnerabilities identified in the vulnerability identification process
- (Requirement 6.5.7) Cross Site Scripting (XSS) flaws (input validation)
- (Requirement 6.5.8) Improper Access Control
- (Requirement 6.5.9) Cross-site Request Forgery (CSRF)
- (Requirement 6.6) Ensure that all web-facing applications are protected against known attacks
Acunetix will check your website and alert you to any issues you need to fix. Once the issues are fixed, it will create a detailed report which allows you to easily prove that you meet these particular PCI requirements.
A sample of such a report (of a web site application that does NOT meet the standards) can be found here.
Only a web vulnerability scanner such as Acunetix can help you meet the above requirements; network security scanners are not able to check them!