If your business accepts payment by credit card, PCI-DSS compliance is required. Non-compliance can cost you your merchant account and expose your company to fines, lawsuits and bad publicity.
Target – an illustration of the real-world need for PCI-DSS
PCI-DSS compliance is not just another bureaucratic standard to comply with. It is a set of essential business processes that protect consumers and the future of online business.
The breach at the American retailer Target is one of the largest known payment data thefts to date. During the 2013 holiday shopping season attackers stole approximately 40 million credit and debit card records, together with the personal details of some 70 million customers.
To reduce the chance of similar breaches, the major card brands, including VISA and MasterCard, maintain a common set of rules called the Payment Card Industry Data Security Standard (PCI DSS). The standard applies wherever cardholder data is stored, processed or transmitted: in-store retail, mail order, telephone order and, most importantly here, e-commerce.
The PCI security standards cover several security areas. Read the detailed white paper on PCI Compliance and standards.
PCI-DSS compliance requires that you audit your web site security
If your company has a website and does business online, PCI compliance requires that you ensure that your web site and other web applications are secure.
You are required to scan your shopping cart and other web applications for vulnerabilities!
Acunetix Web Vulnerability Scanner helps you meet the following PCI requirements (PCI DSS v3 numbering; requirement numbers shift between versions of the standard):
- (Requirement 1.3.8) Do not disclose private IP addresses and routing information to unauthorized parties
- (Requirement 2.1) Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network
- (Requirement 2.2.2) Enable only necessary and secure services, protocols, daemons, etc
- (Requirement 2.2.4) Configure system security parameters
- (Requirement 2.2.5) Remove all unnecessary functionality
- (Requirement 2.3) Encrypt all non-console administrative access
- (Requirement 4) Encrypt transmission of cardholder data across open, public networks
- (Requirement 4.1) Use strong cryptography and security protocols
- (Requirement 6) Develop and maintain secure systems and applications
- (Requirement 6.2) Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed
- (Requirement 6.4.1) Separate development/test environments from production environments, and enforce the separation with access controls
- (Requirement 6.4.4) Removal of test data and accounts before production systems become active
- (Requirement 6.5.1) Injection flaws
- (Requirement 6.5.2) Buffer overflow
- (Requirement 6.5.3) Insecure cryptographic storage
- (Requirement 6.5.4) Insecure communications
- (Requirement 6.5.5) Improper error handling
- (Requirement 6.5.7) Cross-site scripting (XSS)
- (Requirement 6.5.8) Improper Access Control
- (Requirement 6.5.9) Cross Site Request Forgery (CSRF)
- (Requirement 6.5.10) Broken authentication and session management
- (Requirement 8.1.6) Limit repeated access attempts by locking out the user ID after not more than six attempts
- (Requirement 8.2.1) Render all authentication credentials unreadable during transmission and storage
- (Requirement 8.5.13, the same lockout control under PCI DSS v2.0 numbering) Limit repeated access attempts
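To make concrete what a web scanner actually does for two of the items above, here is a small passive-check module of the kind such scanners run: it parses a raw HTTP response and flags RFC 1918 addresses leaked in headers or body (Requirement 1.3.8) and server-side stack traces or debug errors returned to the client (Requirement 6.5.5). This is an example added to this page, not Acunetix's own detection code; the error signatures, the `Finding` structure and the two sample responses are constructed for illustration and are deliberately not exhaustive.

```python
"""Passive HTTP-response checks mapped to PCI DSS 1.3.8 and 6.5.5.
Added example for this page; not Acunetix's own checks."""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple

# Dotted-quad candidates. The lookarounds stop longer dotted strings such as
# the build number "2.10.0.0.12" from yielding a spurious "10.0.0.12".
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed signatures of stack traces / debug output that a production
# response should never contain (assumption: a handful of common platforms).
_ERROR_SIGNATURES = (
    ("php", re.compile(r"<b>(?:Fatal error|Warning|Notice)</b>:.*on line \d+")),
    ("java", re.compile(r"^\s+at [\w$.]+\([\w$.]+\.java:\d+\)", re.M)),
    ("python", re.compile(r"Traceback \(most recent call last\):")),
    ("dotnet", re.compile(r"Exception Details: System\.\w+")),
    ("sql", re.compile(r"You have an error in your SQL syntax", re.I)),
)


class Finding(NamedTuple):
    requirement: str   # PCI DSS requirement the finding is evidence for
    title: str
    evidence: str


def split_response(raw: str) -> tuple[dict[str, str], str]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: dict[str, str] = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def private_ip_disclosure(raw: str) -> list[Finding]:
    """PCI DSS 1.3.8: flag private (RFC 1918, loopback, link-local) IPv4
    addresses appearing anywhere in the response headers or body."""
    headers, body = split_response(raw)
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    findings: list[Finding] = []
    for where, text in (("header", header_text), ("body", body)):
        for cand in _IPV4.findall(text):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ipaddress.AddressValueError:   # e.g. "999.1.1.1"
                continue
            if ip.is_private:                     # public addresses are not findings
                findings.append(Finding("1.3.8", "Private IP address disclosure",
                                        f"{cand} in {where}"))
    return findings


def improper_error_handling(raw: str) -> list[Finding]:
    """PCI DSS 6.5.5: flag stack traces and debug errors sent to the client."""
    _, body = split_response(raw)
    return [Finding("6.5.5", f"{name} error details exposed", m.group(0)[:60])
            for name, pat in _ERROR_SIGNATURES
            if (m := pat.search(body))]


def scan(raw: str) -> list[Finding]:
    """Run every passive check over one response and collect the findings."""
    return private_ip_disclosure(raw) + improper_error_handling(raw)


# Constructed sample responses (not captured from any real site).
SAMPLE_LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41\r\n"
    "X-Backend-Server: 10.20.30.40\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Fatal error</b>: Call to undefined function pay() in /var/www/cart.php on line 42\n"
    "Build 2.10.0.0.12 deployed on host 192.168.1.17"
)
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Thank you for your order. Build 2.10.0.0.12, resolver 8.8.8.8.</p>"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_LEAKY):
        print(f"[{f.requirement}] {f.title}: {f.evidence}")
    print("clean response findings:", scan(SAMPLE_CLEAN))
```

Two details are worth copying into any home-grown check: the address regex uses look-arounds rather than `\b`, because version and build strings such as `2.10.0.0.12` otherwise produce false positives, and the candidate is validated with `ipaddress` so that public addresses (and malformed quads) are never reported as a 1.3.8 finding.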
Acunetix checks your web site and alerts you to the issues you need to fix. Once they are fixed, a re-scan produces a detailed report that you can hand to your assessor or attach to your self-assessment as evidence that these particular PCI-DSS requirements are met. Note that a scan report is supporting evidence, not proof of compliance: requirements about policies, physical access, logging and network segmentation cannot be tested by any web scanner and still have to be met and documented separately.
A web vulnerability scanner is what you need for the application-level items above. Network security scanners enumerate open ports, service versions and missing patches, which helps with requirements such as 2.2.2 and 6.2, but they do not exercise application logic, so they cannot detect the Requirement 6.5 flaws (injection, XSS, CSRF, broken authentication and session management) or verify lockout behaviour (8.1.6).