What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard for an organization’s information security. It ensures that businesses securely handle the payment information of buyers who pay with cards from the major credit card companies, such as Visa, MasterCard and American Express. Since December 15, 2004, it has replaced the individual security requirements that each credit card brand previously maintained.
The standard is organized around 12 main requirements covering networks, systems and infrastructure, cardholder data handling, access control management and the procedural arrangements around them. Together, the 12 main requirements expand into more than 250 separate rules that businesses holding payment card information need to follow.
Does every company have to be compliant? How compliant does your business have to be?
Yes, every company that accepts credit card payments has to prove its compliance in one of the following ways: either by completing a Self-Assessment Questionnaire or by being assessed by a Qualified Security Assessor.
The compliance requirements differ depending on how payments are accepted, but the main question to ask is whether you want to store your customers’ cardholder data. If you do, you immediately become subject to the full PCI compliance requirements, which means your business must validate against the 250+ requirements. Everyone else needs to make sure they do not store, process, or transmit any cardholder data on their systems or servers.
What are the PCI compliance requirements and where does one implement them?
The 12 PCI DSS requirements can be classified into three main subgroups:
Infrastructure. For the infrastructure to be compliant, it must be secure enough to store cardholder data. This requires a firewall and antivirus software, that no system defaults remain in use on the machines, that physical and virtual access to the infrastructure is secured, monitored and logged, and that any remote access is encrypted.
Applications. They must be hosted on a compliant infrastructure, and built in a way compliant with all the requirements. For example, we at Oro build applications in compliance with PCI requirements from the start. Every step of handling cardholder data must be encrypted and secured, especially when any bit of it may potentially be transmitted through open or public networks.
Processes. To be PCI compliant, you must create clear information security policies and procedures covering deployment, working with data, access management, and general data handling. You must also ensure appropriate staff training and regularly test and monitor security systems and processes. This includes managing access to the data with extreme care: using unique IDs with two-factor authentication, granting access only on a need-to-know basis, and allowing only trained personnel to access the sensitive data.
In addition, when integrating your systems with external providers or implementing new solutions, it’s best to choose those that are already PCI DSS compliant, so you don’t have to work through a gazillion additional integration requirements.
How do Oro solutions measure up? What is the shared responsibility when we use Oro products?
If OroCommerce is deployed in the OroCloud infrastructure, it offers your business a PCI DSS compliant solution. This means that you will get a secure and PCI-compliant infrastructure and will only have to take care of the procedural controls, internal employee training and policies.
OroCommerce deployed in a non-OroCloud infrastructure already covers all the Application requirements of PCI DSS, but compliance of the infrastructure, network security, procedures and policies, as well as staff training, remains the client’s responsibility.
To help you figure out which aspects of your eCommerce infrastructure you don’t have to worry about, because Oro has them covered, and where you still need to pay attention, we have created this “PCI DSS Shared Responsibility Matrix for OroCommerce”. We have listed the 12 main PCI DSS requirements in the table below and marked how OroCloud and on-premise deployments address each of them.
“+” – means that OroCommerce is responsible for this requirement and conforms to it;
“-” – means that in this particular configuration, OroCommerce cannot be responsible for conformity with this requirement, as it’s on the client’s side, and so the client is responsible for making sure their infrastructure meets it.
“+/-” – this configuration of OroCommerce conforms to the requirement, but there are areas and/or processes out of our control that have to be taken care of on the client’s side.
Simplified PCI DSS Shared Responsibility Matrix for OroCommerce
| # | PCI DSS Requirement | OroCloud-hosted OroCommerce PaaS solution | OroCommerce on-premise |
|---|---|---|---|
| 1 | Install and maintain a firewall configuration to protect cardholder data. | + | - |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | + | - |
| 3 | Protect stored cardholder data.** | + | +/- |
| 4 | Encrypt transmission of cardholder data across open, public networks. | + | - |
| 5 | Use and regularly update antivirus software.* | +/- | - |
| 6 | Develop and maintain secure systems and applications. | + | + |
| 7 | Restrict access to cardholder data by business need-to-know.** | +/- | +/- |
| 8 | Assign a unique ID to each person with computer access.*** | +/- | +/- |
| 9 | Restrict physical access to cardholder data. | + | - |
| 10 | Track and monitor all access to network resources and cardholder data.** | + | +/- |
| 11 | Regularly test security systems and processes. | +/- | - |
| 12 | Maintain a policy that addresses information security. | +/- | - |
* Oro is compliant for its part of the OroCommerce application security, and the client is responsible for keeping the equipment and applications they use up to date.
** OroCommerce implemented on OroCloud provides all the necessary tools to track and monitor who accesses the network and cardholder data.
*** Oro does not restrict access or assign unique IDs to users itself, but we give our clients the tools to manage this.
Complying with PCI DSS requirements is not a mere formality, but a way to promote loyalty and trust among potential and existing clients. It’s a healthy information security practice followed by most of your peers and competitors.