PCI Compliance Basics and Tips
Can a Cartweaver site be PCI compliant? Absolutely! Many sites have passed PCI compliance audits using Cartweaver. Keep in mind that it is the merchant's site, hosting environment and processes that are assessed, not the cart software on its own, so the points below matter as much as the choice of cart.
What you need to know:
It's no secret that identity theft and customer information security have become huge concerns for anyone doing business on the web. Unfortunately, there are far too many careless online merchants who improperly handle sensitive consumer data, and countless unscrupulous individuals eager to take advantage of the situation. The industry is trying to do something about it, but it's extremely difficult when you are dealing with a rapidly moving target like internet security. One of the leading efforts to increase the security of online commerce is the movement toward the PCI Data Security Standard (PCI DSS). Will this be the solution? The magic bullet to kill identity theft and bring security to the web... who knows, time will tell. But any effort to increase the security of online commerce is a worthwhile endeavor.
So what can you do to become PCI compliant, and make your site safer to do business with?
First of all, go to http://www.pcicomplianceguide.org and become more familiar with what PCI is, and the general recommendations to better secure your online business.
Next, if you have a Cartweaver site or any shopping cart site for that matter, what should you do? Let's take a look at what is required to have a "PCI secure site" and briefly discuss what can be done to see if your site measures up.
The following requirements are taken directly from http://www.pcicomplianceguide.org/pci-basics.html - we'll look at these one at a time, to see how Cartweaver addresses the issues it can, as well as other steps to better secure your online store.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- The firewall itself is in your hosting provider's court; what is in yours as a developer is keeping the database out of reach from the web. If using an Access database, store the file in a folder outside the web root (or otherwise non-browseable), so that it can never be requested by URL. If you are using a SQL Server or MySQL database, be sure your host has it properly secured: reachable only from the web server, not from the public internet.
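A check for the developer's half of this requirement, added here as an example and not part of Cartweaver: given the web root and the path the application is configured to use for its database file, it reports whether the file sits where the web server could serve it. The path is compared both as written (so a symlinked folder inside the web root is still flagged) and after resolving symlinks and ".." segments (so a path that only looks like it is outside is caught too). The paths below are constructed for illustration.

```python
import os
from typing import List


def _under(root: str, path: str) -> bool:
    """True if path is root itself or lies beneath it (component-wise, so
    /var/www/sitedata is NOT under /var/www/site)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:
        return False  # different drives on Windows: cannot be under the root


def database_is_exposed(web_root: str, db_path: str) -> bool:
    """True if the database file would be reachable by a browser.

    Two forms of each path are checked: the lexical form (absolute, '..'
    collapsed, symlinks NOT followed), which is what the web server maps
    URLs against, and the fully resolved form, which is where the bytes
    actually live. Either one landing inside the web root counts as exposed.
    """
    roots = {os.path.normpath(os.path.abspath(web_root)), os.path.realpath(web_root)}
    paths = {os.path.normpath(os.path.abspath(db_path)), os.path.realpath(db_path)}
    return any(_under(r, p) for r in roots for p in paths)


def audit(web_root: str, db_paths: List[str]) -> List[str]:
    """Return the configured database paths that must be moved out of the web root."""
    return [p for p in db_paths if database_is_exposed(web_root, p)]


if __name__ == "__main__":
    # Constructed example: web root /var/www/site with three candidate locations.
    candidates = [
        "/var/www/data/shop.mdb",                 # sibling of the web root: safe
        "/var/www/site/db/shop.mdb",              # inside the web root: exposed
        "/var/www/data/../site/db/shop.mdb",      # '..' leads back inside: exposed
    ]
    for p in audit("/var/www/site", candidates):
        print("EXPOSED, move it:", p)
```

Run it against the real paths from your site's configuration; anything it prints is a file that a visitor could download with nothing more than a guessed URL.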
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Be smart! By all means change all default usernames and passwords, and use something strong enough to ward off guessing attempts: a mix of letters, digits and symbols, at least 8 to 10 characters long (longer is better). Change your passwords periodically (PCI DSS requires at least every 90 days) so that a password that has leaked without your knowledge does not stay useful for long. This applies to the Cartweaver administrator accounts, the database login and your hosting account alike.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
- Cartweaver NEVER stores this data, and neither should you. It is handed off to the payment gateway and then promptly "forgotten". No matter what your client may say, never be persuaded to alter your site to store the card type, number, expiration date or security code... ever! Just don't go there. (The security code in particular may never be retained after authorization under PCI DSS, no matter how well it is protected.) In a shared hosting environment there is no way to store this data securely. The same goes for accidental storage: make sure card details never end up in debug output, application logs, error e-mails or database backups. Treat it like the hot potato it is, let Cartweaver hand it off as quickly as possible and be free of it.
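A check a practitioner will want alongside the rule above, added here as an example and not Cartweaver code: scan application logs, error mails or a database export for anything that looks like a card number, so that a debugging change never quietly starts retaining what the cart hands off. Candidate digit runs are confirmed with the Luhn check so that order numbers and phone numbers are not flagged, and a redaction helper masks all but the last four digits, which is the most PCI DSS permits to be displayed. The log lines are constructed for the example and contain only a published test card number.

```python
import re
from typing import Dict, List

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so a 20-digit run is rejected).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the card numbers (separators removed) found in one line of text."""
    return [_normalise(m.group(0)) for m in _CANDIDATE.finditer(text)
            if luhn_valid(_normalise(m.group(0)))]


def redact_pans(text: str) -> str:
    """Replace each detected card number with its masked form (last four only)."""
    def mask(m):
        digits = _normalise(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)           # not a card number: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(mask, text)


def scan_lines(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> card numbers found, for every offending line."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits[i] = pans
    return hits


# Constructed sample log lines (not real data): a 13-digit order number that
# fails Luhn, a debug line that leaked a test card number, a phone number and
# a 20-digit identifier that is too long to be a card number.
SAMPLE_LOG = [
    "2011-03-02 14:05:11 checkout ok order=1234567890123 gw=authnet",
    "2011-03-02 14:05:12 DEBUG gateway request card=4111 1111 1111 1111 exp=0113",
    "2011-03-02 14:05:13 customer phone=555-0100 id=12345678901234567890",
]

if __name__ == "__main__":
    for i, pans in scan_lines(SAMPLE_LOG).items():
        print(f"line {i}: {len(pans)} card number(s) found")
        print("  redacted:", redact_pans(SAMPLE_LOG[i]))
```

Point `scan_lines` at your web server and application logs, any error-notification mailbox and a dump of the store database; a single hit means something in the checkout path is keeping card data, and the offending line (and the code that wrote it) has to go.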
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Yes - by all means get an SSL certificate (a TLS certificate, in current terms) issued for your own domain and have it properly installed on the web server for your site. Resist the temptation to use the host's shared SSL if they offer one; your secure pages would then sit under the host's domain rather than yours. Instead, get your own certificate supporting 128-bit or stronger encryption and have it installed before your first transaction. If the host needs a dedicated IP address for your site in order to install your certificate, request one. Then make sure every page that collects cardholder data, and the request that sends it to the gateway, is served only over https.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
- Anti-virus, operating system patching and the server software are the responsibility of your hosting provider. The application is yours: keep Cartweaver and any custom code built on it up to date, and do not leave old copies, backups or test scripts in the web root. Have in-depth, frank discussions with your host, and make sure you know what steps they take in this regard. Be sure they continually monitor and maintain security. If they don't provide clear and detailed information about these requirements, or get annoyed with your insistence on getting this information... change hosts!
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
- Again, Cartweaver does not store this data. Ever.
Requirement 8: Assign a unique ID to each person with computer access
- Cartweaver allows you to create individual administrator accounts; give each person their own and never share one. Be sure your host does the same. Each customer also has unique identifying credentials. Again, overall risk is greatly reduced by the fact that credit card data is not stored: apart from e-mail addresses, login credentials and order history, the data in your Cartweaver customer database is little more than what is freely available in the local telephone directory. It is still your customers' personal information, so protect it just the same.
Requirement 9: Restrict physical access to cardholder data
- Once again - this is not stored. If you choose a reputable payment gateway this data is secure. Neither the developer, the merchant nor their employees have any access to this data. You can't steal or tamper with something you don't have.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
- The credit card data is not stored in any way, shape or form, and with the SSL encryption it is securely transferred to your payment gateway - that takes care of the cardholder data from the application and development standpoints. What remains is yours and your host's: keep the web server's access logs and a record of who holds administrator access so that activity on the site can be traced, and arrange the external vulnerability scans PCI DSS requires for internet-facing systems (quarterly, by an Approved Scanning Vendor). Just be sure to use a qualified, reputable payment gateway and hosting provider.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
- Be proactive! Your application (Cartweaver) does its part, provided your database is adequately secured, SSL is in place, and usernames and passwords are properly set. Write down who is responsible for what - you, the host and the payment gateway - so that nothing falls between the cracks, and talk frankly with your host and payment gateway provider to be sure their end is taken care of.
Being able to transact business safely and securely is the right of every person who chooses to spend their hard earned money online. Internet shoppers are showing a high degree of trust when they make an internet purchase. It is the responsibility of every online merchant, application developer, website developer and designer to do all they can to fulfill that trust, by providing a safe, secure "place" to do business. We encourage you to take some time to focus on what is perhaps the single most important aspect of your ecommerce website: making sure your site meets PCI standards, with or without official third party certification. You and your customers will be glad you did.