The Payment Card Industry Data Security Standard (PCI-DSS) standardizes a set of security measures intended to keep consumers' credit card information and other personal information safe when it is exchanged online. Anybody can easily create a website and sell goods or services from it, but not everyone can as easily become PCI-DSS compliant, which requires responsibly following the industry standards that consumers rely on when they decide to trust a website with sensitive information.
Beyond the obvious consequences for business owners, such as losing customers' trust or having company data compromised, failing to address PCI-DSS compliance diligently can also lead to major fines (anywhere from $5-500,000), time-consuming investigations and stoppage of business operations.
How the PCI-DSS Standards Got Started
The founding members of the PCI-DSS Security Standards Council, including Visa, MasterCard, Discover Financial Services, JCB International and American Express, got together in 2004 to create the PCI-DSS standards in order to proactively protect cardholders against misuse of their personal information. According to an official PCI-DSS guide, "PCI applies to ANY organization or merchant, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI-DSS requirements apply."
Who Needs To Be Compliant
Any business or organization that accepts, transmits, or stores cardholder information should be PCI-DSS compliant. One of the more prominent concerns about PCI-DSS compliance is network security, and Web Application Firewalls (WAFs) have their own set of qualifiers they must pass in order to be considered PCI-DSS compliant. With that said, two parties need to be PCI-DSS compliant: the online merchant, who sets up their transaction service to meet the requirements, and the WAF provider, who supplies the security solution to the online merchant. Merchants also fall into various compliance levels, determined by how many transactions the merchant performs. For more information about the different levels and the series of steps each merchant must go through in order to meet the PCI requirements, you can find a simple guide by Dharma Merchant Services here.
Choosing the Right WAF for PCI-DSS Compliance
The PCI-DSS standards address six major concerns: a secure network, data storage, cybersecurity, administrative control, continuous monitoring and updating, and a formal security policy. PCI-DSS Requirement 6.6 gives an in-depth overview of how to protect and actively test any online environment that needs to keep cardholders' data safe from untrusted activity. Of the six major concerns, PCI-DSS 6.6 is arguably the most complex and most commonly questioned section of all the PCI-DSS standards.
For WAF providers, manual security testing is required to prove that the PCI-DSS standards are being strongly met. That testing must cover the following areas:
- Injection flaws, particularly SQL injection
- OS Command Injection, LDAP and XPath injection flaws, as well as other injection flaws
- Buffer overflows
- Insecure cryptographic storage
- Insecure communications channels
- Improper error handling
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Broken authentication and session management
- Improper access control (insecure direct object references, failure to restrict URL access)
The checklist above is a good one for WAF providers to work through when looking to become PCI-DSS certified. For online merchants and other website owners, it is also a good reference to discuss with third-party WAF providers when choosing security solutions that meet PCI-DSS standards.
Business Owners Should Rely on PCI-DSS
Any business owner that takes credit card information needs to follow the PCI-DSS standards in order to operate online successfully, safely, and ethically. Finding a reliable WAF solution can help mitigate the risk of handling cardholders' information and will also settle any security questions around PCI-DSS 6.6 in the future.