The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
Merchant levels as defined by Visa:
1: Any merchant processing over 6M Visa transactions per year.
2: Any merchant processing 1M to 6M Visa transactions per year.
3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year and other merchants processing up to 1M Visa transactions per year.
Best Practices
- Process transactions immediately online or hand off the processing to your bank.
- Do not store any CC numbers, ever. If they must be stored, you must follow the PCI guidelines to the letter.
- If you are using a shared host for your site, you cannot comply with the PCI guidelines. You must have your own infrastructure to comply with the PCI guidelines.
If you do end up storing CC numbers:
- Encrypt them.
- Follow the merchant agreement.
- For recurring payments, limit the term to 1 year.
Other considerations:
- PCI only allows presentation of the first six (the BIN) or last four digits.
- Must not store CVV, etc.
- Must patch systems within 1 month of a patch becoming available.
- Reversals should be signed off by two distinct employees.
PCI DSS Control Objectives
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
PCI Sections Addressing Application Security
- 3.1 Protect stored cardholder data
- 3.2 Protect authentication data
- 3.4 Protect Personal Account Numbers (PAN) data
- 4.1 Encrypt transmission of cardholder data across public networks
- 6.3 Develop and maintain secure applications
- 6.5 Develop web applications using secure coding
- 6.6 Protect web applications against known attacks
- 8.1 Assign a unique ID to each person with computer access
- 10.1 Track and monitor all access to network resources and cardholder data
- 10.2 Implement automated audit trails
- 10.3 Record audit trail events
- 11.3 Regularly test security systems and processes
- 11.4 Use intrusion detection/prevention systems
PA-DSS Summary
- Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators