Securing Your Website for PCI
Securing your website, no matter what kind of website, can be a big job. Most of the things you need to do are common sense and awareness. We don't expect you to know how to sanitize database queries, but rather that you know and realize that there are resources and standards to use and follow. This post, designed to be very simple, will help you get on board with PCI DSS compliance. Remember, June 30th 2012 is D-Day: all merchants accepting credit cards will be required to be PCI compliant.
I suggest that you start with the first post in this series, PCI, Passwords & Aggravation.
Welcome back. Now lets get on with securing your website.
If you accept credit cards on your website (people enter a credit card number on your website) you are required to be PCI DSS compliant as of June 30th, 2012. There are no excuses, exclusions or get-out-of-jail-free cards. Man up and get to work.
- The very first thing you need to do is limit and control access to your website and web hosting. Whenever possible, limit access to the task level: don't give the order processor access to your whole admin, and don't give the guy uploading images over FTP access to the root. Each person must have their own individual, unique login, so all 10 employees cannot share the same credentials.
- Use strong passwords of 8 characters or more, with upper and lower case letters, numbers and symbols wherever possible. Do not use names or real words in them. Do not use the same password for more than one application. Do not store them unsecured or send them electronically.
- Change ALL passwords associated with your website every 60-90 days. Log each change with the date and the person who made it, but NOT the password itself. This means PayPal, gateways, admin, hosting, email etc.
- Contact your merchant bank and find out what they want you to provide as compliance credentials. They may insist on a specific PCI scanner (which is really BS: you should be allowed to use whomever you want as long as they are a PCI Approved Scanning Vendor, ASV). Fill out your SAQ (help with SAQ), get your scans done at least quarterly and submit them to your merchant bank. We use Trust Guard because we like the seals, they use an approved scanning vendor and the price is very reasonable (not the cheapest, but excellent service and less than average price).
- Keep server software, website software and computer software of any kind up to date. For example, if you use Zen Cart, clicking on the version in the top right of your admin should show 1.5.0; if not, you are required to upgrade now.
- ALL login forms and checkout pages must be secured with SSL. That means the page that displays the form, not just the page it submits to, so the sidebox login you may have on your (non-SSL) main page has to go!
- Make sure you stay up to date with software upgrades and patches. Most software platforms have an RSS feed or newsletter you can subscribe to or follow to be informed of updates and patches. Zen Cart's update forum is here; either check it frequently or subscribe to the thread. WordPress can be checked from your dashboard, or check here and here.
- Check Secunia for advisories about the software you run. Below is a shortlist:
CKEditor / FCKeditor ~ Security Advisories
Coppermine Photo Gallery ~ Security Advisories
CubeCart ~ Security Advisories
Drupal ~ Security Advisories
Joomla (all versions) ~ Security Advisories & Joomla Vulnerable Extensions List (VEL)
Mambo ~ Security Advisories
osCommerce ~ Security Advisories
phpBB ~ Security Advisories
TinyMCE ~ Security Advisories
WordPress ~ Security Advisories
Zen Cart ~ Security Advisories
- Have your web host or another trusted company deep-scan your website for malware and infected files quarterly. Sucuri has an excellent malware scanning service that we recommend, and they will even remove it for you if found.
- Implement and enforce a company Information Security Policy. Believe it or not, you actually have to tell employees not to share customers' information; common sense is NOT so common any more. Here is an example of one of our data policies (https://pro-webs.biz/data/).
- Restrict physical access to company systems and records containing cardholder data to only those employees with a business "need-to-know."
- DO NOT store cardholder data. Just don't; it's not smart for them or for you.
- Develop and maintain a vulnerability management program. This sounds worse than it is: basically, write down what you are doing, need to do and want to do to reduce vulnerabilities within your company, and keep that document current.
- If you accept credit cards over the phone and enter them into a gateway or terminal, you must also have your office IP(s) scanned.
- NEVER allow access to your website over WiFi or from an employee working from home.
- Your web hosting CANNOT have ANY plain-text logins. This means all hosting control panel functions, email access (even through software such as Outlook) and FTP must be secured with an SSL3 or TLS connection (TLS is preferred; SSL3 is deprecated and should be disabled wherever your host allows it).
- Use your head.... if it seems unsafe or dumb, IT IS!
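The SSL rule for login and checkout forms above can be checked mechanically. The following Python script is an added example (not code from the original post or from Zen Cart): it parses a page's HTML, finds every form that carries a password or card-number field, and flags it unless both the page it is rendered on and the URL it submits to are HTTPS. The two sample pages and the field-name heuristic in SENSITIVE_NAMES are constructed for this demonstration.

```python
"""Flag login/checkout forms that are not fully protected by SSL/TLS.

Added example, not code from the original post: a sensitive form passes only
when the page that renders it AND the URL it submits to are both https.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that indicate credentials or cardholder data, compared after
# lower-casing and stripping "_" / "-". Assumed heuristic; extend it for
# your own form naming conventions.
SENSITIVE_NAMES = {"password", "passwd", "ccnumber", "cardnumber",
                   "ccnum", "cvv", "cvv2", "cvc"}


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a sensitive input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "sensitive": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = attrs.get("type", "text").lower()
            name = attrs.get("name", "").lower().replace("_", "").replace("-", "")
            autocomplete = attrs.get("autocomplete", "").lower()
            if itype == "password" or name in SENSITIVE_NAMES or autocomplete.startswith("cc-"):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of findings for sensitive forms on this page.

    An empty or missing action means the form posts back to page_url; a
    relative action is resolved against page_url, so a plain-HTTP page with
    action="/login.php" still submits over HTTP.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if page_scheme != "https":
            findings.append(f"sensitive form rendered on non-HTTPS page {page_url}")
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"sensitive form on {page_url} submits to non-HTTPS {target}")
    return findings


# Constructed sample pages: a storefront home page with a sidebox login, and a
# checkout page whose card form already posts to an https URL.
SAMPLE_HOME = """<html><body>
<form id="sidebox-login" action="/index.php?main_page=login" method="post">
  <input type="text" name="email_address">
  <input type="password" name="password">
</form>
<form action="/index.php?main_page=advanced_search_result" method="get">
  <input type="text" name="keyword">
</form>
</body></html>"""

SAMPLE_CHECKOUT = """<html><body>
<form action="https://shop.example/index.php?main_page=checkout_process" method="post">
  <input type="text" name="cc_number" autocomplete="cc-number">
  <input type="text" name="cc_cvv">
</form>
</body></html>"""

if __name__ == "__main__":
    for url, html in [("http://shop.example/index.php", SAMPLE_HOME),
                      ("https://shop.example/index.php", SAMPLE_HOME),
                      ("https://shop.example/index.php?main_page=checkout", SAMPLE_CHECKOUT)]:
        print(url, audit_page(url, html) or "OK")
```

Run it against the HTML your server actually sends (fetch each page with the same URL the customer uses); the same sidebox login produces two findings when the home page is served over http and none when the whole page is https, which is exactly the distinction the rule above turns on.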
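The password rules and the rotation log from the list above, worked through as an added Python example (not code from the original post): password_problems() checks a candidate password against the stated policy, including a small dictionary match that survives common letter-for-symbol substitutions, and RotationLedger records who changed which credential and when, without ever storing the secret, then reports anything older than 90 days. The word list, the accounts and the dates are constructed samples.

```python
"""Password policy check and a credential-rotation ledger.

Added example, not code from the original post. The ledger records WHO changed
WHICH credential and WHEN, never the secret itself, and reports credentials
that have gone past the rotation limit.
"""
from datetime import date
import string

MIN_LENGTH = 8
ROTATION_DAYS = 90
# Tiny constructed word list; a real deployment would load a dictionary file.
COMMON_WORDS = {"password", "welcome", "summer", "admin", "zencart", "paypal", "letmein"}
# Letter-for-symbol substitutions folded back before the dictionary check,
# so "P@ssw0rd" is still caught as "password".
_LEET = str.maketrans("@$03", "asoe")


def password_problems(pw):
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    folded = pw.lower().translate(_LEET)
    for word in sorted(COMMON_WORDS):
        if word in folded:
            problems.append(f"contains dictionary word '{word}'")
    return problems


class RotationLedger:
    """Append-only log of credential changes: (system, account, who, date).

    No password, and no hash of one, is ever written here. The ledger only
    proves that rotation happened and tells you what is overdue.
    """

    def __init__(self):
        self._entries = []

    def record_change(self, system, account, changed_by, on):
        self._entries.append({"system": system, "account": account,
                              "changed_by": changed_by, "date": on})

    def last_rotation(self):
        """Map (system, account) -> date of its most recent change."""
        latest = {}
        for e in self._entries:
            key = (e["system"], e["account"])
            if key not in latest or e["date"] > latest[key]:
                latest[key] = e["date"]
        return latest

    def overdue(self, today, max_age_days=ROTATION_DAYS):
        """Return [(system, account, age_in_days)] past max_age_days, oldest first."""
        result = []
        for (system, account), last in self.last_rotation().items():
            age = (today - last).days
            if age > max_age_days:
                result.append((system, account, age))
        return sorted(result, key=lambda r: -r[2])


def demo_ledger(today=date(2012, 6, 30)):
    """Constructed sample: four changes across three credentials, checked on D-Day."""
    ledger = RotationLedger()
    ledger.record_change("hosting cPanel", "admin", "Jane", date(2012, 1, 5))
    ledger.record_change("PayPal", "merchant", "Jane", date(2012, 2, 20))
    ledger.record_change("Zen Cart admin", "orders", "Bob", date(2012, 3, 30))
    ledger.record_change("hosting cPanel", "admin", "Bob", date(2012, 4, 2))  # re-rotated, 89 days old
    return ledger.overdue(today)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Zenc@rt2012!", "Tr0ub4dor&3"]:
        print(candidate, password_problems(candidate) or "OK")
    for system, account, age in demo_ledger():
        print(f"OVERDUE: {system} / {account} last changed {age} days ago")
```

In the sample ledger the cPanel admin password was rotated twice and is 89 days old on June 30th, so it is not reported, while the PayPal and Zen Cart admin logins (131 and 92 days) are; note that only names and dates live in the ledger, which is what lets you hand it to an assessor as evidence.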
While PCI compliance is not a law (yet), there are state laws already in effect that write portions of the PCI Data Security Standard (PCI DSS) into law. In addition, there has been a big push by legislatures and industry trade associations to enact a federal law on data security and breach notification.
Many businesses only implement the rigid letter of the PCI DSS standard, kinda like "state minimum car insurance". They have technology and processes in place that satisfy the exact letter of PCI standards, but do nothing else to provide real security for their business. It is crucial that YOU and all of your company's assets embrace the spirit of the standard. Call it hyper-vigilance, or an awakening, but the days of "I did what I had to, so we're cool" are over. Just like any other set of standards or rules, PCI can only account for most, or many, potentially vulnerable situations; it does not do the work for you. Know your own routines. You and the people you work with must develop a sense of urgency and awareness to catch potential vulnerabilities within your own organization.
Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase your transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.