Be a PCI Compliant Online Merchant
Although the PCI DSS has been published and enforced for several years, there are still several organizations scrambling to deliver online credit card purchases in a PCI compliant, or even certified, environment. Here are three important steps to becoming a PCI compliant online merchant:
1. Choose the right hosting provider; PCI compliance is not a checkbox. Many hosting providers offer PCI compliant environments and others offer a PCI certifiable hosting environment. What is the difference? A PCI compliant deployment implies that the application, the networking devices and the operating systems are deployed in a manner consistent with the requirements of the PCI DSS. For example, the firewall is deployed with NAT enabled, with filtering for RFC 1918 addresses, and with an explicit deny any any (among other requirements). The common point of confusion is that this strategy does not, by itself, provide a PCI certifiable environment. Other managed hosting providers have painstakingly built PCI certification solution sets that deliver any or all of the pieces necessary to achieve compliance with all 12 DSS requirements and their sub-requirements. If you are looking to provide online credit card sales, you must determine what you want from your ISP and hosting provider.
3. Develop the right strategy for handling cardholder data. Many online merchants believe that it is important to retain credit card information after the original transaction; however, if you do so, you must introduce controls and technology that are in line with the requirements of the PCI Security Standards Council for retaining cardholder data. Adding these solutions, policies, and procedures can be expensive and difficult to maintain. For example, all storage of cardholder data must be encrypted, access must be secured, and key management must be maintained in a secure manner. Furthermore, by deciding to retain cardholder information, you are opening your organization to potential risk that may have other legal ramifications beyond PCI, such as state legislation regarding consumer data breach and notification (e.g., the California Security Breach Information Act, formerly SB 1386). If there is no need to retain the cardholder data beyond the original transaction, it would behoove you to destroy that information upon completion of the transaction; there may be a significant reduction in cost and reduced liability.
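The retention decision above can be made explicit in the code that writes the transaction record. The following is an added example, not code from the original post: by default it keeps only a masked PAN (first six and last four digits, the display form PCI DSS allows) and discards the full number, and only when the caller hands in a retention key does it store a keyed one-way hash (HMAC-SHA256) that can match a returning card without the PAN itself being on disk. The `StoredTransaction` record, the `settle_and_store` function and the sample order values are constructed for illustration; the PAN is the standard 4111... test number, not a real card. Storing a keyed hash is one of the techniques the standard allows for rendering a PAN unreadable, and it still carries the key-management burden the post describes: the key must be held and rotated outside the transaction store.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a standard test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation; rejects obviously mistyped numbers early."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the form PCI DSS permits
    for display and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN. Deterministic under one key (so a returning
    card can be recognised) but not reversible, and useless without the key,
    which must live in a separate key-management system."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class StoredTransaction:
    order_id: str
    amount_cents: int
    masked_pan: str
    pan_token: Optional[str] = None   # only populated when retention is required


def settle_and_store(order_id: str, amount_cents: int, pan: str,
                     retention_key: Optional[bytes] = None) -> StoredTransaction:
    """Build the record that is persisted after authorisation.

    Without a retention key the full PAN goes out of scope when this function
    returns; nothing reversible is written. With a key, a keyed hash is kept in
    place of the PAN, which is the cheaper end of the retention obligations the
    standard imposes."""
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    token = pan_token(pan, retention_key) if retention_key is not None else None
    return StoredTransaction(order_id, amount_cents, mask_pan(pan), token)


if __name__ == "__main__":
    print(settle_and_store("order-1001", 1999, SAMPLE_PAN))
    print(settle_and_store("order-1002", 500, SAMPLE_PAN, retention_key=b"k" * 32))
```

The difference between the two calls at the bottom is the whole retention decision: the first record contains nothing that needs encryption or key management, the second does.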
- August 19th