By Rachel Murphy, Bayshore Solutions’ Accounting Team
Does your company accept credit card payments? If so, you are required to comply with the standards set by the Payment Card Industry, i.e., to be PCI compliant.
There are multiple items that will transition from best practices to requirements on July 1, 2015 in accordance with the Payment Card Industry’s Data Security Standards. Below are some of the key changes you (and your IT department) should be aware of, especially when it comes to your online presence.
“Assure Your Secure Sessions”
Broken Authentication and Session Management (Section 6.5.10)
Typically, when you visit an eCommerce website that accepts credit cards, enhanced security is put into place to ensure the details of your transaction or credit card information cannot be exposed. The new standards require that coding techniques address security issues related to authentication and session management. Some of these include:
- Flagging session tokens (i.e. cookies) as “Secure.”
- Not exposing session IDs in the URL.
- Incorporating appropriate time-outs and rotation of session IDs after a successful login.
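As an added illustration (not code from the original post, and not nopCommerce's own implementation), the three items above in a minimal Python session store: an unguessable ID, a cookie flagged Secure and HttpOnly, an idle timeout, ID rotation on login, and a check for the anti-pattern of carrying the ID in the URL. The cookie name, the 15-minute timeout and the SameSite value are assumed policy choices.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse, parse_qs

IDLE_TIMEOUT = 15 * 60  # assumed policy: seconds of inactivity before a session is dropped
COOKIE_NAME = "sid"     # assumed cookie name

@dataclass
class Session:
    user: Optional[str] = None
    last_seen: float = field(default_factory=time.time)

class SessionStore:
    """In-memory store that enforces an idle timeout and rotates the ID on login."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, now=None):
        sid = secrets.token_urlsafe(32)  # 256-bit token from the OS CSPRNG, not a counter
        self._sessions[sid] = Session(last_seen=now if now is not None else time.time())
        return sid

    def get(self, sid, now=None):
        now = now if now is not None else time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]  # expired: remove it so the old ID can never be reused
            return None
        s.last_seen = now
        return s

    def login(self, sid, user, now=None):
        """Authenticate and rotate: the pre-login ID is invalidated, so a leaked or fixated ID is useless."""
        if self.get(sid, now) is None:
            return None
        del self._sessions[sid]
        new_sid = self.create(now)
        self._sessions[new_sid].user = user
        return new_sid

def set_cookie_header(sid):
    """Secure = sent only over HTTPS; HttpOnly = not readable by page scripts; SameSite limits cross-site sending."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def url_leaks_session_id(url):
    """True if the session ID travels in the query string, where logs, referrers and history would expose it."""
    return COOKIE_NAME in parse_qs(urlparse(url).query)
```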
If you are using a widely available content management system (CMS) or shopping cart, it is very likely that these security measures are already integrated into that system. For instance, nopCommerce is a very popular .NET eCommerce solution that is PCI compliant and one that Bayshore Solutions uses for many of our implementations. However, there are still custom-built eCommerce platforms out there that may not use these techniques, which could lead to exposure and data breaches.
You should engage your development firm to thoroughly examine your current software and coding to ensure any data or authentication risks have been properly addressed.
“Sharing is Not Caring”
Additional Requirement for Service Providers (Section 8.5.1)
If you allow any service providers with remote access to your premises (for example, for support of POS systems or servers), each provider must use a unique authentication credential (such as a password/phrase) to access your systems.
Otherwise, it becomes too difficult to identify the user of the account in the event of a breach. Using shared authentication is one of the easiest ways to access vulnerable data, and this change will provide increased security over previous non-password methods.
Penetration Testing (Section 11.3)
Of all the mandated changes, this one has the potential to be the most challenging and costly to implement. Merchants (that’s you) will be required to regularly test their security systems and the related processes surrounding their entire network. It’s known as penetration testing, and you are essentially trying to test the network for vulnerabilities. To simplify, you’re paying someone to hack your network.
Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses.
For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources the server has access to. In this way, a tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment.
The excerpts listed above are just a few of the upcoming changes that may affect your firm, and you should be aware of all of the standards in place and how each one impacts your business. Remember, if you accept credit cards in any fashion, even if it is through a web site, you are required as a company to be PCI compliant. Not doing so can open your company to financial and legal risk in the event of a data breach.
Bayshore Solutions offers PCI compliant web development and hosting infrastructure. Learn how we can help your eCommerce business stay compliant and competitive in the marketplace. Contact us today!
Source: Payment Card Industry (PCI) Data Security Standard, v3.0, © PCI Security Standards Council