A Brief PCI-DSS Checklist for eCommerce Sites Working with User Credit Card Data

What Are the PCI Data Security Standards?

PCI Data Security Standards (PCI-DSS) are general guidelines for any organization that handles payment transactions involving user data. Compliance is necessary to protect user financial data (mainly credit card numbers) from disclosure after a successful cyber-attack. eCommerce sites are constantly attacked by cybercriminals who want to steal user data for fraud and identity theft. For new eCommerce site owners, PCI-DSS provides general guidance that helps them choose infrastructure and data security controls that limit risk and avoid a potentially expensive data breach.

Your Network Infrastructure Must Be Secure

Hosting infrastructure in-house has largely been replaced by cloud services such as AWS or Azure, but cloud services can still be breached if they are configured incorrectly. For example, Amazon offers a storage service called S3 that is commonly integrated into eCommerce infrastructure. One wrong setting on an S3 bucket can expose all of the data stored in it to the public Internet.
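The kind of check an auditor would run over bucket settings pulled from the AWS console or API, as an added example (not MarkNet Group's code): it reads a bucket policy and the four Block Public Access flags and reports anything that grants access to an anonymous principal. The two bucket snapshots and the account ID in them are constructed sample data.

```python
"""Flag S3 bucket settings that expose stored data to the public Internet.

Added example, not the page's own code. Input is the bucket policy JSON and
the Block Public Access configuration as exported from AWS; the buckets
below are constructed samples.
"""
import json

BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def _policy(principal, actions, resource):
    """Build a one-statement bucket policy document (helper for the samples)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": actions, "Resource": resource}]})


# Constructed: an open bucket (public policy, blocking off) and a locked one.
SAMPLE_BUCKETS = {
    "orders-archive": {
        "block_public_access": dict.fromkeys(BLOCK_SETTINGS, False),
        "policy": _policy("*", "s3:GetObject", "arn:aws:s3:::orders-archive/*"),
    },
    "orders-archive-locked": {
        "block_public_access": dict.fromkeys(BLOCK_SETTINGS, True),
        "policy": _policy({"AWS": "arn:aws:iam::123456789012:role/order-service"},
                          ["s3:GetObject", "s3:PutObject"],
                          "arn:aws:s3:::orders-archive-locked/*"),
    },
}


def _is_public_principal(principal) -> bool:
    """True when Principal means 'anyone': "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_statements(policy_json: str) -> list:
    """Return Allow statements granted to an anonymous principal.

    A Condition block may narrow such a statement (e.g. to one source VPC),
    so conditioned statements are flagged for manual review, not accepted.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append({"actions": actions, "conditioned": "Condition" in stmt})
    return findings


def audit_bucket(name: str, bucket: dict) -> list:
    """Human-readable findings for one bucket; an empty list means nothing found."""
    findings = []
    bpa = bucket["block_public_access"]
    disabled = [k for k in BLOCK_SETTINGS if not bpa.get(k, False)]
    if disabled:
        findings.append(f"{name}: Block Public Access disabled for {', '.join(disabled)}")
    for stmt in public_statements(bucket["policy"]):
        note = " (has Condition, review manually)" if stmt["conditioned"] else ""
        findings.append(f"{name}: policy allows {', '.join(stmt['actions'])} to everyone{note}")
    return findings


def audit_all(buckets: dict = SAMPLE_BUCKETS) -> dict:
    """Run audit_bucket over every bucket and map bucket name to its findings."""
    return {name: audit_bucket(name, b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["OK"])
```

Real buckets also carry legacy ACLs; the same review should treat an ACL grant to the AllUsers or AuthenticatedUsers group as public, which is why the Block Public Access flags are checked alongside the policy.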

MarkNet Group works with a lot of eCommerce clients using Amazon Web Services and on too many occasions we first need to fix the AWS configuration.

Another important component that should be properly configured and placed in the right locations is a firewall (or multiple firewalls for larger organizations). Firewalls block public traffic from accessing internal resources. Along with an intrusion detection system, firewalls can also help identify ongoing attacks and log traffic for cybersecurity forensics.

In addition, avoid relying on vendor default security settings. For home users, default settings are usually sufficient to protect against external attacks, but corporate network security requires a much more precise approach. Most site owners have at least one resource that should be available only to authorized users, and access to it must be configured so that only those users can reach it; otherwise attackers could breach the system. Default security settings shipped with equipment cover basic protection, but they can be insufficient for protecting sensitive user data in a corporate environment.

Credit Card Data Must Be Properly Protected

For small eCommerce sites, it can be difficult for the owner to know what “proper” protection means. One component missing from many cybersecurity procedures is the human element. Employees should be trained in the many ways attackers use social engineering and phishing to obtain data or breach infrastructure. Some attackers use phishing emails to trick users into installing ransomware so that data can be encrypted and held hostage for a sizeable fee.

To help avoid disclosure of user credit card data, here are a few more tips:

  • Always transmit credit card data using encryption (HTTPS, i.e. HTTP over TLS, for eCommerce).
  • Never store credit card numbers in cleartext. Store them in encrypted form.
  • Educate employees on the dangers of storing data on personal devices, including USBs.
  • Don’t communicate credit card numbers in emails or other unencrypted communication applications.
  • Use strict authorization and authentication measures for anyone who needs access to credit card records.
  • Keep audit trails of every user who accesses customer records, including ones with credit card information.
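The storage, display and "never in email" tips above can be enforced in application code. The following is an added example, not the page's code: it validates a card number, reduces it to a masked display form (last four digits only, as the need-to-know section below suggests), derives a keyed one-way token so a lookup key can be stored without the clear number, and scans free text such as an outgoing email or log line for card numbers that should not be there. The HMAC key, the email text and the card number are constructed; the key is assumed to come from a secret manager or HSM in a real deployment.

```python
"""Handle card numbers (PANs) so the clear PAN is never stored, logged or emailed.

Added example, not the page's own code. Assumptions: TOKEN_KEY is loaded from
a secret manager or HSM in production (a constructed constant here), and the
card numbers below are well-known test numbers, not real cards.
"""
import hashlib
import hmac
import re

TOKEN_KEY = b"constructed-demo-key-do-not-use"  # assumption: injected from a secret store

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects most non-card digit runs found in text."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits, which is all customer service needs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(pan: str) -> dict:
    """Storage form: a keyed one-way token for lookups plus the last four digits.

    HMAC rather than a plain hash, because the space of valid card numbers is
    small enough that an unkeyed hash table could be reversed by brute force.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("invalid card number")
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "last4": digits[-4:]}


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers present in free text (emails, logs, tickets)."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text) if luhn_valid(m.group(0))]


def redact(text: str) -> str:
    """Replace card numbers with their masked form before text is logged or sent."""
    def _mask(m):
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_PATTERN.sub(_mask, text)


# Constructed sample: a support email that should never have contained the PAN.
SAMPLE_EMAIL = ("Hi, the customer's card 4111-1111-1111-1111 was declined; "
                "ticket number 1234567890123 for reference.")

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
    print(tokenize_pan("4111 1111 1111 1111")["last4"])
```

The same `redact` function belongs in the logging pipeline and the outbound mail hook, so that an employee pasting a card number into a ticket or an email does not create a new cleartext copy; the Luhn filter keeps order numbers and similar digit runs from being mangled.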

Use TLS v1.1 or Higher for Credit Card Data Transmissions

When data is not transferred over HTTPS, it travels in cleartext. An attacker located on the same network as the user (e.g. coworkers on the same corporate network or users of the same public Wi-Fi), or one who is able to install malware on the corporate network, can trivially intercept and steal credit card information. This attack is called a man-in-the-middle (MitM) attack.

PCI requires eCommerce sites to use TLS v1.1 or higher to stay compliant. Because TLS certificates are now widely deployed (many site owners install one for SEO reasons and to protect all user data), hosting a fully encrypted site no longer costs hundreds of dollars per site. Some hosting services even offer TLS certificates for free with a monthly hosting subscription.
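How a version floor is enforced in code, as an added example that is not part of the original post. The post gives TLS v1.1 as the PCI floor; the code uses TLS 1.2 as its minimum, which is what current guidance recommends, and that choice of `FLOOR` is an assumption of the example. It needs no network access: one helper grades the protocol list a server offers (as read from its configuration or a scanner report), the others build Python `ssl` contexts that refuse anything below the floor.

```python
"""Enforce a TLS version floor for a site that handles card data.

Added example, not the page's code. FLOOR is an assumption (TLS 1.2, the
version current guidance recommends, above the TLS 1.1 floor the page
states). No network access is needed.
"""
import ssl

# Ordered oldest to newest so a floor comparison is an index comparison.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
FLOOR = "TLSv1.2"


def non_compliant(offered) -> list:
    """Protocol names a server offers that fall below FLOOR.

    Unrecognised names are reported too, so a typo in a config cannot hide
    an old protocol from the review.
    """
    floor_idx = VERSION_ORDER.index(FLOOR)
    return [name for name in offered
            if name not in VERSION_ORDER or VERSION_ORDER.index(name) < floor_idx]


def server_context(cert_file=None, key_file=None) -> ssl.SSLContext:
    """Server-side context that refuses handshakes below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:                      # assumption: PEM chain and key on disk
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def client_context() -> ssl.SSLContext:
    """Client-side context (e.g. for calling a payment gateway): same floor,
    certificate verification and hostname checking left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(non_compliant(["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]))
    print(server_context().minimum_version, client_context().verify_mode)
```

The client side matters as much as the server side: an eCommerce application that talks to a payment gateway with certificate verification switched off is open to the same man-in-the-middle attack described above, regardless of which TLS version the customer-facing site uses.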

Use a “Need to Know” Standard for Credit Card Data Access

The “Need to Know” standard (also called the “least privilege” authorization model) means that only users who need credit card information to do their job should have access to it. For customer service staff, it is often better to show only the last four digits, which is enough for customers to verify their identity.

After privileges are assigned, they should be reevaluated regularly so that users who move to a different department or leave the company have unnecessary permissions revoked. It is common for employees to change departments while their old permissions remain active. This privilege accumulation gives a user excessive access, and even if the user is not malicious, an attacker who compromises the account can use it to obtain sensitive data.

Monitor and Track Systems That Store Credit Card Data

Authorization controls who can access data, but how do you know if a user account was compromised? Monitoring, audit trails, and tracking of user authentications trigger warnings when suspicious access is detected from any user account, including anonymous users. This requirement is one of the most important features your system should integrate because it limits the time an attacker has on the network, speeds up containment, and helps with the forensics and cleanup that follow once the vulnerability is patched. Monitoring systems can be expensive, but they can save organizations thousands when a compromise is detected and contained early after alerts are sent to the administrator.
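What an audit-trail review of a card-record store can look like, as an added example (not the page's code) that ties the monitoring point here to the need-to-know and permission-review points of the previous section. Each access in the log is compared with the current entitlement table, so a departed employee's account, an account with no entitlement at all, a support user reaching for a full card number, off-hours access to full numbers, and a login that succeeds after a burst of failures all raise alerts. The entitlement table, the log lines and their format, and the business-hours window are constructed assumptions.

```python
"""Review a card-record audit trail against current entitlements.

Added example, not the page's code. The entitlements, the log format
("<ISO time> user=<u> action=<a> outcome=<ok|fail> record=<id>") and the
business-hours window are assumptions; all data below is constructed.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(\S+) user=(\S+) action=(\S+) outcome=(\S+) record=(\S+)")
PAN_ACTIONS = {"view_full_pan", "export_pan"}   # actions that reveal a full card number
BUSINESS_HOURS = range(7, 19)                    # assumption: local 07:00 to 18:59
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Constructed: who currently holds a need-to-know for card records.
ENTITLEMENTS = {
    "alice": {"role": "billing", "active": True,  "card_access": "full"},
    "bob":   {"role": "support", "active": True,  "card_access": "last4"},
    "carol": {"role": "billing", "active": False, "card_access": "full"},  # left the company
}

# Constructed audit lines, one day of activity.
SAMPLE_LOG = """\
2024-03-04T02:41:10 user=carol action=view_full_pan outcome=ok record=ord-0998
2024-03-04T09:12:01 user=alice action=view_full_pan outcome=ok record=ord-1001
2024-03-04T09:15:22 user=bob action=view_last4 outcome=ok record=ord-1002
2024-03-04T09:16:03 user=bob action=view_full_pan outcome=ok record=ord-1003
2024-03-04T10:00:01 user=dave action=login outcome=fail record=-
2024-03-04T10:00:09 user=dave action=login outcome=fail record=-
2024-03-04T10:00:17 user=dave action=login outcome=fail record=-
2024-03-04T10:00:25 user=dave action=login outcome=fail record=-
2024-03-04T10:00:33 user=dave action=login outcome=fail record=-
2024-03-04T10:00:50 user=dave action=login outcome=ok record=-
2024-03-04T10:01:05 user=dave action=export_pan outcome=ok record=batch-7
"""


def parse_log(text: str) -> list:
    """Parse audit lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, outcome, record = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "outcome": outcome, "record": record})
    return sorted(events, key=lambda e: e["time"])


def review(events: list, entitlements: dict = ENTITLEMENTS) -> list:
    """Return (severity, user, reason) alerts for accesses that need attention."""
    alerts = []
    failures = {}                                   # user -> times of failed logins
    for ev in events:
        user, ent = ev["user"], entitlements.get(ev["user"])
        if ev["action"] == "login":
            if ev["outcome"] == "fail":
                failures.setdefault(user, []).append(ev["time"])
            else:
                recent = [t for t in failures.get(user, [])
                          if ev["time"] - t <= FAILED_LOGIN_WINDOW]
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(("high", user, f"successful login after {len(recent)} failures"))
            continue
        if ent is None:
            alerts.append(("high", user, "no entitlement record for this account"))
        elif not ent["active"]:
            alerts.append(("high", user, "inactive (departed) account still accessing records"))
        elif ev["action"] in PAN_ACTIONS and ent["card_access"] != "full":
            alerts.append(("high", user, f"{ev['action']} exceeds {ent['card_access']} entitlement"))
        if ev["action"] in PAN_ACTIONS and ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("medium", user, f"full-PAN access at {ev['time']:%H:%M} outside business hours"))
    return alerts


def review_sample() -> list:
    """Run the review over the constructed log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, user, reason in review_sample():
        print(f"[{severity}] {user}: {reason}")
```

Because the review joins the log to the entitlement table rather than to a static allow-list inside the monitoring tool, the quarterly permission review feeds the monitoring directly: the moment a user is marked inactive or moved to a last-four-only role, any further use of the old access shows up as an alert instead of disappearing into normal traffic.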

All security systems along with monitoring applications should be regularly evaluated, tested and patched. It’s common for security staff to review cybersecurity equipment annually. Ecommerce site owners can hire a security expert to review configurations on the server and test site code for any vulnerabilities.

The items above are the main compliance requirements an eCommerce site owner must meet to avoid costly fines for violating PCI standards. Small business websites are attractive targets for attackers because these sites often have poor security and weak compliance. eCommerce sites built on common templates are also at higher risk, because vulnerabilities in those templates are made public and scripts to exploit them can be downloaded. Although following these PCI standards will not make it impossible for an attacker to steal data, it greatly reduces the chance of a successful data breach.
