By Rawlson O’Neil King, theWHIR.com
This article appears in the August 2005 issue of Web Host Industry Review magazine.
August 2, 2005 — (WEB HOST INDUSTRY REVIEW) — In an effort to increase security, credit card companies have imposed a new set of rules to ease growing concerns surrounding identity theft and fraud. June 30 marked the deadline for businesses that process credit cards online to comply with the security requirements set forth by the payment card industry data security standard.
Under PCI regulations, all merchants that accept credit cards are required to comply with requirements that call for encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging. The standard is intended to reduce fraud and identify security issues that could lead to the compromise of cardholder information. PCI is the amalgamation of two separate sets of security requirements: Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection program.
In order to comply with the new requirements, an organization must build and maintain a secure network, make a concentrated effort to protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain a detailed information security policy.
The PCI standard lays out strong rules that apply to any network component, server or application included in, or connected to, the cardholder data environment. As a consequence, hosting providers and online merchants are severely affected by the new regulations.
Firewalls, switches, routers and other network appliances and security devices need to comply with the standard. So do Web, database, authentication, DNS, mail, proxy and NTP servers. All purchased and custom Web applications, both internal and external, must also comply.
Mainly, service providers have to ensure that their applications do not hinder merchants’ abilities to implement them into the secure network environment. Applications should not interfere with the use of network address translation, port address translation, traffic filtering network devices, anti-virus protection or encryption.
Providers and merchants also need to follow specific information management protocols. For example, merchants are not allowed to retain full magnetic stripe or “CVV2” security data. PIN blocks also must never be retained, even if encrypted, after verification of a transaction. This includes no storage in databases, flat files or logs.
All applications under the specification need to be designed to protect stored data. They should purge cardholder data temporarily stored during processing. Stored cardholder data, specifically account numbers, should be encrypted with strong encryption such as Triple-DES or AES. This applies anywhere cardholder data is stored, even outside the payment application. The standard also specifies strict controls on passwords. Applications should require a username and complex password for all administrative access and for access to cardholder data. Servers with payment applications must also require a username and complex password for access. All application passwords must be encrypted, as must credit card transmissions. According to the standard, merchants must use encryption techniques such as Secure Sockets Layer when transmitting sensitive data over the Internet. Though this is a normal and accepted practice, the regulation includes a new twist: under the new rules, cardholder data must never be stored on a server directly connected to the Internet. Applications that process transactions may not require the database to reside on the same machine as the Web server, or in a “demilitarized zone” with it.
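As an added illustration of the retention and logging rules above (not code from the article or from any payment vendor), the following Python routine drops the fields that must never be kept after a transaction is verified and masks Luhn-valid card numbers in anything headed for a log or flat file. The field names and sample record are constructed for the example; encrypting the retained account number with AES, which the standard also requires, is left to a proper cryptographic library.

```python
import re

# Constructed field names for this example; real payment applications use their own.
# The standard forbids retaining full track data, CVV2 and PIN blocks once the
# transaction is verified, in databases, flat files or logs alike.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "pin_block"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. Luhn validation below weeds out order numbers and timestamps.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text with a masked form that
    keeps only the last four digits, so the text is safe to write to a log."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave the text untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


def log_safe(record: dict) -> dict:
    """Return a copy of an authorization record that may be written to a log or
    flat file after verification: sensitive authentication data is dropped and
    every card number in the remaining string fields is masked. The full PAN,
    where it must be kept at all, belongs in the encrypted store, not here."""
    safe = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    for key, value in safe.items():
        if isinstance(value, str):
            safe[key] = mask_pans(value)
    return safe
```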
Providers also need to be proactive and continually test applications for vulnerabilities. Software vendors should have processes in place to identify security exploits, to test their applications for vulnerabilities and to develop timely security patches and upgrades. Similarly, merchants and service providers must run network-scanning tools on a regular basis.
Finally, in order for a merchant to stay in good standing, it is required to complete an annual self-assessment to measure its compliance with the PCI data security standard and to undergo a quarterly system perimeter scan by a certified vendor. Service providers and merchants that wish to process credit card payments face penalties if they fail to comply. Larger organizations may suffer hefty fines. If a merchant is compromised, it may also be subject to liabilities such as the costs of card re-issuance and the cost of the fraud itself. Ultimately, it is in the best interest of merchants and providers to ensure that they apply all PCI rules.