PCI DSS Compliance

Web applications have become a "soft spot" for cybercriminals intent on stealing credit card information. To combat the proliferation of online fraud, the Payment Card Industry (PCI) Security Standards Council (SSC) was formed to make sure that merchants who accept credit cards meet minimum security levels in how they accept, process, and transmit credit card information. These minimum standards came to be known as the PCI Data Security Standards (DSS).

In e-commerce, merchants rely on web applications to handle credit cards. Protecting these web applications to meet PCI DSS requirements may present technical and business challenges, depending on the existing network architecture and the chosen solution. In many cases, the path to PCI compliance can entail expensive consulting engagements and massive infrastructure overhauls.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was developed by payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. It defines a set of 12 requirements for enhancing payment account data security, including the policies, tools, and controls needed to protect cardholder data.

Compliance with the PCI DSS is not optional, nor are small companies exempt. Any company that processes or stores credit card data is required to comply with these requirements. Even a small business that processes only one credit card sale a year must implement the set of security mandates in order to ensure the safety of cardholder information such as account data, credit card numbers, customer names, and contact information, protecting the cardholder from exposure to unauthorized users.

Why is PCI Compliance Important?

The infamous TJX security breach disclosed in 2007 is a good example of what can happen to companies that do not have the proper security measures in place. This breach resulted in 94 million accounts being compromised with losses exceeding $70 million due to fraud.

According to court documents, the consultant retained by TJX to investigate the breach found that the company had failed to comply with nine of the twelve security measures mandated by the Payment Card Industry (PCI) Data Security Standard (DSS).

"There were ... many deficiencies and PCI DSS violations which the attacker was able to exploit in order to compromise data from the TJX network," the unnamed consultant stated. (source: Security Focus)

The monetary loss due to fraud was not the only cost of this security breach. A lawsuit was filed against TJX by over 300 banks, and trust in the brand took a substantial downturn among customers.

PCI DSS Levels

PCI DSS affects merchants that handle credit card information from cards issued by any of the founder brands. It is most relevant to online merchants that process and store payment account data online.

For the majority of organizations, the standards set forth by Visa's CISP and MasterCard's SDP programs cover the qualifications for assigning both a merchant level and compliance level, along with incorporating PCI DSS.

The merchant level is based on transaction volume for the organization. The validation compliance level is based on the merchant level. It includes the validation actions and who needs to carry out these actions in order to be PCI DSS compliant.

  1. Level One: Visa U.S.A. and MasterCard Worldwide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach. Level One merchants are required to have an annual on-site compliance assessment performed by a third-party Qualified Security Assessor (QSA). In addition, they are required to have external network security scans performed quarterly by a certified third-party Approved Security Vendor (ASV).
  2. Level Two: Visa and MasterCard transactions totaling 1 million to 6 million per year. Level Two merchants are required to complete the PCI DSS Self Assessment Questionnaire annually and carry out a quarterly network security scan with an ASV.
  3. Level Three: Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year. Level Three merchants are required to complete the PCI DSS Self Assessment Questionnaire annually, and carry out a quarterly network security scan with an ASV.
  4. Level Four: Visa and MasterCard e-commerce transactions totaling up to 20,000 per year. Level Four merchants are required to complete the PCI DSS Self Assessment Questionnaire annually, and carry out a quarterly network security scan with an ASV.

Web Application Compliance

Since web applications account for such a high percentage of vulnerabilities, the PCI DSS specifically addresses them in Requirement 6.6. This states that organizations are to ensure the highest level of application security.

“Forensic analyses of cardholder data compromises have shown that web applications are frequently the initial point of attack upon cardholder data, through SQL injection in particular.

The intent of Requirement 6.6 is to ensure web applications exposed to the public Internet are protected against the most common types of malicious input.”

There are two methods that a company can take in order to be in compliance with PCI DSS 6.6: yearly code reviews or a web application firewall.

Code Review

The first alternative may provide a high level of security, but can end up being an extremely costly solution. Organizations typically use several applications and add new ones all the time. The total cost of code reviews is comprised of the review itself, and the effort needed to fix the vulnerabilities it identifies. The IT team will need to prepare the code for review, and be available for queries and support to the reviewers. After the consultants submit a vulnerabilities report, your organization will need to schedule fix and test cycles to make sure the changes work as expected.

This “find, fix, and test” cycle does not always find all of the vulnerabilities in an application, resulting in more cycles. What’s more, Quality Assurance will need to verify that security fixes do not interfere with business processes. Therefore, any organization choosing this alternative should allocate the following resources yearly:

More importantly, a code review finds vulnerabilities that are known to the reviewer at the time of the review. Zero-day vulnerabilities that have yet to be discovered are likely to be missed unless the code reviewer is highly proactive and goes well beyond their required duties.

Thus, the second alternative — deploying a web application firewall — becomes a more attractive solution as it provides a one-time compliance solution.

The Web Application Firewall Solution

Web application firewalls focus on protecting against, rather than identifying, vulnerabilities. They perform a deep packet inspection of incoming traffic to detect threats, thereby creating a security layer in front of the application itself.
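The following is an added illustration of the approach just described, not dotDefender's engine or any vendor's rule set: a small WSGI wrapper that inspects every inbound request before the application sees it, blocks on a handful of signature rules, and records an audit event for each block. The rule names, the patterns, the stand-in shop application and the sample requests are all constructed for this example. The rule set is deliberately tiny; the last sample shows that a crude comment rule also blocks a benign value, which is why signature-based inspection has to be tuned for the application it protects.

```python
"""Minimal request-inspection layer illustrating the WAF approach above.

Added example, not dotDefender code or any vendor's rule set. Rule names,
patterns, the sample shop app and the request samples are all constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus

# Signature rules: (name, pattern). Deliberately small; real rule sets are
# far broader and are tuned per application to limit false positives.
RULES = [
    ("sqli_tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("sqli_union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sqli_comment", re.compile(r"(--|/\*)")),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
]


@dataclass
class Verdict:
    allowed: bool
    rule: Optional[str] = None   # which rule fired, if any
    field: Optional[str] = None  # which parameter it fired on


def normalise(value: str) -> str:
    """Undo repeated URL encoding (parse_qs has already decoded once).

    Double encoding is a common way to slip past naive filters, so decode
    until the value stops changing, bounded to avoid pathological input.
    """
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(query: str) -> Verdict:
    """Check every parameter value in a query string; the first match blocks."""
    params = parse_qs(query, keep_blank_values=True)
    for field, values in params.items():
        for raw in values:
            value = normalise(raw)
            for name, pattern in RULES:
                if pattern.search(value):
                    return Verdict(False, name, field)
    return Verdict(True)


class WafMiddleware:
    """WSGI wrapper: the application only sees requests that pass inspection."""

    def __init__(self, app):
        self.app = app
        self.events: List[str] = []  # audit trail of blocked requests

    def __call__(self, environ, start_response):
        verdict = inspect(environ.get("QUERY_STRING", ""))
        if not verdict.allowed:
            self.events.append(
                f"blocked {environ.get('PATH_INFO')} field={verdict.field} rule={verdict.rule}"
            )
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Request blocked by application firewall\n"]
        return self.app(environ, start_response)


def shop_app(environ, start_response):
    """Stand-in for the protected e-commerce application (constructed)."""
    item = parse_qs(environ.get("QUERY_STRING", "")).get("item", ["none"])[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"showing item {item}\n".encode()]


def simulate(app, path: str, query: str) -> Tuple[str, str]:
    """Drive a WSGI app directly with a constructed GET request; no server needed."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    protected = WafMiddleware(shop_app)
    # Constructed sample requests: one benign, one SQL-injection style, one
    # double-encoded script tag, and one benign value that trips a crude rule.
    for q in ("item=42", "item=42%27+OR+%271%27%3D%271",
              "q=%253Cscript%253E", "note=price--list"):
        print(q, "->", simulate(protected, "/item", q)[0])
    for event in protected.events:
        print(event)
```

Because the wrapper sits between the server and the application, the application code does not change at all, which is the property the text is describing: protection is added as a layer in front of the application rather than by finding and fixing each vulnerability inside it. The audit events are what an operations team would forward to its logging pipeline for Requirement 10-style monitoring.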

This approach offers the following advantages:

How does dotDefender support your business to meet PCI DSS?

dotDefender enables companies to address challenging PCI requirements in a straightforward and cost-effective manner by utilizing a Security as a Service solution. dotDefender not only meets the application layer firewall requirement of PCI DSS 6.6, but also offers comprehensive protection against SQL injection, cross-site scripting and scores of other application-level attacks right out of the box.

dotDefender creates a security layer in front of the application to detect and protect against application-level attacks in incoming web traffic that could be used to compromise the server and steal credit card and other corporate data.

