What to do with PCI compliance

Well I haven’t really looked into what PCI compliance is and how it affects me, but I did a scan using Comodo and I passed. I am pretty sure that is a good thing.

Now that I know that I am PCI compliant, what do I do with this information?

I use authorize.net to process my credit cards.

Any advice would be great.

Thanks,

Brandon

Hi,

I had a scan on both the IP of my cart (not cs-cart) and the IP address of my Verizon home router. The scan is a minor part of PCI compliance. The questionnaire has to be filled out and you have to verify you comply with every sub section. There are 12 sections and each one with many sub sections or requirements.

I process manually and use QuickBooks. The application is PCI compliant, but there are pages of requirements that have to be done to actually be compliant.

Since I take credit cards by phone and use QuickBooks, I have many requirements for my home network. Been spending days on this. There are requirements that logs be looked at on a daily basis. I am not even sure which logs. So far I just look at the Router security logs, Norton 360 security logs and QuickBooks audit logs.

From what I understand, the only things that the scans do is to fulfill one of many requirements. The scan helps to verify that all the other requirements have been performed. I really don’t see how people working from home and processing credit cards can handle all the requirements.

I don’t even know who to give my PCI certificate of compliance to either. Maybe Intuit merchant services since I don’t use a gateway. No one has asked for documentation yet.

Bob

[quote name=‘brandonvd’]Well I haven’t really looked into what PCI compliance is and how it affects me, but I did a scan using Comodo and I passed. I am pretty sure that is a good thing.

Now that I know that I am PCI compliant, what do I do with this information?

I use authorize.net to process my credit cards.

Any advice would be great.

Thanks,

Brandon[/quote]



Brandon,

We also use authorize.net - Since it’s owned by VISA I believe this saves a lot of work on your/our behalf.

I’ve just started implementing PCI-DSS Validation.

The PCI has two major elements, physical security and virtual security.

25% - Our first PCI scan against our server returned a compliant result (hackerguardian.com). This contains approximately 25% of the compliance requirement.

50% - The physical data-integrity requirements: Locks on doors, locks on filing cabinets, authorization, passwords, SSL, data security, need-to-know basis.

The last 25% is focused on procedures - system patches, security scanning (ie services), anti-virus, firewall, login sessions, in-house proxy server, one-use-per-machine (servers), what happens in the event of a breach, who is notified.

Those who are interested in hosting that can provide assistance with PCI-DSS compliance can sign up through www.securecarthost.com - It’s not a requirement however I do know that we’ve had at least 7 scans through multiple hosting accounts come back as approved.

Those who want to be PCI-DSS validated should contact their ‘acquiring bank’ for more information - The standard is widespread however fees for non-compliance vary accordingly. Speak to your bank manager for more information.

Last Line

We currently turn off enough to make this implementation a little troublesome due to the system setup so implementation for an organization of approximately 20 employees could take roughly 1 month to implement.

Jesse,

Unfortunately I just don’t get this whole PCI thing. Personally I feel it is a big giant crock of crap, but I guess it is just my opinion. Of course my opinion doesn’t really matter to VISA, but still.

So this is what authorize.net says:

The way I interpret this is that I don’t need to do squat. I know it says that I need to be PCI compliant, but I don’t need to validate it, so I don’t know how they would even know if I was compliant or not. It also says that they “recommend” an annual assessment. I do know that recommend is not the same as require, so once again I don’t think I really have to do anything.

It wouldn’t hurt my feelings though just to be PCI compliant.

The things you said are the PCI scan through hackerguardian.com, I did this and I passed, so I guess that is one step?

The other steps sound like the self assessment part. Where on authorize.net or hackerguardian.com do I get the self assessment thing? Once I get it who do I turn it in to?

It sounds like we both use Comodo and authorize.net and if you have already gone through the steps I’m hoping you might be able to point me in the right direction.

I’d sure appreciate the help.

Thank you,

Brandon

P.S. I thought about contacting you privately, but I’m hoping that if you post the steps on here it will help out other people besides just me.

Turn on “request logging” in your store (which is on by default) and go look at your Anet logs… You’ll see full CC numbers, CVV codes, etc. in full view and kept unencrypted in the DB…

Just because a scan doesn’t know the quirks of a system does not mean that you are compliant with the requirements as written.

I believe there is something in there about not storing CC info in a DB unencrypted. Just have to know where to look! :slight_smile:

Reported this issue months ago and like most, it just ended up in a black hole.

I’ve never looked at the logs before, but I see what you mean. All the credit card info is there.

I’d assume that since I can just read the numbers that it isn’t encrypted. I’d also take it that this is bad, right?

If this is part of the PCI compliance thing, you’d think CS-Cart would do something about it.

Brandon

Maybe this should be put in as a bug. I don’t think it would be intentional to be able to read credit card numbers after an order has been processed and you have “remove CC” checked in statuses. Logs should only show ******* for the numbers.

Bob
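A defender-side illustration of the point in the two posts above, added here as an example and not code from CS-Cart or Authorize.net: audit a gateway request log line for Luhn-valid card numbers, then produce the copy that should have been logged, with the PAN masked to its last four digits and the card code dropped entirely (the page notes CVV may never be stored, while the PAN may be stored only with protection). The parameter names x_card_num, x_card_code and x_exp_date are assumed Authorize.net AIM-style names, and the sample line is constructed around a well-known test card number.

```python
import re

# Constructed sample of an AIM-style request as a store might log it.
# 4111111111111111 is a standard test number, not a real account.
SAMPLE_LOG = (
    "x_login=apiuser&x_card_num=4111111111111111&x_exp_date=1225"
    "&x_card_code=123&x_amount=19.99&x_first_name=Jane"
)

# 13-19 digit runs, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data: must never be written anywhere (assumed field name).
FORBIDDEN_FIELDS = ("x_card_code",)


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from order ids of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Detection: Luhn-valid card numbers present in an existing log line."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def _mask(match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a PAN (e.g. an order id); leave as-is
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_request(query: str) -> str:
    """Mitigation: what a request logger should write instead of the raw query."""
    kept = [p for p in query.split("&") if p.partition("=")[0] not in FORBIDDEN_FIELDS]
    return PAN_RE.sub(_mask, "&".join(kept))
```

Running find_pans over archived request logs is a quick way to confirm whether the problem described above exists on your own installation before filing it.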

There are 12 mandated security requirements to PCI-DSS.

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks (i.e. SSL)
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security.

[URL]https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html[/URL]

This type of CC data CAN BE STORED on your PCI-DSS compliant server (all methods require security protection):

a. Account Number
b. Cardholder Name
c. Expiration Date
d. Service Code

The following CC data [COLOR=Red]CAN NOT BE STORED FOR ANY REASON[/COLOR] to be PCI-DSS compliant:

a. Magnetic Stripe
b. CVV, CCV, CVVC, CVC, CSC, CVD (This is the 3 digit code or 4 digit verification code on the CC itself)
c. PIN Data (Debit Card PIN or CC Cash Advance PIN)

What can happen to you if you are not in compliance?

1. Fines up to $500,000 per incident
2. Remediation costs estimated at $90 to $302 per record
3. Potential customer lawsuits
4. Company reputation and brand damage

[B]Should you be afraid?[/B]

In my opinion not at all. You just need to be aware and follow the PCI-DSS protocol.

[B]Merchant Levels:[/B]

[B]Level 1[/B] = (This is the highest level and requires the most scrutiny. Unless you are a Wal-Mart you don’t have to fear) Def: More than 6 million transactions annually across all channels, including e-commerce. Req: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans

[B]Level 2[/B] = Def: 1,000,000 – 5,999,999 transactions annually (You will definitely need to have a dedicated server and some beefy security but I assume you can afford to hire a specialist to handle this all for you by then; if not you should probably not be doing this) Req: Annual Self-Assessment and Quarterly Network Scans

[B]Level 3[/B] = Def: 20,000 – 1,000,000 e-commerce transactions annually. Req: Annual Self-Assessment and quarterly Network Scans. (Some of you may fall into this category. If you do you should be on a VPS or Dedicated Server with a company that guarantees PCI-DSS compliance or run and maintain your own servers) NOTE: You will also see that Level 3 is specific about e-commerce as most fraud with CC is online so this focuses in on the bulk of the fraud they deal with.

[B]Level 4[/B] = Def: Less than 20,000 e-commerce transactions annually, and all merchants across channels up to 1,000,000 VISA transactions annually. Req: Annual Self-Assessment and Annual Network Scans. (Most mom & pop e-commerce sites will fall into this category; however it was meant to also encompass brick and mortar stores who are getting into the e-commerce game. Many of these already perform a lot of transactions but up until now they have all been in their stores. This makes PCI-DSS simpler to start even if you are a big merchant)

[B]What is a SAQ (Self-Assessment Questionnaire)?[/B]

INFO: When PCI-DSS was new there used to be just one questionnaire that everyone had to fill out. That was chaos and since 2008 they have created 4 different questionnaires based on the different types and sizes of merchants. Here they are:

[B]SAQ A[/B]: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data. (This would be the PayPal, Gateways, or similar users out there who do not store any CC data in their store databases or on file in their office)

[B]SAQ B[/B]: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only. (If you have seen the old machines that imprinted the CC data onto the hand forms you know what they are talking about). This type of questionnaire was not designed for e-commerce.

[B]SAQ C[/B]: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the internet. (Terminals via the Internet and not a phone line, built-in card swipes via QuickBooks; you get the idea: all data transmitted over the internet and not by mail or telephone line.)

[B]SAQ D[/B]: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C. (This is tricky, so if you are an e-commerce merchant who uses a payment gateway but you still store the CC data on your server for customer convenience, or you have a mixed environment. Best way to think of this is if you do not fit A, B or C definitions then you are a D)

Instructions for SAQ V1.1 and V1.2 here: [URL]https://www.pcisecuritystandards.org/saq/instructions.shtml[/URL]

[B]Network Vulnerability Scans:[/B]

The PCI Standard requires merchants to scan all outward facing IP addresses. These IP addresses are not protected by a firewall and can be hacked through an open port. The SAQ identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside.

See Demo Video from an ASV: [URL]http://www.qualys.com/products/demos/pci/demo.html[/URL]
(note: I am not affiliated nor have I ever used Qualys before but it's a good demo)

[B]How to get started:[/B]

1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area. (Mom & Pops: this will be yet another hat for you to wear by yourself unless you hire someone)
2. Determine your merchant level (1-4)
3. Determine which SAQ your organization will need to complete
4. Evaluate whether your organization will try to achieve compliance internally or engage with a QSA (Qualified Security Assessor)
5. Engage with an ASV (Approved Scanning Vendor) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced
7. Immediately address any significant deficiencies discovered during the assessment or scan
8. Retain records of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.

[B]What should you do if you are breached? – (Immediate Action Required)[/B]

1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise
2. Alert all necessary parties. Be sure to notify:

a. Your Merchant Account Provider (i.e. PayPal)
b. Visa Fraud Control Group @ 1-(650)-432-2978
c. Local FBI Office
d. U.S. Secret Service (if Visa payment data is compromised)

3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report. (Here is a step by step from Visa: [URL]http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html[/URL] )

I realize that for many out there this is overwhelming, but if you just take the time to understand the basics and know what questions to ask you can master this and put it behind you.

[B]If you are using a HOSTED server be certain to ask your provider a few questions:[/B]

1. Are they PCI-DSS compliant?
2. If so, what LEVELS of compliance are they?
3. Also, if so, do they have specific instructions on how to make sure your site is PCI-DSS compliant on their servers?

CS-Cart is PCI-DSS compliant but, as with any software, it’s going to have to be tested on your installation. You will have to pass a PCI-DSS scan and if you do not you will have to fix the issue and get scanned again. Once you pass you just have to pass the scans when they are required for your type of business.

[B]Here are a few links that may assist you in your research.[/B]

[B]PCI Quick Reference Guide:[/B] [URL]https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf[/URL]
[B]Docs for PCI DSS V1.2:[/B]
[B]PCI Security Standards Council Site: [/B][URL]https://www.pcisecuritystandards.org/index.shtml[/URL]
[B]PCI Compliance for DUMMIES (FREE DOWNLOAD):[/B] [URL]http://www.qualys.com/forms/ebook/pcifordummies/[/URL]
[B]ASV (Approved Scanning Vendor) that provides the free eBook:[/B] [URL]http://www.qualys.com/products/qg_suite/pci/[/URL]

You can use any ASV you wish I only noted the above because they have the FREE book.

Good luck on your TREK!