Secure e-commerce and PCI Certification for web stores
In late 2009, I forecast that security breaches in 2010 and 2011 would increase significantly in spite of more advanced security technology. The recent spate of attacks underscores the importance of security for e-commerce merchants and retailers that have online stores. The latest organization to fall victim is the IMF, where intruders obtained sensitive material, including e-mail and other documents, during the intrusion. Other high-profile organizations breached in recent weeks include the security vendor RSA, the defense contractor Lockheed Martin, Citi, where the personal details of about 210,000 Citigroup cardholders were stolen after a breach via Citi's web portal, Sony, and Epsilon, the world's largest permission-based e-mail marketer. Certainly all of these large organizations had well-defined security policies and several safeguards in place, and yet they fell to attackers. How, then, do smaller companies that run e-commerce stores with smaller IT budgets and fewer people manage the security of the store?
A good first step is to ensure that your e-commerce vendor's software is PCI certified, that is, validated against the PA-DSS standard. For many people the definitions of PCI DSS, PA-DSS and PABP are confusing. The excerpt below from the Ignify eCommerce PCI Implementation Guide should help explain the difference between the three.
What is PABP? – Payment Application Best Practices (PABP) was developed by Visa to provide software vendors guidance in developing payment applications that help merchants mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with PCI Data Security Standard. In October 2008, the PCI Security Standards Council adopted Visa’s PABP and released the standard as the Payment Application Data Security Standard (PA-DSS).
What is PA-DSS? – The Payment Application Data Security Standard (PA-DSS) is derived from PCI DSS. PCI DSS itself applies to the merchants and service providers that store, process or transmit cardholder data, not to the software vendors whose products they run, since most software vendors never touch the data themselves. PA-DSS fills that gap: it applies to software vendors and integrators who develop payment applications that store, process or transmit cardholder data as part of authorization or settlement and sell, distribute or license them to third parties. Two caveats follow from that scope. An application your own team developed in-house and does not sell is not subject to PA-DSS; it is assessed as part of your own PCI DSS assessment instead. And running a PA-DSS validated application does not by itself make a merchant PCI DSS compliant: the merchant still has to deploy it as the vendor's implementation guide prescribes and meet the rest of PCI DSS.
Many organizations make the mistake of assuming that "PCI certified" and "PCI compliant" software mean the same thing. There is a very significant difference between the two! Any vendor can assert that its software is PCI compliant on the strength of its own self-assessment. PCI certification (the PCI Security Standards Council's own term is a "validated" payment application) means the application was audited against PA-DSS by a Payment Application Qualified Security Assessor (PA-QSA) accredited by the Council, the assessor's report was accepted by the Council, and the application appears on the Council's published list of validated applications. Additionally, PCI certified vendors have to publish a PA-DSS Implementation Guide describing how to deploy the product in a way that is PCI DSS compliant, and they have to assess the security impact of every release and re-validate when a change affects it. A quick check: ask the vendor for its listing on the Council's website and for the implementation guide; if it cannot produce both, the product is not certified, whatever the brochure says. The combination of these things makes for a very significant difference, and you can raise your level of security by choosing the right platform.
PA-DSS certification by the PCI Standards Council for Ignify has been a four-year journey. We started our preparation and self-assessments in 2007, contracted with our QSA in 2008 and completed our security audit and PCI certification in 2009. In 2010 we went through the PCI update for the version released then, Version 4.11. In 2011 we are going through the PCI update for Version 5.0, which we are just in the process of finalizing. For us, the difference between PCI compliance and PCI certification was two years: in 2007 we were PCI compliant, but it took until 2009 to become PCI certified, and there was a lot of learning and many improvements to the software that we bundled in during those two years.
If you wish to find PCI certified vendors, visit the PCI Security Standards Council website, which maintains the List of Validated Payment Applications. Check that the listing shows the exact product name and version you are being sold, since validation is granted per version.
Here are some basics that are important for PCI Certification
Separation of database servers and web servers: This is very basic and something almost everyone knows. You need separate servers: the web server sits in the DMZ, and the database server sits on an internal network segment behind the firewall with no route to it from the Internet (PCI DSS requirement 1.3, which places components that store cardholder data in an internal zone segregated from the DMZ). The firewall should permit only the database port, only from the web server's address, and nothing else from the DMZ into the internal network. It's the obvious flossing rule of security, but just like flossing we find many sites where it is not done, so if you're not doing it, start with this one.
Encryption and key management: The card number (PAN) must be rendered unreadable wherever it is stored (PCI DSS requirement 3.4), and the keys that protect it must be managed properly (PA-DSS requirements 2.5 and 2.6, PCI DSS requirements 3.5 and 3.6). Sensitive authentication data, meaning the CVV2/CVC2 code, full magnetic-stripe data and PINs, may never be stored after authorization, encrypted or not (PCI DSS 3.2). Other cardholder data such as the customer name and expiry date should be protected as well. Beyond storage you need encryption for transmission over public networks (PCI DSS 4.1), and you need to protect the hop between the web server and the database server so that the database credentials and the data on that connection are not exposed in the clear. So there are at least three points where you want to ensure you have encryption.
For transmission, you would typically use an HTTPS (SSL/TLS) certificate. Be precise about what the certificate authority does and does not manage: you generate the key pair yourself, the private key stays on the web server (and must be protected like any other key), and the certificate the CA signs carries the public key and is what browsers see. The symmetric keys that actually encrypt each session are negotiated per connection by the TLS handshake, not issued by the certificate provider. For storage encryption (database encryption) you would use your e-commerce system's native encryption mechanism or, if it doesn't provide one, a third-party solution. Ignify eCommerce uses AES-128 for database encryption. In addition, you need a key management process so you can replace your encryption keys on a regular basis: PCI DSS 3.6 calls for replacement at the end of a defined cryptoperiod, and at least once a year, ideally every quarter, is a sound choice. Replacing a key means re-encrypting the stored data under the new key and destroying the old one, or securely archiving the old key for decryption only (PCI DSS 3.6.5). The application needs the data-encrypting key at runtime, so it cannot live only on paper. The standard arrangement is to store it encrypted under a key-encrypting key that is held separately from both the database and the web tier, or in an HSM; it should never sit in plaintext in a configuration file on the server that hosts the data it protects, where anyone who compromises that server gets both. What does belong on paper in a safe are the manual components of the master key, split between a limited set of custodians so that no one person holds a complete key (split knowledge and dual control, PCI DSS 3.6.6).
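Here is an added example, not Ignify's code or its database encryption implementation, of how the storage side of this works in practice: an AES-128-GCM keyring in Go in which every stored value is tagged with the version of the key that sealed it, so that the scheduled rotation described above becomes a re-encrypt-and-retire job rather than an outage. The token format, the Keyring type and its method names are this example's own inventions, and for brevity the keys live in process memory, which is exactly what the paragraph above warns against for production.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Keyring holds AES-128 data-encrypting keys by version. Each stored value
// names the version it was sealed under, so rotation never makes old rows
// unreadable: the old key stays until every row is re-encrypted (Rekey) and
// is then destroyed (Retire). Production keys belong under a KEK or in an HSM.
type Keyring struct {
	current int
	keys    map[int][]byte
}

// Rotate draws a new 128-bit key from the OS CSPRNG and makes it current.
func (k *Keyring) Rotate() (int, error) {
	key := make([]byte, 16) // 16 bytes = AES-128
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	if k.keys == nil {
		k.keys = map[int][]byte{}
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire destroys a key once no stored value depends on it any more.
func (k *Keyring) Retire(version int) { delete(k.keys, version) }

// Encrypt seals plaintext under the current key with AES-GCM, which also
// authenticates the ciphertext, so an edited row fails to decrypt.
// Output: "v<version>:" + base64(nonce || ciphertext || tag).
func (k *Keyring) Encrypt(plaintext string) (string, error) {
	aead, err := gcmFor(k.keys[k.current])
	if err != nil {
		return "", err
	}
	// Random 96-bit nonces are safe only well below 2^32 seals per key: rotate.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce prepended
	return fmt.Sprintf("v%d:%s", k.current, base64.StdEncoding.EncodeToString(sealed)), nil
}

// Decrypt opens a stored value with the key version it names.
func (k *Keyring) Decrypt(token string) (string, error) {
	var version int
	parts := strings.SplitN(token, ":", 2)
	if _, err := fmt.Sscanf(parts[0], "v%d", &version); err != nil || len(parts) != 2 {
		return "", errors.New("malformed token: missing version prefix")
	}
	key, ok := k.keys[version]
	if !ok {
		return "", fmt.Errorf("key version %d is retired or unknown", version)
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	aead, err := gcmFor(key)
	if err != nil || len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("unusable key or ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered ciphertext")
	}
	return string(plain), nil
}

// Rekey re-encrypts one stored value under the current key: after Rotate, run
// it over every row, then Retire the old version.
func (k *Keyring) Rekey(token string) (string, error) {
	plain, err := k.Decrypt(token)
	if err != nil {
		return "", err
	}
	return k.Encrypt(plain)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The rotation procedure is: `Rotate`, then `Rekey` every stored token (they come back tagged with the new version), then `Retire` the old version. Because GCM authenticates the ciphertext, a row edited in the database or decrypted with the wrong version fails closed instead of yielding garbage that looks like a card number.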
User login and session timeouts: To comply with PCI DSS requirement 8.5.15, a user must be required to re-authenticate after the session has been idle for more than 15 minutes. Both the Ignify eCommerce Store Front and the Manager Panel application have a configurable session timeout: the setting forces the user to log in again with his credentials if the user's system is idle for the specified duration. With an out-of-the-box installation of Ignify eCommerce this setting defaults to 15 minutes, which is compliant. Two things to check if you change it: the timeout has to be enforced on the server, since a client-side redirect to the login page alone does nothing against an attacker who holds the session cookie, and any background "keep-alive" script that pings the server must not count as user activity, or the idle timer will never fire.
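As an added illustration, not Ignify's session code, here is a small server-side session store in Go that enforces the 15-minute idle rule together with an absolute lifetime (the 8-hour cap is an assumption of this example, not a PCI DSS figure). The Store and Session types and their method names are made up for the example; the clock is injected so the expiry logic can be exercised without waiting.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// IdleTimeout is the PCI DSS 8.5.15 bound: re-authenticate after 15 idle minutes.
const IdleTimeout = 15 * time.Minute

// MaxLifetime caps a session regardless of activity. The figure is this
// example's own assumption, not a PCI DSS number.
const MaxLifetime = 8 * time.Hour

var (
	ErrUnknownSession = errors.New("unknown session")
	ErrExpired        = errors.New("session expired: re-authentication required")
)

type Session struct {
	User         string
	CreatedAt    time.Time
	LastActivity time.Time
}

// Store decides expiry from the server clock, never from a timestamp the
// client sends back. The clock is injected so the behaviour can be tested.
type Store struct {
	mu       sync.Mutex
	now      func() time.Time
	sessions map[string]*Session
}

func NewStore(now func() time.Time) *Store {
	return &Store{now: now, sessions: map[string]*Session{}}
}

// Create registers a session after a successful login.
func (s *Store) Create(id, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t := s.now()
	s.sessions[id] = &Session{User: user, CreatedAt: t, LastActivity: t}
}

func expired(sess *Session, now time.Time) bool {
	return now.Sub(sess.LastActivity) > IdleTimeout || now.Sub(sess.CreatedAt) > MaxLifetime
}

// Touch is called for every user-initiated request. If the idle or absolute
// limit has passed it deletes the session and returns ErrExpired, forcing a
// fresh login; otherwise it records the activity. Background keep-alive or
// polling requests must not call Touch, or the idle timer never fires.
func (s *Store) Touch(id string) (*Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return nil, ErrUnknownSession
	}
	if expired(sess, s.now()) {
		delete(s.sessions, id)
		return nil, ErrExpired
	}
	sess.LastActivity = s.now()
	return sess, nil
}

// Sweep removes sessions that timed out without a further request (the user
// who simply walked away), so an abandoned session cannot be resumed later.
func (s *Store) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for id, sess := range s.sessions {
		if expired(sess, s.now()) {
			delete(s.sessions, id)
			n++
		}
	}
	return n
}

func main() {
	clock := time.Date(2011, 6, 15, 9, 0, 0, 0, time.UTC) // constructed clock
	store := NewStore(func() time.Time { return clock })
	store.Create("sid-1", "csr.alice")
	clock = clock.Add(14 * time.Minute)
	_, err := store.Touch("sid-1")
	fmt.Println("idle 14 min:", err) // <nil>: still logged in
	clock = clock.Add(16 * time.Minute)
	_, err = store.Touch("sid-1")
	fmt.Println("idle 16 min:", err) // session expired
}
```

Run `Sweep` from a timer so that sessions nobody comes back to are removed as well; otherwise a session that went idle at 9:00 and is first touched again at 9:40 is only discovered then, and the record sits in the store in the meantime.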
Disabling unnecessary services and daemons on the server: Only the services and daemons needed for a server's role (the web server software on the web tier, the database engine on the database tier) should be running. Everything else should be disabled to meet PCI DSS requirement 2.2, which asks for documented hardening standards, one primary function per server, and only the services, protocols and daemons that are necessary enabled. In practice that means, for example, no FTP, Telnet, file sharing or sample applications exposed on a web server in the DMZ, and no unused daemons started at boot on any server.
Audit trail and application log: PCI DSS (requirements 10.1 to 10.3) and PA-DSS (requirement 4) require that the application maintain an audit trail that links every action to an individual user and records at least the user, the type of event, the date and time, success or failure, the origin of the event, and the data or resource affected. This is needed in several places. For example, Ignify eCommerce maintains the following:
- A security audit trail: who logged in, when, for how long and what they did. Ignify eCommerce comes with the audit trail enabled by default.
- An application log listing any uncommon events in the application.
- An order log: a record of every change made to an order, including price updates, shipping method updates and address updates. If a customer service representative engages in fraud, the system has captured every action they took. The logs are only evidence if the people they record cannot alter them: PCI DSS 10.5 requires audit trails to be protected from modification, 10.6 requires that they be reviewed, and 10.7 requires retention for at least a year with three months immediately available.
Figure 1. Audit Trail on an Order in Ignify eCommerce showing every change made on the order by a sales person or a CSR
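To make the order log concrete, here is an added example in Go, not Ignify's implementation, of a tamper-evident audit trail of the kind the order screen in Figure 1 is drawn from: each entry carries who, when, which field and the before and after values, and is chained to its predecessor with an HMAC-SHA256, so that editing, deleting or reordering a record is detectable. The AuditEntry and OrderAuditLog types, the "unit_price" field name used by PriceCutsBy and the sample entries are all constructed for this example, and it assumes the MAC key is held by the logging component, out of reach of the accounts it records.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// AuditEntry records one change to an order: who, when, which field, the
// value before and after, plus a MAC chained to the previous entry.
type AuditEntry struct {
	Seq     int
	At      time.Time
	Actor   string // login of the salesperson or CSR who made the change
	OrderID string
	Field   string
	Old     string
	New     string
	Prev    string // Hash of the preceding entry, "" for the first
	Hash    string // HMAC-SHA256 over every field above
}

// OrderAuditLog is append-only. The MAC key belongs to the logging component
// and must not be readable by the application accounts whose actions it records.
type OrderAuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewOrderAuditLog(key []byte) *OrderAuditLog { return &OrderAuditLog{key: key} }

func (l *OrderAuditLog) mac(e AuditEntry) string {
	m := hmac.New(sha256.New, l.key)
	// %q quotes each string so a value containing "|" cannot shift field boundaries.
	fmt.Fprintf(m, "%d|%s|%q|%q|%q|%q|%q|%s", e.Seq, e.At.UTC().Format(time.RFC3339Nano),
		e.Actor, e.OrderID, e.Field, e.Old, e.New, e.Prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records a change and returns the entry written.
func (l *OrderAuditLog) Append(at time.Time, actor, orderID, field, oldVal, newVal string) AuditEntry {
	e := AuditEntry{Seq: len(l.Entries) + 1, At: at, Actor: actor, OrderID: orderID,
		Field: field, Old: oldVal, New: newVal}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	e.Hash = l.mac(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain. It returns -1 if every entry is intact, otherwise the
// index of the first entry whose contents, MAC or link to its predecessor no
// longer match, which is what an edited, deleted or reordered record produces.
func (l *OrderAuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i+1 || e.Prev != prev || !hmac.Equal([]byte(e.Hash), []byte(l.mac(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// PriceCutsBy counts how often an actor lowered the (assumed) "unit_price" field,
// the kind of query a supervisor runs to spot a CSR discounting orders for friends.
func PriceCutsBy(entries []AuditEntry, actor string) int {
	n := 0
	for _, e := range entries {
		if e.Actor != actor || e.Field != "unit_price" {
			continue
		}
		before, err1 := strconv.ParseFloat(e.Old, 64)
		after, err2 := strconv.ParseFloat(e.New, 64)
		if err1 == nil && err2 == nil && after < before {
			n++
		}
	}
	return n
}

func main() {
	al := NewOrderAuditLog([]byte("constructed-demo-key")) // real key: from the key store
	t0 := time.Date(2011, 6, 15, 10, 0, 0, 0, time.UTC)    // constructed timestamps
	al.Append(t0, "csr.bob", "SO-1001", "ship_method", "Ground", "Overnight")
	al.Append(t0.Add(time.Minute), "csr.bob", "SO-1001", "unit_price", "49.99", "9.99")
	fmt.Println("intact:", al.Verify() == -1, "price cuts by csr.bob:", PriceCutsBy(al.Entries, "csr.bob"))
	al.Entries[1].New = "49.99" // the row is edited directly in the database
	fmt.Println("first bad entry after tampering:", al.Verify())
}
```

The chain does not stop a database administrator from rewriting a row, but it makes the rewrite visible to the next `Verify`, which is what requirement 10.5 is after; writing the entries to a separate, write-once log server closes the remaining gap.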
Though this article covers the highlights, there are several other requirements for PCI compliance. If you are in the market for a PCI certified e-commerce solution, web store or order entry solution, please e-mail us at email@example.com so we can have a great discussion on security.
Pankaj Kumar is the Chief Technology Officer at Ignify. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with mid-market ERP systems including the Microsoft Dynamics ERP and Sage ERP. Ignify has been included as the fastest growing business in North America for four years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine. Ignify was ranked in the Red Herring Global 100 in 2011 – this list represents the top businesses world-wide with disruptive and innovative technology.