Payment Card Industry Data Security Standard (PCI) Compliance
If your business relies on payment by credit card, compliance with the PCI security standards will be required by September 2007. Non-compliance means you can lose your merchant account, and what's more, you open up your company to fines, lawsuits and bad publicity. You must comply with all of the security standards by September 2007 or risk losing your merchant account!
TJX - an illustration of the real world need for PCI
PCI compliance is not just another bureaucratic standard to comply with. It is a standard to protect consumers and the future of online business, based on real world needs.
The TJX Companies Inc. breach is the largest known data theft to date. Hackers invaded the TJX systems and stole at least 45.7 million credit and debit card numbers over an 18-month period. Personal data was stolen as well, including the driver's license numbers of another 455,000 customers who had returned merchandise without receipts.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and, according to several PCI auditors, it will pay a heavy financial price. TJX was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.
Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.
To prevent cases like TJX from happening again, the major credit card companies, including VISA and Mastercard, have established a strict set of rules called the Payment Card Industry Data Security Standard (PCI DSS). This standard governs retail, mail orders, telephone orders and, most importantly, e-commerce.
The PCI security standards cover several security areas; a detailed document describing the standards can be found here.
PCI compliance requires that you audit your web site security
If your company has a website and does business online, PCI compliance requires that you ensure that your web site and other web applications are secure.
You are required to scan your shopping cart and other web applications for vulnerabilities!
Acunetix Web Vulnerability Scanner version 5 helps you meet the following PCI requirements:
- (Requirement 2.2.4) Remove all unnecessary functionality
- (Requirement 2.3) Encrypt all non-console administrative access
- (Requirement 4) Encrypt transmission of cardholder data across open, public networks
- (Requirement 6) Develop and maintain secure systems and applications
- (Requirement 6.5.1) Unvalidated Input
- (Requirement 6.5.2) Broken Access Control
- (Requirement 6.5.3) Broken Authentication and Session Management
- (Requirement 6.5.4) Cross Site Scripting (XSS) Flaws
- (Requirement 6.5.5) Buffer Overflows
- (Requirement 6.5.6) Injection Flaws
- (Requirement 6.5.7) Improper Error Handling
- (Requirement 6.5.8) Insecure Storage
- (Requirement 6.5.9) Denial of Service
- (Requirement 6.5.10) Insecure Configuration Management
Acunetix will check your web site and alert you to any issues you need to fix. Once fixed, it will create a detailed report which will allow you to easily prove that you meet these particular PCI standards.
A sample of such a report (of a web site application that does NOT meet the standards) can be found here.
Only a Web Vulnerability Scanner such as Acunetix can help you meet the above requirements; Network Security Scanners will not be able to check the above requirements!
Acunetix Web Vulnerability Scanner is a crucial tool to help you meet PCI compliance. It's easy to use and inexpensive – take a product tour or download the evaluation version!