As of 2009, SurfShopPRO is officially PCI compliant. To preserve the integrity of personal information, the PCI Security Standards Council has published a set of requirements that online businesses must follow to secure online shopping. SurfShopPRO meets every requirement outlined by the PCI Security Standards Council.
What is PCI Compliance?
The PCI security standards are a set of requirements put in place to safeguard payment account data. The council that develops and maintains them is made up of the leading brands in the payment industry: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. Essentially, they define best practice for storing, transmitting and handling sensitive payment information over the internet.
How to make your SurfShopPRO installation PCI compliant:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Attackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in attacker communities and are easily found in public documentation.
Requirement 3: Protect stored cardholder data
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed and not sending PAN in unencrypted e-mails. SurfShopPRO, by default, does not store credit card numbers.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks where it is easy and common for an attacker to intercept, modify or divert data in transit. SurfShopPRO never transmits cardholder data in the clear: every page that handles it is served over an SSL/TLS connection on the secure server hosting the store.
Requirement 5: Use and regularly update anti-virus software
Many vulnerabilities and viruses enter the network through employees' e-mail activity. Anti-virus software must be used on all systems commonly affected by viruses to protect them from malicious software.
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals exploit security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches installed to protect against exploitation by employees, external attackers and malware.
Requirement 7: Restrict access to cardholder data by business need-to-know
This requirement ensures critical data can only be accessed by authorized personnel. SurfShopPRO has multiple admin levels so that only the people who need to know have access to your customers' information.
Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
Requirement 11: Regularly test security systems and processes
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.
Requirement 12: Maintain a policy that addresses information security
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
What does this mean for you?
Because SurfShopPRO maintains a secure network for all of our customers, you, as a merchant, can feel safe with the SurfShopPRO software. Essentially, if you want to process credit cards in your online store, you need to be PCI compliant, and SurfShopPRO helps you get compliant.
Configuring SurfShopPRO to meet PCI DSS
There are a few very important steps to take when implementing SurfShopPRO in a PCI compliant manner. The main two are:
- Do not use the Saved Credit Card module in a production environment (live site).
- Do not enable the Debugging profiler in a production environment.
If either of these is enabled, credit card data will be written to the database, which brings the database into scope for the stored-data requirements of the PCI DSS and creates further obligations before you can be compliant.
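Requirement 3 above says the cart does not store card numbers by default, and the two configuration steps above are the settings that would undo that. The check a practitioner wants is a way to confirm it: scan whatever the store has persisted (database rows, debug logs) for primary account numbers, and truncate any that legitimately must be displayed. The following is an added example, not SurfShopPRO's own code; the table names `saved_cards` and `debug_log`, the rows in `SAMPLE_ROWS` and the card numbers in them are constructed for illustration (the numbers are well-known test values, not real accounts). It goes slightly beyond the text by using a Luhn check to separate real PAN candidates from other long digit strings such as order references.

```python
"""Scan stored data for primary account numbers (PANs) and show PCI-style truncation.

Added example, not SurfShopPRO code. The table names and rows below are
constructed for illustration.
"""
import re
from typing import List, Tuple

# A PAN candidate is 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in text, with separators removed."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits and mask the rest.

    This is the truncation Requirement 3 allows when the full PAN is not needed.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample: (table name, one row rendered as text). The saved_cards and
# debug_log tables are hypothetical stand-ins for what the Saved Credit Card
# module and the Debugging profiler would leave behind if enabled on a live site.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("orders", "id=1001 customer=alice total=49.95 note=call before delivery"),
    ("saved_cards", "id=7 customer=alice card=4111111111111111 exp=12/29"),
    ("debug_log", "2009-03-02 POST /checkout cc_number=5500 0000 0000 0004 cvv=123"),
    ("orders", "id=1002 customer=bob ref=1234567890123456"),  # 16 digits, fails Luhn
]


def scan_rows(rows: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (table, [pans]) for every row that contains at least one Luhn-valid PAN."""
    findings = []
    for table, row in rows:
        pans = find_pans(row)
        if pans:
            findings.append((table, pans))
    return findings


if __name__ == "__main__":
    # Report findings with the PAN already truncated so the report itself
    # does not become another copy of cardholder data.
    for table, pans in scan_rows(SAMPLE_ROWS):
        print(f"{table}: {', '.join(truncate_pan(p) for p in pans)}")
```

Run it against a text export of the live database and of any log directory the web server writes to. Any hit in a table or log other than the payment gateway's own transient request is a sign that one of the two modules above is active, and the debug_log row also shows why the profiler is dangerous: it captures the CVV alongside the PAN, and sensitive authentication data may never be stored after authorization under any circumstances.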
It is important to note that while SurfShopPRO is an integral part of the chain in obtaining PCI compliance, it must be deployed in a PCI compliant hosting environment. We have given recommendations here on configuring SurfShopPRO to meet the PCI DSS. For more information on PCI compliance please visit the PCI Security Standards Council website.