WebSphere Commerce and the PCI Data Security Standard
Overview
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the PCI Security Standards Council to facilitate the global adoption of consistent data security measures.
The standard lists twelve requirements that retailers, online merchants, credit data processors, and other payment-related businesses must implement to help protect cardholders and their data.
Most of the requirements focus on site security, but some of them apply to securing the applications. The WebSphere Commerce team has produced this technical overview document to assist you in understanding the PCI requirements, determining which requirements apply to WebSphere Commerce, and understanding how WebSphere Commerce implements the applicable requirements.
The use of WebSphere Commerce v7 in an electronic commerce site, even if installed and configured correctly, does not guarantee that the site will be PCI compliant. The purpose of this document is to describe the relationship between WebSphere Commerce and the PCI Data Security Standard requirements; it does not cover the entire operating environment. PCI compliance can also impose requirements on other components of the site involved in the storage, processing, or transmission of cardholder data, including firewalls, routers, Web servers, operating systems, storage databases, and WebSphere Application Server. For example, although WebSphere Application Server is included with WebSphere Commerce, it is considered a separate component for PCI purposes. PCI compliance remains solely the responsibility of the merchant.
PCI DSS requirements
| Category | Req | Description | Relation to Commerce |
| --- | --- | --- | --- |
| Build and maintain a secure network | 1 | Install and maintain a firewall configuration to protect cardholder data. | Related only to PCI DSS |
| Build and maintain a secure network | 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | Focus area |
| Protect cardholder data | 3 | Protect stored cardholder data. | Focus area |
| Protect cardholder data | 4 | Encrypt transmission of cardholder data across open, public networks. | Focus area |
| Maintain a vulnerability management program | 5 | Use and regularly update anti-virus software. | Related only to PCI DSS |
| Maintain a vulnerability management program | 6 | Develop and maintain secure systems and applications. | Related only to PCI DSS |
| Implement strong access control measures | 7 | Restrict access to cardholder data by business need to know. | Focus area |
| Implement strong access control measures | 8 | Assign a unique ID to each person with computer access. | Focus area |
| Implement strong access control measures | 9 | Restrict physical access to cardholder data. | Related only to PCI DSS |
| Regularly monitor and test networks | 10 | Track and monitor all access to network resources and cardholder data. | Focus area |
| Regularly monitor and test networks | 11 | Regularly test security systems and processes. | Related only to PCI DSS |
| Maintain an information security policy | 12 | Maintain a policy that addresses information security for employees and contractors. | Related only to PCI DSS |
See:
- Payment Card Industry Data Security Standard, v1.2
- MasterCard Site Data Protection program
- VISA CISP Program Site
Different types of payment solutions for WebSphere Commerce
There are multiple ways of handling payments in a WebSphere Commerce store implementation:
- WebSphere Commerce Payments subsystem
- Payments APIs or plug-ins that are custom or provided by a 3rd party
- Hosted payments pages provided by a 3rd party
This guide addresses implementing WebSphere Commerce using the WebSphere Commerce Payments subsystem. If you are not using the WebSphere Commerce Payments subsystem, it is your responsibility to ensure that the payment API or hosted payment page you use is PCI compliant.
If you are using a WebSphere Commerce Payments subsystem plug-in other than SimpleOffline, or a custom payment plug-in built on the WebSphere Commerce Payments subsystem, that plug-in must be certified by the PCI assessor.
The payment plug-in you are using must be assessed while it is connected to the payment gateway you are using, not in isolation.
Related
- Address the PCI Data Security Standard within WebSphere Commerce
- PCI Assessment Services for WebSphere Commerce