

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 Always change vendor-supplied defaults before installing a system on the network. Examples include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.

In addition to changing default passwords, do not use default ID names for administrator accounts. For example, do not use wcsadmin, webadmin, root, or db2admin as the user ID of any administrative account. The WebSphere Commerce site administrator account is created when you create the instance, so choose a non-default ID at that point, and remove any accounts that the site does not need.

For information on changing passwords in WebSphere Commerce, see:

Changing a WebSphere Commerce password
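As an added example (not from IBM's documentation), the following POSIX shell script audits the operating-system accounts on a WebSphere Commerce host for the kind of default IDs the page warns against and for accounts whose password field is empty. The list of IDs and the sample passwd file are assumptions constructed for the example; on a real host point the script at /etc/passwd and extend the list for your environment. The site administrator ID that lives in the WebSphere Commerce database is chosen at instance creation and is not visible to this check.

```shell
#!/bin/sh
# Added example, not IBM's code: audit a passwd-format file for well-known
# default administrator IDs and for accounts whose password field is empty.
# Usage: sh audit_accounts.sh /etc/passwd   (no argument runs the built-in sample)

# IDs that should not exist on a hardened production host. Assumed list: the
# names the page mentions plus the DB2 installation defaults (db2inst1,
# db2fenc1, dasusr1). root is deliberately left out: it is the OS superuser
# and is hardened by restricting its login, not by renaming it.
DEFAULT_IDS="wcsadmin webadmin db2admin db2inst1 db2fenc1 dasusr1"

# audit_passwd FILE
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_passwd() {
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue                     # skip blank lines
        case " $DEFAULT_IDS " in
            *" $user "*)
                echo "DEFAULT-ID  $user (uid $uid) still present; rename or remove it"
                findings=$((findings + 1)) ;;
        esac
        if [ -z "$pw" ]; then                          # "user::uid:..." means no password
            echo "NO-PASSWORD $user (uid $uid) has an empty password field"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample passwd file (not taken from any real system): two default
# IDs survived installation and one account has no password at all.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wcsadmin:x:1001:1001:WebSphere Commerce admin:/home/wcsadmin:/bin/bash
db2inst1:x:1002:1002:DB2 instance owner:/home/db2inst1:/bin/bash
deploy::1003:1003:deployment account:/home/deploy:/bin/bash
svc_commerce:x:1004:1004:site administrator:/home/svc_commerce:/bin/bash
EOF
}

if [ $# -eq 0 ]; then
    sample=$(mktemp)
    write_sample_passwd "$sample"
    audit_passwd "$sample" || echo "result: host is not clean (see findings above)"
    rm -f "$sample"
else
    audit_passwd "$1"
fi
```

Run against the sample, the script reports wcsadmin and db2inst1 as surviving default IDs and deploy as an account with no password, and exits non-zero so it can gate a build pipeline.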

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

WebSphere Commerce neither depends on nor is aware of whether the underlying network is wireless. If any part of the internal network is wireless, harden that network yourself: change the default encryption keys, administrative passwords, and SNMP community strings on the wireless devices, and configure them to use strong encryption for both authentication and transmission.

Hardening in general means tightening security by disabling unnecessary services and ports, so that unused features cannot become a way into the system. Hardening guidelines for most operating systems and network equipment are available on the Internet.


2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Develop a set procedure that ensures every server on which WebSphere Commerce runs follows the same security configuration and the same test plan, so that no server drifts from the documented standard.


2.2.1 Implement only one primary function per server.

In WebSphere Commerce, running the web server, the application server, and the database server on separate machines is known as a three-tier configuration. For more information, see the following topics:


2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).

Before you install WebSphere Commerce software, harden the operating system. Hardening is a procedure where you tighten security on the server by disabling unnecessary services and ports, making it harder to get into the system through unused features. Depending on the operating system, there are many hardening guidelines available on the Internet.

For reference, a widely used source of security benchmarks and tools for many operating systems is www.cisecurity.org.

2.2.3 Configure system security parameters to prevent misuse.

WebSphere Commerce provides a set of enhanced security features, documented in: Enhance site security

2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

WebSphere Commerce contains a rich set of features that can be enabled and disabled selectively; disable any component that your site does not use. To disable WebSphere Commerce components, see: Disable WebSphere Commerce components

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

SSL/TLS is used for the Management Center, the Administration Console, and WebSphere Commerce Accelerator. For the list of ports used, see: Quick reference to user IDs, passwords, and Web addresses

The ports used for administrative access must not be reachable from outside the firewall. Require remote administrators to connect to the internal network through a technology such as a VPN before they access any WebSphere Commerce administrative function.
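The following POSIX shell script is an added example (not IBM's code) that serves both 2.2.2 and 2.3: it classifies the sockets a WebSphere Commerce host is listening on into service ports that clients are meant to reach, administrative ports that must stay behind the firewall and be reached only over a VPN, and anything else, which is an unnecessary service to disable. The port policy is an assumption for a web-tier host (the WebSphere Application Server administrative console's default secure port, 9043, is assumed; take the real ports for your instance from the Quick reference topic), and the sample capture is constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: classify the sockets a WebSphere Commerce
# host is listening on. Input is "ss -tuln" style text on stdin, so on a live
# host run:   ss -tuln | audit_listeners   after sourcing this file; run
# stand-alone, it audits the constructed sample below.

# Assumed port policy for a web-tier host (adjust per tier and per instance):
#   SERVICE_PORTS  what clients are meant to reach through the firewall
#   ADMIN_PORTS    administrative access (SSH, the WebSphere administrative
#                  console on its assumed default secure port 9043); must stay
#                  behind the firewall and be reached only over a VPN (2.3)
# Anything else is an unexpected service to disable (2.2.2).
SERVICE_PORTS="tcp/80 tcp/443"
ADMIN_PORTS="tcp/22 tcp/9043"

# Reads ss-style lines on stdin and prints one classified line per socket.
# Returns 0 when every listener is SERVICE or ADMIN, 1 if any is UNEXPECTED.
audit_listeners() {
    unexpected=0
    while read -r proto state recvq sendq laddr peer rest; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac   # skip header/blank lines
        port=${laddr##*:}        # "0.0.0.0:443", "*:443" and "[::]:443" all give 443
        key="$proto/$port"
        case " $SERVICE_PORTS " in *" $key "*) echo "SERVICE    $key ($laddr)"; continue ;; esac
        case " $ADMIN_PORTS " in
            *" $key "*) echo "ADMIN      $key ($laddr): restrict to the management network / VPN" ;;
            *) echo "UNEXPECTED $key ($laddr): disable the service or justify it in the build standard"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    [ "$unexpected" -eq 0 ]
}

# Constructed sample capture (no real host behind it): besides the expected
# web and admin ports it shows telnet (tcp/23) and SNMP (udp/161) still enabled.
sample_listeners() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    *:443               *:*
tcp   LISTEN 0      128    *:80                *:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
tcp   LISTEN 0      128    [::]:9043           [::]:*
EOF
}

sample_listeners | audit_listeners || echo "result: unexpected listeners found"
```

On the sample, 80 and 443 are reported as SERVICE, 22 and 9043 as ADMIN (to be restricted at the firewall rather than disabled), and telnet and SNMP as UNEXPECTED; the non-zero exit makes the check usable as a gate in the build standard called for by 2.2.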

2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Although this requirement does not apply to WebSphere Commerce itself, if you use WebSphere Commerce as a hosting environment for other entities, you must meet the additional responsibilities of a hosting provider.

