Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
Examples of open, public networks that are in scope of the PCI DSS are:
- The Internet,
- Wireless technologies,
- Global System for Mobile communications (GSM), and
- General Packet Radio Service (GPRS).
All payment requests in WebSphere Commerce are submitted over SSL/TLS connections; cardholder data is never sent to the payment back end in the clear.
For information on controlling and protecting WebSphere Commerce Payments, see: Protect WebSphere Commerce Payments
For information on controlling and protecting the WebSphere Commerce Payment Plugin Controller, see: Payment plug-in specification
To meet Requirement 4.1, disable SSLv2 and the weak cipher suites (export-grade 40/56-bit ciphers and NULL encryption) on the Web server; PCI DSS does not accept them as strong cryptography. Note that PCI DSS 3.1 and later also exclude SSLv3 and early TLS (TLS 1.0) from "strong cryptography", so a current deployment should disable those protocols as well and offer TLS 1.2 or later.
- IBM HTTP Server
In httpd.conf, add the following directives to each SSL-enabled virtual host. SSLProtocolDisable turns off SSLv2; each SSLCipherSpec line names a cipher suite by its IBM HTTP Server cipher code, and once any SSLCipherSpec directive is present only the listed suites are offered, so every weak suite not in the list is disabled. Check the IBM HTTP Server documentation for the suite each code maps to before copying the list:
SSLProtocolDisable SSLv2
SSLCipherSpec 34
SSLCipherSpec 35
SSLCipherSpec 3A
- Microsoft IIS
- Create the following keys in the system registry, each with a DWORD value named Enabled set to 0 (0 disables the protocol or cipher; a missing key leaves the Windows default in effect). Schannel reads these keys at startup, so restart the server after making the change:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
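The following PowerShell is an added example, not IBM documentation or Microsoft-supplied code: it applies the Schannel settings listed above and then audits them. It uses the .NET registry API rather than New-Item and New-ItemProperty because the PowerShell registry provider treats the "/" in names such as "RC4 40/128" as a path separator and would create a nested "RC4 40\128" key instead. The key names and values are exactly the ones on this page; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the Schannel protocol/cipher settings above.
# .NET's RegistryKey keeps "/" literal in key names; New-Item would not.
# Schannel reads these keys at boot, so reboot the server after running this.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols to disable, as listed on this page.
$Protocols = @('PCT 1.0', 'SSL 2.0')

# Cipher keys to disable (Ciphers\<name>\Enabled applies to client and server use).
$Ciphers = @(
    'DES 56/56',
    'RC2 56/56', 'RC2 40/128', 'RC2 56/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128',
    'NULL'
)

function Get-SchannelSubPaths {
    # Relative key paths under SCHANNEL built from the two lists above.
    $paths = @(foreach ($p in $Protocols) { "Protocols\$p\Server" })
    $paths += @(foreach ($c in $Ciphers) { "Ciphers\$c" })
    return $paths
}

function Disable-SchannelItem {
    param([Parameter(Mandatory)][string]$SubPath)
    # CreateSubKey opens the key for write access and creates it if missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\$SubPath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelItemDisabled {
    param([Parameter(Mandatory)][string]$SubPath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubPath")
    # A missing key means the Windows default applies, i.e. not explicitly disabled.
    if ($null -eq $key) { return $false }
    try {
        return ($key.GetValue('Enabled') -eq 0)
    } finally {
        $key.Close()
    }
}

# Apply every setting, then audit: anything still enabled is reported as a finding.
foreach ($sub in Get-SchannelSubPaths) { Disable-SchannelItem -SubPath $sub }

$findings = @(Get-SchannelSubPaths | Where-Object { -not (Test-SchannelItemDisabled -SubPath $_) })
if ($findings.Count -gt 0) {
    Write-Warning "Still enabled: $($findings -join ', ')"
} else {
    Write-Host 'All listed protocols and ciphers are disabled; reboot for Schannel to apply them.'
}
```

Run it from an elevated PowerShell session on the IIS host. To bring the server in line with current PCI DSS versions, add 'SSL 3.0' and 'TLS 1.0' to $Protocols; the audit loop will then report those keys as findings until they are disabled too.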
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
- For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
- For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
Although the network itself is transparent to WebSphere Commerce, it is important to protect the wireless network from intrusion. An unsecured wireless network could allow an attacker to circumvent your other security measures.
4.2 Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
WebSphere Commerce does not provide any default capability to send the PAN by e-mail. Any customized notification, messaging, or logging code you add must be reviewed to confirm it never includes the full PAN in e-mail, instant messaging, or chat.