Addressing the PCI Data Security Standard within WebSphere Commerce
The following topics deal with each of the detailed requirements that pertain to WebSphere Commerce. Some of the requirements relate directly to the WebSphere Commerce software package. Others are unrelated to it, or relate to it only indirectly; for example, an indirect requirement can affect how you use the operating system's security features to protect WebSphere Commerce files.
For each requirement that directly affects WebSphere Commerce, the requirement is reprinted in italics and addressed point by point. In some cases this is an explanation or confirmation that the requirement is met. In other cases, you must enable or disable features.
For several of the requirements that relate only to PCI compliance (and not to WebSphere Commerce), you are referred directly to the PCI DSS for details. Ensure that you keep up with the rapid pace of changing security requirements. Tip: Each of the section numbers in this section corresponds to the numbering of the subsections of the PCI DSS document.
Required fixes and modifications for PCI compliance
In addition, apply the security fixes recommended in the WebSphere Commerce Security Bulletins. You can subscribe to security bulletin notifications using your IBMid:
- Go to My notifications.
- Look up and subscribe to notifications for the WebSphere Commerce product, for example, WebSphere Commerce Enterprise.
- Select Options > Edit.
- Ensure that the Security bulletin document type is selected.
Note: All document types are selected by default.
- Click Submit.
Summary of specific configuration actions required in the WebSphere Commerce implementation
While it is recommended that you read each of the requirement sections to fully understand how WebSphere Commerce addresses the PCI DSS, the following list summarizes the changes that you must make to a typical WebSphere Commerce installation that uses default settings. Read each page carefully to understand how to complete the changes.
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Ensure that you implement WebSphere Commerce in a 3–tier configuration.
- Requirement 3: Protect stored cardholder data
- Use DBclean periodically.
- Use the Key Locator Framework to store the merchant encryption key.
- Change your merchant encryption key when required, and at least annually.
- Change the default number of plaintext digits that are shown in the account number from 5 to 4.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Disable SSLv2 encryption on your web server.
- Requirement 6: Develop and maintain secure systems and applications
- Ensure that the store error pages do not display stack traces, either visibly, or in the page source.
- Requirement 10: Track and monitor all access to network resources and cardholder data
- To comply with the PCI DSS, you must enable business auditing for the orders component.
- To comply with the PCI DSS, you must enable DB2 or Oracle auditing for the BUSAUDIT table.
Note: This summary does not include changes that you must make to your site operations. Review each requirement section carefully for details on the operations and procedures that you complete in conjunction with using WebSphere Commerce, for example, reviewing your business audit logs daily or using secure removal tools to delete old encryption assets.
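The account-number item in the summary above fixes how many trailing digits may remain in plaintext. The following is an added Python example, not WebSphere Commerce code, that shows what a compliant mask looks like, rejects a display setting above the PCI limit (such as the default of 5), and scans store output or logs for a full account number that escaped masking. The function names, the limit constant, and the sample output lines are this example's own constructions.

```python
import re

# Added example; not WebSphere Commerce code. Names and sample data are this
# example's own. PCI DSS allows at most the last four digits of a PAN to be
# shown in plaintext, so a display setting above this value is rejected.
MAX_VISIBLE_TRAILING_DIGITS = 4

# A PAN is 12 to 19 digits; separators between digit groups are tolerated.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every genuine PAN, false for ~90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_digits: int = 4, mask_char: str = "*") -> str:
    """Mask all but the last `visible_digits` digits of a PAN.

    Separators are stripped first so '4111 1111 1111 1111' and
    '4111111111111111' mask identically. Asking for more than the PCI limit
    raises ValueError rather than silently over-revealing.
    """
    if visible_digits > MAX_VISIBLE_TRAILING_DIGITS:
        raise ValueError(
            f"{visible_digits} visible digits exceeds the PCI DSS limit of "
            f"{MAX_VISIBLE_TRAILING_DIGITS}"
        )
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("input is not a 12 to 19 digit account number")
    hidden = len(digits) - visible_digits
    return mask_char * hidden + digits[hidden:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid 12 to 19 digit run in `text`, separators removed.

    Run it over store page output or application logs: a correctly masked
    value such as '************1111' contains only four digits and is never
    reported, while a full PAN is. Order numbers or timestamps of similar
    length are mostly, not entirely, filtered by the Luhn check, so treat
    hits as leads to confirm.
    """
    hits = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample of store output (not real data): a masked card and a
# 13-digit order number that fails Luhn on line 1; a leaked Visa test PAN on line 2.
SAMPLE_OUTPUT = """\
order 1234567890123 confirmed, card ending ************1111
legacy receipt: card 4111 1111 1111 1111 charged 19.99
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for leak in find_unmasked_pans(SAMPLE_OUTPUT):
        print("unmasked PAN found:", mask_pan(leak), "(full value withheld)")
```

The scanner prints the leak already masked so that running the check does not itself write a full PAN to a terminal or log, which would create a second copy of cardholder data to clean up.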
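For the web-server item in the summary above (disable SSLv2), here is an added Python example, not from WebSphere Commerce or IBM documentation, that parses Apache mod_ssl `SSLProtocol` directives and reports any configuration that leaves SSLv2 enabled, showing a weak fragment beside the corrected one. Treating SSLv3 as prohibited alongside SSLv2 is this example's addition, not a statement from the page. IBM HTTP Server's own SSL module uses different directive names, so the parser is an assumption to adapt rather than a drop-in; both configuration fragments are constructed for the example.

```python
import re

# Added example; not WebSphere Commerce or IBM code. It understands the Apache
# mod_ssl `SSLProtocol` syntax (all, proto, +proto, -proto). IBM HTTP Server's
# own SSL module uses other directive names, so this parser is an assumption
# to adapt, not a drop-in.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {name.lower(): name for name in KNOWN}
# The page requires SSLv2 off; SSLv3 is added to the prohibited set here.
PROHIBITED = {"SSLv2", "SSLv3"}

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(value: str) -> set[str]:
    """Resolve an SSLProtocol value to the protocols it enables.

    Tokens apply left to right: 'all' enables every known protocol, '+X' adds,
    '-X' removes, and a bare 'X' adds. 'all' is expanded to include SSLv2
    deliberately: older Apache releases did include it, and a checker should
    assume the worst rather than a build-specific meaning.
    """
    enabled: set[str] = set()
    for tok in value.split():
        low = tok.lower()
        if low == "all":
            enabled.update(KNOWN)
        elif low.startswith("+"):
            enabled.add(_CANON.get(low[1:], tok[1:]))
        elif low.startswith("-"):
            enabled.discard(_CANON.get(low[1:], tok[1:]))
        else:
            enabled.add(_CANON.get(low, tok))
    return enabled


def audit_ssl_protocols(conf: str) -> list[str]:
    """One finding per SSLProtocol line that leaves a prohibited protocol on.

    A configuration with no SSLProtocol directive at all is also reported,
    because mod_ssl then falls back to its default of 'all'.
    """
    findings = []
    seen = False
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line)  # comment lines never match
        if not m:
            continue
        seen = True
        value = m.group(1)
        bad = sorted(PROHIBITED & enabled_protocols(value))
        if bad:
            findings.append(
                f"line {lineno}: SSLProtocol {value} leaves {', '.join(bad)} enabled"
            )
    if not seen:
        findings.append("no SSLProtocol directive: mod_ssl default 'all' applies")
    return findings


# Constructed fragments (not from a real installation): the weak setting and its fix.
WEAK_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

FIXED_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ssl_protocols(conf) or ["ok"])
```

A static check like this catches the configured intent; confirm the running server as well, since a directive in an unused virtual host or an overriding include changes nothing on the wire.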
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Many parts of requirement 1, such as your wireless network or router setup, do not directly relate to WebSphere Commerce, but the requirements that relate to the site topology are extremely important. You must construct the WebSphere Commerce site so that you never store cardholder data on internet-accessible systems. Additionally, WebSphere Commerce sites should always use firewalls to separate themselves from the internet, from internal networks, and from any other system that is accessible from the internet. Refer directly to the PCI DSS for details on this requirement.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 3: Protect stored cardholder data
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Although antivirus software is outside the scope of WebSphere Commerce, protecting your servers and network from malicious software should always be a priority for a responsible network administrator. WebSphere Commerce is designed, developed, and tested on systems running antivirus software.
- Requirement 6: Develop and maintain secure systems and applications
As your business needs change, you or your business partners might customize the WebSphere Commerce site. As you do so, ensure that the customizations do not compromise the site's security. Ensure that your developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI DSS.
- Requirement 7: Restrict access to cardholder data by business need to know
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 8: Identify and authenticate access to system components
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 9: Restrict physical access to cardholder data
Requirement 9 deals with physical site security and is well beyond the scope of WebSphere Commerce. Refer directly to the PCI DSS for details on the requirement.
- Requirement 10: Track and monitor all access to network resources and cardholder data
The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.
- Requirement 11: Regularly test security systems and processes
Although regular testing is beyond the scope of WebSphere Commerce, it is important to regularly test security systems and processes. Refer directly to the PCI DSS for details on testing requirements.
- Requirement 12: Maintain a policy that addresses information security for all personnel
This requirement is not directly related to WebSphere Commerce. Refer directly to the PCI DSS for requirements and details on how to develop your information security policies.
Related concepts
PCI Assessment Services for WebSphere Commerce
WebSphere Commerce and the PCI Data Security Standard