What is PCI Compliance?

Sucuri aims at keeping the internet safe. That is why we are so keen on informing our customers of potential threats. We have posted many articles regarding ecommerce security breaches that steal credit card information, as well as the risks for ecommerce site owners.

There can be many dangers when purchasing through a website, and with so many cyber threats attacking ecommerce platforms and payment gateways, it’s more important than ever to reassure your customers by implementing and maintaining Payment Card Industry (PCI) Compliance.

What if Your Site is Compromised?

Have your sales plummeted? Are customers complaining that their credit card information was stolen after purchasing from your site? Our article on the Impacts of a Hack on a Magento Ecommerce site describes the sudden and devastating consequences. When your site is compromised, understanding how the compromise occurred is the most important step in preventing it from happening again.

PCI Forensic Investigators (PFI) can help determine when and how a compromise occurred. Once you understand the vulnerability, you can start implementing the PCI standards to protect you and your customers in the future.

What Exactly is PCI Compliance?

Securing online payments is what the Payment Card Industry aims to do. In 2006, American Express, Discover, JCB International, MasterCard, and Visa Inc. founded the PCI Security Standards Council (PCI SSC) in order to create a comprehensive and evolving set of standards to help vendors protect their payment systems.

The PCI Data Security Standard (PCI DSS) includes general practices, such as restricting access to cardholder data and requiring strong, non-default passwords, as well as more in-depth practices like encryption and the use of a firewall.

The full list of requirements can be found on the PCI Security Standards Site.

PCI Requirements

The Importance of a Website Application Firewall

You can see that the number one requirement in the PCI standards is to maintain a firewall in order to protect cardholder data.

The Sucuri Firewall is a cloud-based Intrusion Prevention/Detection System that helps block web-based attacks looking to exploit weaknesses in websites via code vulnerabilities, access control, or other configuration issues. Our Website Application Firewall (WAF) routes all incoming traffic through our global network of servers, allowing us to see all good and bad traffic. Through our distributed nodes, we can filter out all the bad traffic and pass all good traffic to the hosting provider for the website.

We offer a Website Application Firewall that not only protects your site’s traffic but includes a free SSL certificate to help secure information in transit. The Sucuri firewall also acts as a Content Delivery Network (CDN) which will boost performance on the site.

The Sucuri Firewall will help you achieve many of the PCI standards by providing a cloud-based Firewall for your websites. Some of the standards you can achieve through our Virtual Patching, Hardening, and security options provided are:

  • Requirement 1: Establish and implement a firewall.
  • Requirement 2: Harden your environment, disable unnecessary services & configure system parameters to prevent misuse.
  • Requirement 6: Ensure that system components are protected from known vulnerabilities.
  • Requirement 6: Address common coding vulnerabilities.
  • Requirement 10: Implement audit trails.
  • Requirement 10: Review logs.

PCI and SSL

With an SSL certificate, your website can leverage the HTTPS protocol to securely transfer information between point A and B. This is crucial when transferring sensitive information, like credit card data on checkout pages and Personally Identifiable Information (PII) on login and contact forms.

An SSL certificate validates the ownership of a website and secures the transmission of cardholder data, which is the fourth requirement for PCI Compliance.

Be careful: Although the encrypted connection secures data in transit, it does not protect the site itself from being compromised.

Website security is complex, and an SSL certificate is only one piece of the whole security puzzle. Keeping PCI compliant, using an SSL certificate, and maintaining a secure website environment all work in tandem to create a safe internet.

If you are looking to implement a secure connection on your site by using an SSL certificate, click here for our comprehensive article on how to do so.

Conclusion

Preventing a compromise rather than cleaning up after one is much more economical – not only for you but for your customers as well. Save your brand reputation and your sales initiatives by keeping PCI Compliant and upholding a good security posture!



*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Celise Davison. Read the original post at: https://blog.sucuri.net/2018/05/pci-compliance.html