PCI-DSS / PA-DSS Compliance & Kentico CMS
As we receive numerous questions on PCI compliance, I would like to explain some basic terms and requirements. We would also welcome your ideas on Kentico CMS compliance.
PCI DSS
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements meant to ensure that companies involved in processing card payments maintain a defined level of security to protect cardholder data. It was created by the major card brands in response to the growing number of data breaches and the resulting fraudulent use of the stolen data.
PCI DSS in version 2.0 (the current version at the time of writing) is defined as a set of twelve requirements which all involved entities must adhere to. The following list gives the requirements organized into logically related groups, called control objectives.
Control objectives and PCI DSS requirements:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Who must comply?
PCI DSS is a mandatory standard which applies to all entities that take part in payment card processing. This includes merchants, acquirers, card issuers, service providers and any other entity that accepts, transmits or stores cardholder data.
PA DSS
What is PA DSS?
The Payment Application Data Security Standard (PA DSS) governs the security of software used to process, transmit and store cardholder data. Similarly to PCI DSS, it defines a list of requirements the applications have to comply with. The current version (2.0) of PA DSS has the following requirements:
PA DSS requirements:
  1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities.
  8. Facilitate secure network implementation.
  9. Cardholder data must never be stored on a server connected to the Internet.
  10. Facilitate secure remote software updates.
  11. Facilitate secure remote access to payment application.
  12. Encrypt sensitive traffic over public networks.
  13. Encrypt all non-console administrative access.
  14. Maintain instructional documentation and training programs for customers, resellers, and integrators.
Who must comply?
PA DSS is aimed at software vendors and integrators that deliver payment applications which are sold, distributed or licensed to third parties.
PCI DSS vs. PA DSS
Both standards protect cardholder data, but at different levels. PA DSS applies to software vendors, while PCI DSS is required of all merchants and service providers that handle cardholder data.
Although PA DSS is based on the PCI DSS requirements, using PA DSS validated software does not by itself make a merchant PCI DSS compliant!
Kentico CMS compliance
Basic facts
Since PCI DSS is focused on merchants and the institutions that process card payments rather than on individual software products, the standard does not apply to Kentico CMS as a product. Note, however, that a Kentico CMS installation that accepts, transmits or stores card details becomes part of the merchant's cardholder data environment and falls within the scope of that merchant's PCI DSS assessment.
Although Kentico CMS is currently not PA DSS certified, it is built in a way that does not prevent retailers from achieving the PCI DSS compliance they require.
Give us your feedback
PCI DSS or PA DSS compliance may be required by local law, and we do not plan to put Kentico CMS through PA DSS certification at the moment (we do still plan to do so in the future). We would therefore like to ask whether there is anything we can improve or change in Kentico CMS payment processing to make it easier for you to pass a PCI DSS assessment, should you need one.
We are currently considering the following options:
1) Integrating one of the third-party PA DSS validated payment connectors to process all payments in your Kentico CMS on-line store. If you use such a connector, you will probably have to pay a fee to the third party according to its licensing model. Using such a connector would of course be optional; you could still use our built-in payment gateway integrations without any extra fee.
2) Replacing our current Authorize.NET integration, in which customers enter their card details into a Kentico built-in web form, with an integration based on an Authorize.NET hosted form, in which customers enter their card details on a page hosted by Authorize.NET rather than on your Kentico site. With the hosted form the card number and card code never pass through your web server, which substantially reduces the part of your Kentico installation that falls within PCI DSS scope. The same approach could probably be applied to all new payment gateway integrations where customers need to enter card details.
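The practical difference between the two designs in option 2 is what reaches the merchant's server. The following added example (not Kentico code and not the Authorize.NET API) classifies a checkout request payload: it flags any field carrying a Luhn-valid primary account number (PCI DSS requirement 3, PA DSS requirement 2) and any field carrying sensitive authentication data such as the card code (PA DSS requirement 1). The two sample payloads are constructed; their field names loosely follow the x_-prefixed Authorize.NET parameter style but are assumptions, as is the list of sensitive field names.

```python
"""Added example: which checkout design delivers cardholder data to the merchant's server.

Not Kentico CMS code and not the Authorize.NET API; payloads and field names are constructed.
"""
import re

# A run of 13-19 digits, optionally separated by spaces or dashes, is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names assumed to carry sensitive authentication data (CVV/CVC, track data, PIN block).
# This list is an assumption for the example; extend it to match your own form field names.
SAD_FIELDS = {"cvv", "cvc", "card_code", "x_card_code", "track1", "track2", "pin_block"}


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return all Luhn-valid 13-19 digit runs found in text, with separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan):
    """Mask a PAN to the first six and last four digits, the maximum PCI DSS allows displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_report(payload):
    """Classify a request payload: which fields carry a PAN, which carry sensitive
    authentication data, and whether receiving it pulls the server into PCI DSS scope."""
    report = {"pan_fields": {}, "sad_fields": [], "in_scope": False}
    for name, value in payload.items():
        pans = find_pans(str(value))
        if pans:
            report["pan_fields"][name] = mask_pan(pans[0])
        if name.lower() in SAD_FIELDS:
            report["sad_fields"].append(name)
    report["in_scope"] = bool(report["pan_fields"] or report["sad_fields"])
    return report


# Constructed sample: what the merchant's server receives when the built-in web form
# collects the card details and the site forwards them to the gateway itself.
DIRECT_POST = {
    "order_id": "ORD-000123",
    "amount": "19.99",
    "x_card_num": "4111 1111 1111 1111",   # test PAN, not a real card
    "x_exp_date": "1229",
    "x_card_code": "123",
}

# Constructed sample: what the merchant's server receives when the customer entered the
# card details on the gateway-hosted page and is redirected back with only a result.
HOSTED_RETURN = {
    "order_id": "ORD-000123",
    "amount": "19.99",
    "x_trans_id": "2149186848",
    "x_response_code": "1",
    "x_account_number": "XXXX1111",
}

if __name__ == "__main__":
    for label, payload in (("built-in form", DIRECT_POST), ("hosted form", HOSTED_RETURN)):
        print(label, scope_report(payload))
```

Running the block shows the built-in form design putting a PAN and a card code on the merchant's server (in scope), while the hosted form design leaves the server with only a transaction reference and a masked account number. The same check is useful against web server access logs and application logs, which is where full PANs most often end up by accident.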
What do you think? Any feedback is really appreciated!
We will appreciate receiving your feedback below this blog post or by e-mail to petrv@kentico.com
PS: To learn more about the PCI / PA DSS standards and for information on how to validate your compliance, visit the PCI Security Standards Council's website at https://www.pcisecuritystandards.org.