What is PCI-DSS?

PCI-DSS (Payment Card Industry Data Security Standard) is a set of actionable rules defined by the Payment Card Industry Security Standards Council to encourage the broad adoption of consistent data security measures around the world with an aim to reduce credit card fraud.

These rules apply to anyone who is storing, processing or transmitting credit card data, therefore merchants who wish to take Credit Card payments on their sites directly need to be aware of PCI-DSS.

For more information about PCI-DSS, see the PCI Security Standards Council's own documentation.

Do I need to be PCI-DSS Compliant?

If you are transmitting credit card data: yes, your site needs to be PCI-DSS compliant.

If, however, you are taking payments off site by using a gateway that uses its own servers to take payments (Authorize.net DPM, PayPal Standard, etc.), you are not transmitting card data and do not need to take steps to comply. If you are not comfortable with becoming PCI compliant, use a gateway which handles PCI for you.

PCI-DSS Core Requirements

The 12 core PCI-DSS requirements are as follows:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Reporting Compliance

Typically, PCI compliance reports are enforced by your payment processor – they may require that you fill out questionnaires (Self Assessment Questionnaire – or SAQ) or be scanned by an ASV (approved scanning vendor) of their choosing.

CoreShop and PCI Compliance

Ultimately, PCI and all of the above points are the responsibility of the store owner; however, we can offer advice on compliance. It should be noted that CoreShop is not PCI-DSS certified, but this does not prevent your site from becoming PCI compliant. CoreShop is written with security in mind, and Pimcore and Zend Framework 1, on which it is built, are also well tested and very secure.

Regarding the PCI-DSS requirements, many of the points above are beyond the scope of Pimcore and CoreShop, instead falling into the area of hosting and business policies/best practice for the website owner to abide by. Referencing the core PCI-DSS requirements above by number:

  1. Out of scope. Firewalls would be the responsibility of the hosting provider or network administrator.
  2. Out of scope. Passwords would need to be set responsibly by yourself; use strong passwords at all times and ensure the hosting environment is fully secured.
  3. CoreShop helps with this requirement by never storing card details.
  4. Pimcore has options to enforce SSL on your checkout pages. You should of course ensure your hosting provider implements SSL to work with this.
  5. Out of scope. Virus protection would be down to your hosting provider.
  6. Out of scope. Maintaining a secure system to avoid threats would be down to your hosting provider.
  7. CoreShop uses Pimcore Objects for authorization. No customer can ever access your database.
  8. Out of scope. Work with the host/network admin to ensure all admin access to systems containing credit card details is logged and trackable. Users need to be traceable and accountable for their actions. Access should be limited to only those who need it.
  9. Out of scope. Physical access to stored and transmitted data should be restricted by the hosting provider.
  10. Out of scope. Monitoring access would need to be taken care of by the network admin or hosting provider.
  11. Out of scope. Use an ASV (approved scanning vendor) to regularly scan your site for issues.
  12. Out of scope. Creating, maintaining and distributing a policy on addressing the PCI-DSS requirements, as well as a risk assessment, is the responsibility of the merchant/store owner.

Therefore, considering the above points, the following steps should be taken if you aim to achieve compliance:

  1. Choose a trusted, secure hosting provider – preferably one which claims and actively promotes PCI compliance. Cheap, shared hosts are unlikely to cover this.
  2. Use security best practices when setting passwords and limit access to your server.
  3. Never store credit card details anywhere.
  4. With the aid of your hosting provider, implement SSL to keep your checkout secure.
  5. Keep installed plugins to a minimum; remember, compliance covers all installed software, so that includes plugins and CoreShop/Pimcore itself.
  6. Keep plugins up to date to ensure latest security fixes are present.
  7. Working with your payment processor, use an ASV (approved scanning vendor) to scan your site and find issues – fixing any identified issues until passing the scan.
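Requirement 3 and step 3 above ("never store credit card details anywhere") are easy to state but easy to break by accident: a full card number typed into an order note, an exception message or a debug log ends up persisted even though the checkout itself never saves it. The following is an added example, written in Python for this page and not part of CoreShop or Pimcore, that shows one defensive pattern: detect likely card numbers with a Luhn check and mask them to the first six and last four digits before anything is written to a log or database. The regex, the helper names and the sample log lines are constructed for illustration; it goes slightly beyond the text by covering logs and nested records, not just the database.

```python
"""Keep primary account numbers (PANs) out of anything the shop persists.

Constructed example: the pattern, the Luhn check and the sample lines are
made up here for illustration and are not taken from CoreShop or Pimcore.
"""
import re

# A PAN is 13-19 digits, often typed with spaces or dashes between groups.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: True for digit strings that are structurally valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first six and last four digits; everything else is starred."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Replace every Luhn-valid PAN in a line of text with its masked form.

    Digit runs that fail the Luhn check (order numbers, timestamps, session
    ids) are left untouched so the log stays useful for debugging.
    """
    def _repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(_repl, line)


def scrub_record(record):
    """Recursively redact PANs in a dict/list structure before it is stored."""
    if isinstance(record, dict):
        return {k: scrub_record(v) for k, v in record.items()}
    if isinstance(record, list):
        return [scrub_record(v) for v in record]
    if isinstance(record, str):
        return redact_line(record)
    return record


# Constructed sample lines, not real log output; 4111 1111 1111 1111 is a
# well-known test number and 1234567890123456 is a non-Luhn session id.
SAMPLE_LOG = [
    "order 1042 paid with card 4111 1111 1111 1111 expiry 12/26",
    "session 1234567890123456 checkout started",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Wire `scrub_record` in front of whatever writes order notes, support tickets or exception context to disk, and `redact_line` into the logging formatter; the Luhn filter keeps false positives low, and the retained first six/last four digits are still enough to identify the card brand and reconcile a transaction with the payment processor.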