Achieving PCI Compliance for Your Site in Acquia Cloud

Transcription

1 Achieving PCI Compliance for Your Site in Acquia Cloud Introduction PCI Compliance applies to any organization that stores, transmits, or transacts credit card data. PCI Compliance is important; failure to become PCI compliant may expose your businesses to legal and financial liabilities. This white paper summarizes roles and responsibilities regarding PCI compliance for Acquia Cloud hosted websites. The Payment Card Industry Security Standards Council The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International in 2006, with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. The PCI-DSS Security Standard The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The PCI-DSS Security Standard is essentially a set of controls across a broad swath of the technology and process domains determined to be important for protecting credit card data by the PCI Security Standards Council. SKU

2 2 Achieving PCI Compliance for Your Site in Acquia Cloud The following high-level controls are specified by the PCI-DSS; also noted is which party is responsible for that control in Acquia Cloud (Acquia or Customer): 1. Install and maintain a firewall configuration to protect cardholder data (establish a firewall and router configuration standards document). Responsibility: Acquia 2. Don t use vendor supplied defaults for system passwords and other security parameters. Responsibility: Acquia 3. Protect stored cardholder data do not store sensitive authentication data after authorization (form cache data) storing full CC data is not recommended. Responsibility: Customer 4. Encrypt transmission of cardholder data across open, public networks. Responsibility: Customer (enable SSL) 5. Use and regularly update antivirus software or programs. Responsibility: Acquia 6. Develop and maintain secure systems and applications; ensure separation of duties between development and production environments. Responsibility: Customer 7. Restrict access to cardholder data by business need to know. Responsibility: Acquia and Customer 8. Assign a unique ID to each person with computer access. Responsibility: Acquia and Customer 9. Restrict physical access to cardholder data. Responsibility: Acquia and Customer 10. Track and monitor all access to network resources and cardholder data (enable logging, manage time services, and retain audit trail history for at least three months). Responsibility: Acquia and Customer 11. Regularly test security systems and process use an Approved Scanning Vendor. Responsibility: Acquia and Customer 12. Maintain a policy that addresses information security for all personnel. Responsibility: Acquia and Customer

3 3 Achieving PCI Compliance for Your Site in Acquia Cloud These 12 controls are expanded upon and detailed in the PCI Security Standard, the latest version being 2.0. Download the PCI DSS v2.0 from the PCI Security Standards website at pcisecuritystandards.org/security_standards/pcidss_agreement.php?association=pcidss. Ensuring PCI Compliance of Your Acquia Cloud Hosted Drupal Site If you are processing or storing credit card data in your Drupal site, then PCI Compliance is required. Using a PCI Compliant hosting provider like Acquia Cloud accomplishes your compliance with a number of controls (see PCI Control Responsibility Matrix below). As the owner, developer, or manager of your Acquia Cloud site you will have numerous obligations to ensure PCI Compliance. How you have implemented e-commerce, whether you are storing credit card data, and how many transactions your site does in a year are factors that determine the effort involved in achieving PCI Compliance. There are several ways to implement e-commerce in your Acquia Cloud hosted Drupal site. The most popular involve leveraging e-commerce Drupal platforms such as Drupal Commerce or Ubercart. These platforms integrate a shopping cart within your Drupal site and use third-party payment gateways that process the credit card transaction. By enabling e-commerce while not storing credit card data, a site owner minimizes their PCI compliance requirements.

4 4 Achieving PCI Compliance for Your Site in Acquia Cloud Step 1: Determine Your PCI Compliance Level PCI Compliance Levels All merchants fall into one of the four merchant levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of credit card transactions. Merchant Level Description 1 Any merchant regardless of acceptance channel processing over 6 million Visa or Mastercard, 1 million JCP, or 2.5 million American Express credit card transactions per year. (Level 1 merchants require an onsite review see Step 5.) 2 Any merchant regardless of acceptance channel processing 1 million to 6 million Visa or Mastercard, or 50,000 to 2.5 million Amex transactions per year. 3 Any merchant processing 20,000 to 1 million Visa or Mastercard, or less than 50 Amex transactions per year. 4 Any merchant processing fewer than 20,000 Visa or Mastercard transactions per year. Step 2: Determine Your PCI Compliance Type PCI compliance has five levels of responsibility: A, B, C, C-VT, and D. The first step is to determine PCI Compliance requirements pertaining to your Acquia Cloud Drupal site. Type A B C C-VT D Description Card-not-present (e-commerce or mail/telephone-order) merchants all cardholder data functions outsourced to a PCI Compliant Service Provider Imprint-only merchants with no electronic cardholder data storage; standalone dial-up terminal merchants, no electronic cardholder data Merchants with payment application systems connected to the Internet, no electronic cardholder data storage Merchants using only web-based virtual terminals, no electronic cardholder data storage All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete a self assessment questionnaire # Self Assessment Questions

5 5 Achieving PCI Compliance for Your Site in Acquia Cloud Typically, a website would fall into A, C, or D. Which one your site falls into will depend on how you implement e-commerce into your Drupal site. Typically, a website falls into A, C, or D, depending on how you implement e-commerce on your Drupal site. Step 3: Implement the Required Controls and Complete the Relevant SAQ and AOC Complete the relevant Self Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) A, C, or D as determined by step 2. The SAQ and AOC may be downloaded from the PCI Security Standards site at Step 4: Conduct Quarterly Vulnerability Scans with a PCI SSC Approved Scanning Vendor Regardless if you are PCI compliance type A, C, or D, you must validate adherance to part 11 of the PCI-DSS standard by performing vulnerability scans of your Internet facing website on a quarterly basis by an PCI Security Standards Council Approved Scanning Vendor (ASV). The list of approved scanning vendors is available on the PCI Security Standards site at vendors.php. Step 5: Complete Onsite Review by Qualified Security Assessor (Only Required if Merchant Level 1) If you process over 6 million Visa or Mastercard, 1 million JCP, or 2.5 million American Express credit card transactions per year, then you are a Merchant Level 1, which necessitates hiring a third-party Quality Security Assessor (QSA) to conduct an assessment of your PCI compliance. During a PCI assessment, the QSA determines whether your organization has met the PCI control requirements, either directly or through compensating controls. The QSA then completes a Report on Compliance (ROC) to verify your organization s compliance. The ROC is sent to your bank, which then sends it to the appropriate credit card company for verification.

6 6 Achieving PCI Compliance for Your Site in Acquia Cloud The list of QSAs can be found on the PCI Security Standards Council site at pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php. Acquia Cloud PCI-DSS Control Responsibility Matrix Acquia Cloud provides a PCI Complaint platform that customers can leverage to build PCI compliant Drupal sites. At the platform layer, Acquia is responsible for and ensures compliance with many of the controls and control families, which are specified by the PCI Security Standard. PCI-DSS v2 Control Responsibility Acquia Customer Network Security x x x x x x x x x x x x x x x x x x Platform Best Practices x x x x x x x x x

7 7 Achieving PCI Compliance for Your Site in Acquia Cloud Protect Cardholder Data a x b x c x d x e x a x 3.2.b x x x x x a x 3.4.b x 3.4.c x 3.4.d x x x x x a x 3.6.b x x x x x x x x x Encrypt Cardholder Data in Transit x 4.1.a x 4.1.b x 4.1.c x 4.1.d x 4.1.e x x a x 4.2.b x Use Antivirus Software x x

8 8 Achieving PCI Compliance for Your Site in Acquia Cloud x Secure Development Lifecycle x x x x x x x x x x x x x x x Restrict Access to Cardholder Data by Need to Know x x x x Access Control x x x x x a x x 8.4.b x x x x x x x x x x x x x x x x x x a x x b x x a x x b x x a x x b x x a x x b x x a x x b x x x x

9 9 Achieving PCI Compliance for Your Site in Acquia Cloud x x x x Physical Security x x x x x x x x x x x x x x x x x x a x b x x Testing and Monitoring x x x x x x x x x x x x x x x x x x a x x x x x x x x x x x

10 10 Achieving PCI Compliance for Your Site in Acquia Cloud x x x x Vulnerability Scans and Processes a x 11.1.b x 11.1.c x 11.1.d x 11.1.e x a x b x c x a x b x c x a x x b x x c x x a x 11.3.b x 11.3.c x x x x x a x x 11.4.b x x 11.4.c x x x Security Policies and Procedures x x x x x x x x x x x x x x x x x x x x x x x x

11 11 Achieving PCI Compliance for Your Site in Acquia Cloud x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x Shared Service Provider Addendum A.1 A.1.1 x A.1.2.a x A.1.2.b x A.1.2.c x A.1.2.d x A.1.2.e x A.1.3 x A.1.4 x

12 12 Achieving PCI Compliance for Your Site in Acquia Cloud About Acquia Acquia empowers enterprises with the open-source social publishing system Drupal. Co-founded by Drupal s creator in 2007, Acquia helps customers manage their growth and scale their online properties with confidence. Acquia s products, cloud infrastructure, and support enable companies to realize the full power of Drupal while minimizing risk, as it s done for nearly 2,000 enterprise customers including Twitter, Al Jazeera, Turner, World Economic Forum, Stanford University, New York Senate, and NPR. See who s using Drupal at and for more information please visit or call ACQUIA. Copyright 2013, Acquia, Inc. Acquia, Inc. 25 Corporate Drive, 4th Floor Burlington, MA USA [email protected]