Best Practices (Top Security Tips)



Similar documents
GFI White Paper PCI-DSS compliance and GFI Software products

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI COMPLIANCE GUIDE For Merchants and Service Members

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Two Approaches to PCI-DSS Compliance

How To Protect Your Business From A Hacker Attack

Payment Card Industry Data Security Standards.

Data Security, Fraud Prevention, and Cost Control. Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association

PCI Compliance Top 10 Questions and Answers

PCI Compliance. Top 10 Questions & Answers

Josiah Wilkinson Internal Security Assessor. Nationwide

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Why Is Compliance with PCI DSS Important?

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

University of Sunderland Business Assurance PCI Security Policy

PCI Data Security Standards

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Project Title slide Project: PCI. Are You At Risk?

How To Comply With The Pci Ds.S.A.S

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

La règlementation VisaCard, MasterCard PCI-DSS

How To Protect Your Data From Being Stolen

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI Compliance: How to ensure customer cardholder data is handled with care

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

PAI Secure Program Guide

Frequently Asked Questions

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI Requirements Coverage Summary Table

Payment Card Industry (PCI) Data Security Standard

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

Payment Card Industry Data Security Standards Compliance

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

March

PDshop.NET Installation Guides (ASP.NET Edition)

Becoming PCI Compliant

How To Protect Visa Account Information

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

PCI Compliance for Cloud Applications

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI Compliance: Protection Against Data Breaches

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

How To Protect Your Credit Card Information From Being Stolen

Payment Card Industry Data Security Standard

And Take a Step on the IG Career Path

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Industry (PCI) Data Security Standard

North Carolina Office of the State Controller Technology Meeting

How to complete the Secure Internet Site Declaration (SISD) form

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

PCI DSS Requirements - Security Controls and Processes

PCI Security Compliance

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

PCI Requirements Coverage Summary Table

CSP & PCI DSS Compliance on HP NonStop systems

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Payment Card Industry (PCI) Compliance. Management Guidelines

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Catapult PCI Compliance

CONTENTS. PCI DSS Compliance Guide

Accelerating PCI Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

PCI Compliance Tutorial - Virtual Terminal

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

Payment Card Industry Self-Assessment Questionnaire

Merchant guide to PCI DSS

PCI: It Never Ends. Why?

MITIGATING LARGE MERCHANT DATA BREACHES

Transcription:

Best Practices (Top Security Tips) For use with all versions of PDshop Revised: 10/1/2015 PageDown Technology, LLC / Copyright 2002-2015 All Rights Reserved. 1

Table of Contents Table of Contents... 2 Best Practices... 3 1. Periodically check that your database is properly secured and protected against unauthorized access.... 3 2. Rename your "admin" directory to help protect against unauthorized access.... 3 3. Change your passwords often, and do not use the same username/password combinations more than once.... 3 4. Make sure your web server is properly firewalled and all of its software is kept up-to-date.... 3 5. Download and Install the latest version of PDshop periodically.... 3 6. Enable all Security Settings and Security (PCI-DSS) Features.... 4 Special Notes... 4 PCI Compliance... 5 Payment Card Industry Data Security Standard (PCI DSS)... 5 Overview of PCI DSS Requirements... 5 What am I required to do?... 5 PCI-DSS Features... 6 Overview... 6 Enabling PCI Features... 6 Terms & Conditions... 7 2

Best Practices 1. Periodically check that your database is properly secured and protected against unauthorized access. MSSQL (SQL Server) If you have PDshop configured to use an SQL Server database, make sure that the SQL server is properly firewalled. Be sure to use strong passwords when creating your SQL Users. MSAccess (Microsoft Access) If you have PDshop configured to use an Access database, make sure it is impossible for someone (other than you) to download/access your database file. Your database directory should be configured with appropriate permissions (Security) so that only PDshop can read/write to the database, but no one else can see or download it. We recommend that your database be kept in a special directory that not accessible to web users. Consult with your web host or server administrator for their procedures and suggestions for securing database directories. IMPORTANT: We strongly recommend that you rename your database file and rename the directory it is in. You should use unique names that only you would know, do not use the default names. For example, do not leave your database with a name like "pdshoppro.mdb". Don t forget to update your web.config connection string paths accordingly. 2. Rename your "admin" directory to help protect against unauthorized access. The PDshop Admin is a very sensitive area because anyone with access can modify the content in your storefront, view customer information, change settings, upload files, and more. It is important to make sure that no one except you knows the directory (location/url). We highly recommend that you rename the admin directory to something unique that only you would know. This will make your PDshop Admin invisible to bots and hackers. You will need to update your web.config file s pdadminfolder value accordingly. Do not include the new name in any robots.txt files. 3. Change your passwords often, and do not use the same username/password combinations more than once. Change your passwords at regular intervals and make sure your PDshop Admin username/password is not the same as your FTP, hosting account, or server control panel logins. This can be devastating if your password is ever found or discovered thru some of the various hacking techniques. Your PDshop Admin logins, FTP logins, and hosting account/server logins should all be different. And always use strong passwords. 4. Make sure your web server is properly firewalled and all of its software is kept up-to-date. A web server with inadequate firewall protection, insufficient permissions, support for weak/outdated encryption, support for outdated protocols, or with unpatched/outdated software, can make your website vulnerable to unauthorized access, hacking, malicious attacks, and malware/virus infection. See the "PCI Compliance" section of this guide for more information regarding important standards and practices. 5. Download and Install the latest version of PDshop periodically. Our developers are always improving how PDshop works, for this reason revisions to each edition of PDshop are released from time to time. These revisions/updates are full versions that often contain 3

improvements, bug fixes, security updates, and even new features. To download the latest revision, login to your account and click 'My Downloads'. See the Installation Guides for help with installation or upgrading procedures. If you need assistance with installing these revisions/updates, contact PageDown Technology. NOTE: If you are using a customized version of PDshop or made your own script changes, consult with your web developer before installing any revisions. 6. Enable all Security Settings and Security (PCI-DSS) Features. Since you may be hosting PDshop on a public or shared web server, as a general precaution, we do not recommend storing sensitive credit/debit card information in your PDshop database. If you are processing these cards, you should do so thru one of the payment gateways that PDshop supports. When processing thru the supported payment gateways, PDshop DOES NOT need to store any credit card information; it is securely passed to the payment gateway's own system for processing. Storing credit card data on your own web site can put your customer's information at higher risk. If you do choose to store or process payments, be sure to enable all PCI-DSS features and make sure you are in compliance; see the "PCI Compliance" section of this guide. Below is a partial list of recommended features. If your version does not have these features we recommend upgrading to a version that supports these: Recommended Security Features Do Not Display Credit Card Numbers Do Not Save Credit Card Numbers Require Card Security Code Enforce Transaction Limits Recommended Advanced Security Features Enforce Strong Passwords (enable in your web.config) Enforce Strong Admin Security (enable in your web.config) 3DES Encryption (enable in your web.config) Password Hashing (enable in your web.config) Captcha (enable in your web.config) Event Logging (Audit Trail) (enable in your web.config) Web.config Encryption Database Cleanup (Remove Credit Card Data) Special Notes If your copy of PDshop was installed by a 3rd party, or by PageDown Technology, you may need to contact the person or company who handled your installation, or order the "Installation Service" from PageDown Technology. To order our Installation Service, please login to your account. Next, click on "My Account" from anywhere on the PageDown Technology website. 4

PCI Compliance Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. Overview of PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security What am I required to do? If you are a merchant and you are accepting credit/debit card payments, you should contact your merchant bank/processor to determine what level of Compliance is required. Depending on the level, usually determined by the number of transactions you process, you may need to be validated by a QSA, although (for smaller businesses) you might only need to complete a Self-Assessment Questionnaire (SAQ). As far as PDshop, make sure you have enabled all of the PCI-DSS features. See the "PCI-DSS Features" section in this guide. Because PCI Compliance encompasses many aspects of security, which may be beyond the scope of PDshop, other action may be required by you. For more information, contact your merchant bank/processor or the Payment Card Industry Security Standards Council at www.pcisecuritystandards.org. 5

PCI-DSS Features Overview PDshop was developed to meet the PCI DSS. While most features are "behind the scenes" and require no action by you, you will need to enable the features described below during installation. Enabling PCI Features Admin Settings The setting(s) below are found in the PDshop Administrator on the "Payment Gateways" page, under the "Settings" tab: "Do Not Display Credit Card Numbers" Web.Config Settings The settings and features below need to be enabled in your web.config file. See the "Advanced Settings" and "web.config" sections in the Installation guide for the keys required and instructions for editing your web.config. 1. Enforce Strong Passwords 2. Enforce Strong Admin Security 3. Enable 3DES Encryption 4. Password Hashing 5. Captcha 6. Event Logging (Audit Trail) 7. Web.config Encryption Version Notice If you are using version 9 or earlier of PDshop, your version might not meet the most recent PCI requirements. If you are accepting or processing credit cards using PDshop with an older version, you must upgrade in order to be in compliance. 6

Terms & Conditions This guide is intended for licensed users only. All copies of the software that powers your Storefront & Admin must be properly licensed by the software vendor. Unauthorized duplication of this material, including the software or scripts that power your Storefront & Admin, is strictly prohibited. Contact your web master or systems administrator for more information. Copyright Notice: All Text and Images contained on this document is copyrighted property and cannot be reproduced, copied, or used without written permission from the software vendor. Contact your web master or systems administrator for more information. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information