Achieving PCI Compliance for Your Site in Acquia Cloud




Introduction

PCI compliance applies to any organization that stores, processes, or transmits credit card data. PCI compliance is important: failure to become PCI compliant may expose your business to legal and financial liabilities. This white paper summarizes roles and responsibilities regarding PCI compliance for Acquia Cloud hosted websites.

The Payment Card Industry Security Standards Council

The Payment Card Industry Security Standards Council was formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International in 2006 to manage the ongoing evolution of the Payment Card Industry Data Security Standard.

The PCI DSS Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. In practice, the PCI DSS is a set of controls across the technology and process domains that the PCI Security Standards Council has determined are important for protecting credit card data.

SKU 0346-130425

The following high-level controls are specified by the PCI DSS; also noted is which party is responsible for each control in Acquia Cloud (Acquia or Customer):

1. Install and maintain a firewall configuration to protect cardholder data (establish a firewall and router configuration standards document). Responsibility: Acquia
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Responsibility: Acquia
3. Protect stored cardholder data. Do not store sensitive authentication data after authorization (watch for it in form cache data); storing full card numbers at all is not recommended. Responsibility: Customer
4. Encrypt transmission of cardholder data across open, public networks. Responsibility: Customer (enable SSL/TLS for the site)
5. Use and regularly update antivirus software or programs. Responsibility: Acquia
6. Develop and maintain secure systems and applications; ensure separation of duties between development and production environments. Responsibility: Customer
7. Restrict access to cardholder data by business need to know. Responsibility: Acquia and Customer
8. Assign a unique ID to each person with computer access. Responsibility: Acquia and Customer
9. Restrict physical access to cardholder data. Responsibility: Acquia and Customer
10. Track and monitor all access to network resources and cardholder data (enable logging, manage time services, and retain audit trail history for at least one year, with at least three months immediately available for analysis). Responsibility: Acquia and Customer
11. Regularly test security systems and processes; use an Approved Scanning Vendor for the quarterly external scans. Responsibility: Acquia and Customer
12. Maintain a policy that addresses information security for all personnel. Responsibility: Acquia and Customer
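Controls 8 and 10 above are concrete enough to be checked from the site's own logs. The script below is an added example written for this page, not code from the white paper, from Acquia or from Drupal. It replays a constructed export of Drupal watchdog entries (the export line format with an "ip=" suffix is an assumption made for the example; the two message texts are Drupal 7's own) and applies the PCI DSS v2.0 8.5.13/8.5.14 rule: lock a user ID after no more than six failed attempts, for at least 30 minutes. It reports the moment a user crosses that threshold and any successful login that follows inside the lockout window, which would show the lockout is not actually enforced.

```python
"""Replay exported Drupal watchdog entries and check the PCI DSS 8.5.13/8.5.14
lockout rule against them (added example; not code from the white paper).

Assumed export format (constructed for this example):
  <ISO-8601 UTC timestamp> <watchdog type> <message> ip=<client address>
The two message texts are Drupal 7's own: "Login attempt failed for %user."
and "Session opened for %name."
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

MAX_FAILURES = 6                 # 8.5.13: lock after not more than six attempts
LOCKOUT = timedelta(minutes=30)  # 8.5.14: lockout lasts at least 30 minutes

LINE = re.compile(r"^(?P<ts>\S+) (?P<type>\S+) (?P<msg>.*?) ip=(?P<ip>\S+)$")
FAILED = re.compile(r"^Login attempt failed for (?P<user>\S+)\.$")
OPENED = re.compile(r"^Session opened for (?P<user>\S+)\.$")


def parse(line):
    """Return (timestamp, kind, user, ip), or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    msg = m.group("msg")
    failed = FAILED.match(msg)
    if failed:
        return ts, "failed", failed.group("user"), m.group("ip")
    opened = OPENED.match(msg)
    if opened:
        return ts, "opened", opened.group("user"), m.group("ip")
    return ts, "other", None, m.group("ip")


def analyse(lines):
    """Return findings as (kind, user, iso_timestamp, ip) tuples."""
    failures = defaultdict(deque)  # user -> failure times inside the last LOCKOUT window
    locked_until = {}              # user -> when a compliant lockout would expire
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, kind, user, ip = event
        if kind == "failed":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > LOCKOUT:  # drop failures older than the window
                recent.popleft()
            # Threshold reached with no lockout in force: a compliant site must
            # lock the ID now. Record it so later logins can be checked against it.
            if len(recent) >= MAX_FAILURES and locked_until.get(user, ts) <= ts:
                locked_until[user] = ts + LOCKOUT
                findings.append(("lockout_threshold", user, ts.isoformat(), ip))
        elif kind == "opened":
            # A successful login while the ID should still be locked means the
            # lockout control is not enforced on this site.
            if user in locked_until and ts < locked_until[user]:
                findings.append(("login_during_lockout", user, ts.isoformat(), ip))
    return findings


# Constructed sample export: six failures for "admin" in under a minute, then a
# successful login five minutes later; "editor" fails once and then logs in.
SAMPLE_LOG = """\
2013-04-25T09:58:10Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T09:58:14Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T09:58:19Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T09:58:23Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T09:58:30Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T09:58:36Z user Login attempt failed for admin. ip=198.51.100.7
2013-04-25T10:03:02Z user Session opened for admin. ip=198.51.100.7
2013-04-25T10:05:40Z user Login attempt failed for editor. ip=203.0.113.5
2013-04-25T10:06:01Z user Session opened for editor. ip=203.0.113.5
2013-04-25T10:40:00Z cron Cron run completed. ip=127.0.0.1
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data the script reports the threshold crossing for "admin" at 09:58:36 and the login at 10:03:02 that should have been refused. Drupal 7's user module has its own flood control for failed logins (the user_failed_login_user_limit and user_failed_login_user_window variables); this check reads the retained audit trail (control 10) to confirm that the configured lockout actually held, which is the evidence an assessor asks for.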

These 12 controls are expanded upon and detailed in the PCI DSS, the latest version at the time of writing (April 2013) being 2.0. Download PCI DSS v2.0 from the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/pcidss_agreement.php?association=pcidss.

Ensuring PCI Compliance of Your Acquia Cloud Hosted Drupal Site

If you are processing or storing credit card data in your Drupal site, then PCI compliance is required. Using a PCI compliant hosting provider like Acquia Cloud satisfies a number of controls on your behalf (see the PCI Control Responsibility Matrix below). As the owner, developer, or manager of your Acquia Cloud site, you still have numerous obligations to ensure PCI compliance. How you have implemented e-commerce, whether you are storing credit card data, and how many transactions your site does in a year determine the effort involved in achieving PCI compliance.

There are several ways to implement e-commerce in your Acquia Cloud hosted Drupal site. The most popular leverage e-commerce platforms built on Drupal, such as Drupal Commerce or Ubercart. These platforms integrate a shopping cart within your Drupal site and use third-party payment gateways to process the credit card transaction. By enabling e-commerce while never storing credit card data, a site owner minimizes their PCI compliance requirements. Keep in mind that a site which only redirects customers to, or embeds, a gateway's hosted payment page is still in scope: if the site is compromised, an attacker can alter that redirect or form to capture card data, so the site itself must still be secured and validated.
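Control 3 above warns specifically about form cache data, and the paragraph above makes the case for never storing card data at all. The following is an added example (not code from the white paper, from Acquia or from Drupal) that checks whether card numbers have leaked into places a Drupal site persists data anyway: Drupal 7 can cache submitted form state in its cache_form table, and watchdog messages or order notes may echo a card number. The sample rows are constructed for the example; the Luhn check and the first-six/last-four masking are standard.

```python
"""Find card numbers persisted where they should not be (added example; not
code from the white paper or from Drupal).

Looks for Luhn-valid 13-19 digit runs in text that a Drupal commerce site can
end up persisting: serialized form state in Drupal 7's cache_form table,
watchdog log messages, and order notes. Matches are reported masked (first six
and last four digits) so the scanner never writes a full PAN into its own
output.
"""
import re

# 13-19 digits, each optionally followed by a single space or hyphen,
# not adjacent to further digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, the most PCI DSS 3.3 allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked PANs found in text (Luhn-valid 13-19 digit runs)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_rows(rows):
    """rows: iterable of (source, text). Returns [(source, masked_pan), ...]."""
    return [(source, pan) for source, text in rows for pan in find_pans(text)]


# Constructed sample rows standing in for database records and log lines.
SAMPLE_ROWS = [
    # A Drupal 7 cache_form row: cached form state from a checkout form that
    # posted the card number and CVV to the site instead of to the gateway.
    ("cache_form:form_state-abc123",
     'a:1:{s:6:"values";a:2:{s:11:"card_number";s:16:"4111111111111111";'
     's:3:"cvv";s:3:"123";}}'),
    # A watchdog message that copied the PAN, written with spaces.
    ("watchdog:commerce_payment",
     "Payment declined for card 5500 0000 0000 0004 (order 1182)"),
    # A 16-digit tracking number that fails Luhn: must not be flagged.
    ("commerce_order:1182", "Tracking number 1234567890123456"),
    ("watchdog:user", "Session opened for admin from 203.0.113.5"),
]

if __name__ == "__main__":
    for source, pan in scan_rows(SAMPLE_ROWS):
        print(f"{source}: {pan}")
```

Run it over dumps of cache_form, watchdog and any order or note tables, and over database backups. Anything it reports is stored cardholder data (and, in the cache_form case, sensitive authentication data) that pulls the database, its backups and every system that can read them into scope, so it must be purged and the form that captured it must be changed to send card fields only to the gateway. The pattern deliberately accepts spaced and hyphenated forms because that is how operators and log formatters tend to write card numbers.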

Step 1: Determine Your PCI Compliance Level

All merchants fall into one of four merchant levels based on transaction volume over a 12-month period. Transaction volume is the aggregate number of credit card transactions; your acquiring bank confirms the level that applies to you.

Level 1: Any merchant, regardless of acceptance channel, processing over 6 million Visa or MasterCard, 1 million JCB, or 2.5 million American Express transactions per year. (Level 1 merchants require an onsite review; see Step 5.)
Level 2: Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa or MasterCard, or 50,000 to 2.5 million American Express transactions per year.
Level 3: Any merchant processing 20,000 to 1 million Visa or MasterCard, or fewer than 50,000 American Express transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa or MasterCard transactions per year.

Step 2: Determine Your PCI Compliance Type

PCI compliance validation has five self-assessment types: A, B, C, C-VT, and D. Next, determine which type applies to your Acquia Cloud Drupal site.

Type A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced to a PCI compliant service provider. 13 self-assessment questions.
Type B: Imprint-only merchants with no electronic cardholder data storage, or standalone dial-up terminal merchants with no electronic cardholder data storage. 29 self-assessment questions.
Type C: Merchants with payment application systems connected to the Internet and no electronic cardholder data storage. 80 self-assessment questions.
Type C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage. 51 self-assessment questions.
Type D: All other merchants (not included in the descriptions for SAQs A through C above) and all service providers defined by a payment brand as eligible to complete a self-assessment questionnaire. 288 self-assessment questions.

Typically, a website falls into type A, C, or D, depending on how you implement e-commerce on your Drupal site.

Step 3: Implement the Required Controls and Complete the Relevant SAQ and AOC

Complete the relevant Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC), A, C, or D, as determined in Step 2. The SAQ and AOC may be downloaded from the PCI Security Standards Council site at https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs.

Step 4: Conduct Quarterly Vulnerability Scans with a PCI SSC Approved Scanning Vendor

Whether you are PCI compliance type A, C, or D, you must validate adherence to Requirement 11 of the PCI DSS by having a PCI Security Standards Council Approved Scanning Vendor (ASV) perform vulnerability scans of your Internet-facing website on a quarterly basis. The scan must cover every Internet-facing IP address and hostname in scope, and it passes only when no vulnerability rated CVSS 4.0 or higher remains; rescan after remediation until you have a passing report to submit with your SAQ. The list of approved scanning vendors is available on the PCI Security Standards Council site at https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php.

Step 5: Complete Onsite Review by Qualified Security Assessor (Only Required if Merchant Level 1)

If you process over 6 million Visa or MasterCard, 1 million JCB, or 2.5 million American Express credit card transactions per year, then you are a Merchant Level 1, which necessitates hiring a third-party Qualified Security Assessor (QSA) to conduct an assessment of your PCI compliance. During a PCI assessment, the QSA determines whether your organization has met the PCI control requirements, either directly or through compensating controls. The QSA then completes a Report on Compliance (ROC) to verify your organization's compliance. The ROC is sent to your acquiring bank, which forwards it to the appropriate card brand for verification.

The list of QSAs can be found on the PCI Security Standards Council site at https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php.

Acquia Cloud PCI-DSS Control Responsibility Matrix

Acquia Cloud provides a PCI compliant platform on which customers can build PCI compliant Drupal sites. At the platform layer, Acquia is responsible for, and ensures compliance with, many of the controls and control families specified by the PCI DSS. The matrix below lists the PCI DSS v2.0 controls by requirement family. Controls listed as "Shared" are the responsibility of both Acquia and the customer; every other control is the responsibility of a single party, as summarized in the twelve high-level controls above.

Network Security (Requirement 1)
  Acquia: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4

Platform Best Practices (Requirement 2)
  Acquia: 2.1, 2.1.1, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3, 2.4

Protect Cardholder Data (Requirement 3)
  Customer: 3.1.1.a, 3.1.1.b, 3.1.1.c, 3.1.1.d, 3.1.1.e, 3.2.a, 3.2.b, 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4.a, 3.4.b, 3.4.c, 3.4.d, 3.4.1, 3.5, 3.5.1, 3.5.2, 3.6.a, 3.6.b, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8

Encrypt Cardholder Data in Transit (Requirement 4)
  Customer: 4.1, 4.1.a, 4.1.b, 4.1.c, 4.1.d, 4.1.e, 4.1.1, 4.2.a, 4.2.b

Use Antivirus Software (Requirement 5)
  Acquia: 5.1, 5.1.1, 5.2

Secure Development Lifecycle (Requirement 6)
  Shared: 6.1, 6.2, 6.6
  Customer: 6.3, 6.3.1, 6.3.2, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.5

Restrict Access to Cardholder Data by Need to Know (Requirement 7)
  Shared: 7.1, 7.2

Access Control (Requirement 8)
  Shared: 8.1, 8.2, 8.4.a, 8.4.b, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9.a, 8.5.9.b, 8.5.10.a, 8.5.10.b, 8.5.11.a, 8.5.11.b, 8.5.12.a, 8.5.12.b, 8.5.13.a, 8.5.13.b, 8.5.14, 8.5.15, 8.5.16
  Single party: 8.3

Physical Security (Requirement 9)
  Single party: 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2, 9.3.1, 9.3.2, 9.3.3, 9.4, 9.5, 9.6, 9.7, 9.7.1, 9.7.2, 9.8, 9.9, 9.9.1, 9.10, 9.10.1.a, 9.10.1.b, 9.10.2

Testing and Monitoring (Requirement 10)
  Shared: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.4.a, 10.4.1, 10.4.2, 10.4.3
  Single party: 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.6, 10.7

Vulnerability Scans and Processes (Requirement 11)
  Shared: 11.2.3.a, 11.2.3.b, 11.2.3.c, 11.3.1, 11.3.2, 11.4.a, 11.4.b, 11.4.c
  Single party: 11.1.a, 11.1.b, 11.1.c, 11.1.d, 11.1.e, 11.2.1.a, 11.2.1.b, 11.2.1.c, 11.2.2.a, 11.2.2.b, 11.2.2.c, 11.3.a, 11.3.b, 11.3.c, 11.5

Security Policies and Procedures (Requirement 12)
  Shared: 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.3.10, 12.6, 12.7, 12.8, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6
  Single party: 12.4, 12.5, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5

Shared Hosting Provider Addendum (Appendix A)
  Acquia (as the hosting provider): A.1.1, A.1.2.a, A.1.2.b, A.1.2.c, A.1.2.d, A.1.2.e, A.1.3, A.1.4

About Acquia

Acquia empowers enterprises with the open-source social publishing system Drupal. Co-founded by Drupal's creator in 2007, Acquia helps customers manage their growth and scale their online properties with confidence. Acquia's products, cloud infrastructure, and support enable companies to realize the full power of Drupal while minimizing risk, as it has done for nearly 2,000 enterprise customers including Twitter, Al Jazeera, Turner, World Economic Forum, Stanford University, New York Senate, and NPR. See who's using Drupal at http://drupalshowcase.com, and for more information please visit www.acquia.com or call 888-9-ACQUIA.

Copyright 2013, Acquia, Inc. Acquia, Inc., 25 Corporate Drive, 4th Floor, Burlington, MA 01803 USA. www.acquia.com sales@acquia.com +1.781.238.8600