PCI DSS and some advice from the trenches

For a while now, my responsibilities at my work have revolved around the Payment Card Industry’s Data Security Standards (PCI DSS). As of publishing this article, PCCL are compliant as a Level 1 Service Provider, the highest possible level of compliance.

Ruby played an important part in our overall compliance, and in a later post I’ll talk about how Rack and Sinatra fit into it. For now I’ll explain a bit about PCI DSS itself and give some general advice for anyone working towards compliance.

First, I need to give a semi-obligatory disclaimer. I am not a PCI DSS QSA (Qualified Security Assessor); all of what you’ll find here is based on my own experience as part of the two-man team in PCCL who were responsible for designing and building our compliant infrastructure. From this, I’ve gained a good understanding of the specification, but you will need to speak to a QSA if you want advice on which you can make business decisions.

What follows is from my own experience at PCCL and the work undertaken for us to be compliant at this level to the PCI DSS Standard.

What is PCI DSS?

In short, it’s a complicated and very generic set of security standards which you must follow if your organisation, company, product or service has anything at all to do with the storing, processing or transmission of Cardholder Data. This means the obvious stuff like credit (and debit) card numbers (the PAN), expiry dates, the card security code (CVV/CVC, printed on the card), cardholder names (if stored with the card data) and some other items. Note that the security code is classed as sensitive authentication data and must never be stored after authorisation, even encrypted.

An important thing to bear in mind is that while this post is fairly tech heavy, PCI compliance isn’t just an IT issue; it affects an entire organisation in every way and in some cases will require changes to business practices. Several of the 12 PCI DSS requirements are about physical security, policy, training and process rather than technology.

The definitive source for anything to do with PCI is the PCI Security Standards Council’s website, which is where you’ll find the latest version of the specifications and be able to search through the lists of approved QSAs and ASV (Approved Scanning Vendor) scan vendors.

Can you really become compliant using just FOSS software?

Yes, you can. We did. I’ll post more on this subject later; for now, check out:

  • OSSEC, a host-based intrusion detection (HIDS) and file integrity monitoring (FIM) tool
  • Logwatch, a log monitoring and notification tool
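To make concrete what the FIM side of OSSEC actually does for you (PCI DSS requires file integrity monitoring on critical system and application files, and an alert when they change), here is a small added illustration in Ruby. It is not OSSEC’s code and not part of the original post; it builds a SHA-256 baseline of a directory, re-scans it after some constructed tampering, and reports what was modified, added and removed. The directory, file names and contents are all made up for the demonstration.

```ruby
require 'digest'
require 'find'
require 'json'
require 'tmpdir'

# Walk a directory tree and record the SHA-256 digest of every regular file.
# This is the "baseline": the known-good state you will compare against later.
def build_baseline(root)
  baseline = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    baseline[path] = Digest::SHA256.file(path).hexdigest
  end
  baseline
end

# Compare a fresh scan against the stored baseline. Anything in one of the
# three lists is exactly what a FIM tool would raise an alert on.
def compare(baseline, current)
  {
    modified: baseline.keys.select { |p| current.key?(p) && current[p] != baseline[p] },
    added:    current.keys - baseline.keys,
    removed:  baseline.keys - current.keys
  }
end

# Demonstration on a constructed directory (hypothetical files, not a real
# deployment). Returns a hash of basenames so the result is path-independent.
def demo
  Dir.mktmpdir('fim-demo') do |dir|
    File.write(File.join(dir, 'config.rb'), "DB_PASSWORD = 'changeme'\n")
    File.write(File.join(dir, 'app.rb'), "puts 'hello'\n")

    # Take the baseline and persist it. A real agent ships this off-host so an
    # attacker who owns the box cannot simply rewrite it; here it is a string.
    stored = JSON.generate(build_baseline(dir))

    # Simulate what an intrusion leaves behind: an edited application file,
    # a dropped web shell, and a deleted config.
    File.write(File.join(dir, 'app.rb'), "puts 'hello'; system('id')\n")
    File.write(File.join(dir, 'shell.php'), "<?php system($_GET['c']); ?>\n")
    File.delete(File.join(dir, 'config.rb'))

    report = compare(JSON.parse(stored), build_baseline(dir))
    report.transform_values { |paths| paths.map { |p| File.basename(p) }.sort }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In production you would use OSSEC’s syscheck rather than anything home-grown: it also tracks ownership, permissions and inode changes, runs on a schedule or in real time, and sends the alerts to a central server so that the evidence survives the compromised host, which is the part an assessor will ask you to demonstrate.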

Quick Compliance Wins / Tips

The following list details some instant-gratification things you can do to help your compliance and some tips I have based on my experience at PCCL:

  1. Don’t use WiFi in your office at all. Period. Ever. If you do have it, you’re going to need to secure it properly; and by that I mean WPA2-Enterprise with 802.1X authentication against a RADIUS server, segmentation from the cardholder data environment, quarterly scans for rogue access points and all manner of other horrors. It really is more trouble than it’s worth.
  2. Have separate production and staging environments for your application, with separate credentials for each. If you don’t already have these then you’re going to need to implement them.
  3. Virtual Servers count as ‘servers’ for the purposes of PCI DSS, which means a potentially big saving in additional hardware costs.
  4. You’re going to need sign-offs and code reviews to be in place for any application deploy that has to do with your compliance, as well as generally having organisation-wide change management procedures. Implement them beforehand and get used to them first; they’re good practice and make good sense.
  5. If you can manage it, don’t have anything to do with card data in any way shape or form. If you’re not processing payments, you don’t need a card number. If you want to take payments, outsource the processing (and the worry) to a PCI Compliant provider (like SagePay).
  6. If you are outsourcing the payment processing part, you do still need to comply with the rest of the applicable parts of PCI DSS, especially the parts about building secure web applications, so don’t think that you’re off the hook!
  7. The penalties that can come from a data security breach in cases where you must be PCI DSS compliant are huge. If you are in any doubt about whether you need to be PCI compliant, seek out a QSA near you at the earliest possible opportunity; they will be able to give you advice.