For a while now, my responsibilities at work have revolved around the Payment Card Industry Data Security Standard (PCI DSS). As of publishing this article, PCCL is validated as a Level 1 Service Provider, the level with the most stringent validation requirements (an annual on-site assessment by a QSA rather than a self-assessment questionnaire).
Ruby played an important part in our overall compliance, and in a later post I'll describe how Rack and Sinatra fit into it. For now I'll explain a bit about PCI DSS itself and give some general advice for anyone working towards compliance.
First, I need to give a semi-obligatory disclaimer. I am not a PCI DSS QSA (Qualified Security Assessor); all of what you'll find here is based on my own experience as one of the two-man team at PCCL responsible for designing and building our compliant infrastructure. From this I've gained a good understanding of the standard, but you will need to speak to a QSA if you want advice on which you can base business decisions.
What follows is drawn from that experience at PCCL and the work we undertook to become compliant at this level against the PCI DSS.
In short, it's a complicated and very generic set of security requirements which you must follow if your organisation, company, product or service has anything at all to do with storing, processing or transmitting cardholder data. This means the obvious stuff like credit (and debit) card numbers (the PAN), expiry dates, cardholder names (when stored together with the PAN) and the card verification code (CVV/CVC, the three or four digit code printed on the card), plus some other items. Note that the standard treats the verification code, full magnetic stripe or chip data and PINs as sensitive authentication data, which must never be stored after authorisation, even in encrypted form.
An important thing to bear in mind is that while this post is fairly tech heavy, PCI Compliance isn’t just an IT issue; it affects an entire organisation in every way and in some cases will require changes to business practices. The technology aspects of PCI make up less than half of the 12 PCI DSS requirements.
The definitive source for anything to do with PCI is the PCI Security Standards Council's website, which is where you'll find the latest version of the specifications and be able to search the lists of approved QSAs and ASVs (Approved Scanning Vendors, who perform the required quarterly external vulnerability scans).
Yes, you can. We did. I’ll post more on this subject later; for now, check out:
The following list details some instant-gratification things you can do to help your compliance and some tips I have based on my experience at PCCL: