PCI Compliance with Drupal

I am here in beautiful Denver, Colorado manning our gold sponsor Promet booth at Drupal Camp Denver 2011. I had an opportunity to jump into some good sessions. Below are some notes I took at the Drupal PCI Compliance session.

PCI Security standards

PCI-DSS

Notes from the Drupal Camp: 

  • More than 80% of the instances of unauthorized access to card data have involved small merchants

  • These businesses account for 85% of the merchant

  • http://online.wsj.com/article/SB119042666704635941.html

  • PCI applies to anyone who stores, transmits or transacts a Primary Account Number (PAN)

  • You can self certify if you have a standard 'low' volume E-Commerce setup

  • Annual SAQ A (13 Questions) or SAQ C (40 Questions) and the associated Attestation of Compliance

  • Quarterly network scans

12 key requirements for PCI: 

  1. Install and maintain a firewall configuration to protect cardholder data (establish and document firewall and router configuration standards)

  2. Don't use vendor supplied defaults for system passwords and other security parameters

  3. Protect stored cardholder data - do not store sensitive authentication data after authorization (including form cache data); there is a right way to store the full card number, but it's hard and not recommended

  4. Encrypt transmission of cardholder data across open, public networks

  5. Use and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications (separation of duties between development and production environments)

  7. Restrict access to cardholder data by business need to know

  8. Assign a unique ID to each person with computer access

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data (log everything, keep clocks synchronized so you know what time it is, retain audit trail history for at least three months)

  11. Regularly test security systems and processes (scans by an Approved Scanning Vendor)

  12. Maintain a policy that addresses information security for all personnel
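As an added example for requirement 3 above (not code from the session or from Promet), here is a Drupal 7 submit handler that removes the card number and security code from `$form_state` once the gateway has answered, so that neither `$form_state['cache']` nor an `#ajax` element can write them into the cache_form table. The module name, field names and the gateway helper are assumed.

```php
<?php
// Added example for a Drupal 7 payment form. Module name "mymodule",
// the field names and mymodule_gateway_authorize() are assumptions.

/**
 * Form keys holding data that must not survive authorization.
 * The CVV is sensitive authentication data and may never be stored;
 * the full PAN is cardholder data the session notes say not to keep.
 */
function mymodule_sensitive_keys() {
  return array('card_number', 'card_cvv');
}

/**
 * Remove sensitive values from every copy the Form API keeps.
 *
 * Drupal writes $form_state (and the processed form) to cache_form when
 * $form_state['cache'] is TRUE or the form uses #ajax, and again on every
 * rebuild after a validation error, so clearing ['values'] alone is not
 * enough: the raw POST copy in ['input'] and the element's #value go too.
 */
function mymodule_scrub_form_state(array &$form_state) {
  foreach (mymodule_sensitive_keys() as $key) {
    unset($form_state['values'][$key], $form_state['input'][$key]);
    if (isset($form_state['complete form'][$key])) {
      unset($form_state['complete form'][$key]['#value']);
    }
  }
}

/**
 * Placeholder for the real gateway client (constructed result).
 */
function mymodule_gateway_authorize(array $values) {
  return array('approved' => TRUE, 'transaction_id' => 'TXN-PLACEHOLDER');
}

/**
 * Submit handler for the (assumed) payment form.
 */
function mymodule_payment_form_submit($form, &$form_state) {
  $values = $form_state['values'];
  $result = mymodule_gateway_authorize($values);

  // Keep only what a receipt needs: last four digits and the gateway's
  // transaction reference. The PAN and CVV are never written anywhere.
  $form_state['storage']['receipt'] = array(
    'last4' => substr($values['card_number'], -4),
    'transaction_id' => $result['transaction_id'],
  );

  // Scrub before the Form API gets a chance to cache $form_state.
  mymodule_scrub_form_state($form_state);
}
```

Call the same scrub function from the validate handler when validation fails, because a rebuilt form is cached with the submitted input intact.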

Basic Principles:

  • Document everything 

  • Don't be dumb

Bedtime reading:

Promet Source is a Chicago-based full-service Drupal web development company focusing on open source technologies to build complex websites and web applications. Promet uses Drupal to build a broad variety of websites, web applications and mobile applications. Along with its Drupal expertise, Promet Source differentiates itself by providing a superior customer experience throughout all facets of the development process, including design, software engineering, project management and quality assurance, as well as hosting and online marketing services.