PCI Compliance with Drupal

I am here in beautiful Denver, Colorado, manning our gold sponsor Promet booth at Drupal Camp Denver 2011. I had an opportunity to jump into some good sessions. Below are some notes I took at the Drupal PCI Compliance session.


PCI Security Standards

Here are my notes on PCI-DSS.


PCI-DSS

  • More than 80% of the instances of unauthorized access to card data have involved small merchants.

  • These small businesses account for 85% of merchants.

  • WSJ article: In Data Leaks, Culprits Often Are Mom, Pop

  • PCI applies to anyone who stores, processes, or transmits a Primary Account Number (PAN).

  • You can self-assess (no on-site QSA audit) if you have a standard 'low' volume e-commerce setup.

  • Annual SAQ A (13 questions) or SAQ C (40 questions), plus the associated Attestation of Compliance. Which SAQ applies depends on how much of the card handling is outsourced to the payment processor.

  • Quarterly external network vulnerability scans are required.


The 12 key requirements of PCI-DSS:

  1. Install and maintain a firewall configuration to protect cardholder data (establish firewall and router configuration standards, and document them).

  2. Don't use vendor-supplied defaults for system passwords and other security parameters.

  3. Protect stored cardholder data: do not store sensitive authentication data (CVV, full track data, PINs) after authorization. In Drupal, watch for card details landing in form cache data. There is a right way to store the full card number (encrypted, with strict key management), but it is hard and not recommended.

  4. Encrypt transmission of cardholder data across open, public networks.

  5. Use and regularly update anti-virus software or programs.

  6. Develop and maintain secure systems and applications (separation of duties between development and production environments).

  7. Restrict access to cardholder data by business need to know.

  8. Assign a unique ID to each person with computer access.

  9. Restrict physical access to cardholder data.

  10. Track and monitor all access to network resources and cardholder data (log access, keep system clocks synchronized so timestamps are reliable, and retain audit trail history for at least one year, with at least three months immediately available).

  11. Regularly test security systems and processes (quarterly external scans by an Approved Scanning Vendor).

  12. Maintain a policy that addresses information security for all personnel.
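Requirement 3 is the one a Drupal developer actually trips over: a checkout form that gets cached (for example by an AJAX step) can leave the PAN and CVV sitting in the cache_form table long after authorization. The check below is an added example written for this post; it is not code from the session, from Drupal, or from the PCI SSC. It scans a stored blob for PAN-like digit runs, keeps only those that pass the Luhn check (a heuristic filter I chose to cut down on false positives such as order numbers), flags field names that indicate sensitive authentication data, and shows how to mask a PAN to the first six and last four digits. The serialized sample blob is constructed test data (the 4111... and 4242... numbers are well-known test card numbers, not real accounts); it is written in Python rather than PHP so it can be run against any database dump or log file, not only Drupal's.

```python
"""Scan a stored blob (e.g. a serialized form-cache row) for cardholder data.

Added example, not part of the original post. The PAN regex, Luhn filter,
masking rule and field-name list are this example's own assumptions about
what a reviewer would look for.
"""
import re

# Constructed sample resembling a PHP-serialized Drupal form-cache row.
# The card numbers are standard test numbers, not real accounts.
SAMPLE_FORM_CACHE = (
    'a:4:{s:8:"order_id";s:13:"1234567890123";'
    's:11:"card_number";s:16:"4111111111111111";'
    's:3:"cvv";s:3:"123";'
    's:8:"alt_card";s:19:"4242 4242 4242 4242";}'
)

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that indicate sensitive authentication data, which must
# never be stored after authorization regardless of value.
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc|cid|track[12]?|pin)\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four, the most PCI-DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Return (offset, digits) for each Luhn-valid PAN candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip(m.group())
        if luhn_ok(digits):
            found.append((m.start(), digits))
    return found


def find_sad_fields(text: str):
    """Return the distinct sensitive-authentication-data field names present."""
    return sorted({m.group().lower() for m in SAD_FIELD.finditer(text)})


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; leave other digits alone."""
    def repl(m):
        digits = _strip(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan(text: str) -> dict:
    """Summarize findings without echoing the full PANs back out."""
    return {
        "pans": [mask_pan(d) for _, d in find_pans(text)],
        "sad_fields": find_sad_fields(text),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_FORM_CACHE))
    print(redact(SAMPLE_FORM_CACHE))
```

Run it over a dump of cache_form, watchdog, or web server logs; any hit means requirement 3 is already being violated and the real fix is to stop the data from being written, not to scrub it afterwards. The Luhn filter is only a heuristic: roughly one in ten random 13 to 19 digit numbers passes it, so treat hits as leads to verify, and treat any stored CVV or track field as a finding even when no PAN is found beside it.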


Basic Principles:

  • Document everything.

  • Don't be dumb.


Additional Resources:

Want to understand if open source is secure for government sites?

Open Source vs Proprietary for Government Websites