If your website processes card payments, you are required to protect cardholder data (CHD) from cybersecurity threats. Compliance with various Payment Card Industry (PCI) regulatory frameworks—most commonly the Data Security Standards (DSS)—helps secure card payment transactions. Read on to learn how to make websites PCI compliant.
How to Make Websites PCI-Compliant Using the DSS Requirements
The PCI DSS Requirements provide guidelines to help secure card payment transactions. Here’s how to make websites PCI compliant using a four-step approach:
- First, safeguard all cardholder data comprehensively
- Next, secure access controls to CHD environments
- Then, manage vulnerabilities to CHD-related websites
- Finally, test and monitor networks used to host websites
These steps will help secure any website in the CHD environment, especially with the guidance of a PCI compliance partner. But first, you’ll need to understand the PCI DSS Requirements.
Context: What are the PCI DSS Requirements?
- Requirement 1 – Secure cardholder data using firewalls
- Requirement 2 – Avoid using default security parameters supplied by vendors
- Requirement 3 – Safeguard stored cardholder data
- Requirement 4 – Encrypt cardholder data during transit across networks
- Requirement 5 – Implement malware protections and update antivirus software
- Requirement 6 – Establish secure systems and applications
- Requirement 7 – Create strict access controls for cardholder data
- Requirement 8 – Establish identity and access management for system components
- Requirement 9 – Secure physical access to cardholder data
- Requirement 10 – Implement tracking and monitoring of networks and cardholder data
- Requirement 11 – Routinely test security processes
- Requirement 12 – Maintain an organization-wide information security policy
The recommendations and controls listed across all 12 PCI DSS Requirements specify how to make websites PCI compliant. This guide will focus on seven of them: 3, 4, 6, 7, 8, 10, and 11.
Step #1 Safeguard Cardholder Data at All Times
The first step in determining how to make websites PCI compliant is to ensure that CHD is secured at all times—whether at rest or in transit. CHD is considered highly sensitive and must not be stored anywhere in your website’s infrastructure unless there is a specific business need.
PCI DSS Requirements 3 and 4 provide recommended best practices to secure CHD.
Secure CHD Storage
Here’s how to make your website PCI DSS compliant, per PCI DSS Requirement 3:
- Minimize CHD storage – Any storage of CHD on your website infrastructure (e.g., the back end) must be governed by data retention and disposal policies that address:
- Strict minimization of CHD storage, except for legal, regulatory, or business reasons
- Retention of CHD for specified durations
- Secure disposal of CHD when it is no longer needed
- Processes to identify data that has surpassed defined retention periods
- Avoid sensitive authentication data (SAD) storage – SAD should not be stored following payment authorization—regardless of encryption—and should be securely deleted beyond recovery once payments are authorized. SAD includes:
- Magnetic stripe data (e.g., cardholder name, primary account number (PAN), service code), which must only be stored when necessary
- Card verification code (i.e., CVC, CVV)
- Personal identification number (PIN)
- Prevent PAN display – Full PANs should not be displayed throughout your website, especially during card payment processing. PCI compliance PAN display involves:
- Limiting PAN display to only the first six and last four digits
- Restricting access to full PANs to only personnel with business need authorization
- Encrypt PAN – Likewise, PAN should not be legible anywhere it is stored within your website infrastructure (e.g., databases) and must be secured using:
- One-way hashing protocols that hash the entire PAN
- Truncation of PAN segments to desensitize the full PAN
- Tokenization via indexes and use of pads
- Cryptographic keys to provide high-level encryption
- Cryptographic key storage – All cryptographic keys must be securely stored, restricting access to only a few custodians and ensuring:
- Encryption of stored keys with similar standards as the CHD encryption
- Separated storage of keys, minimizing compromise of multiple keys
- Key storage in only a few locations to prevent any unauthorized access
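As an added illustration (not code from the original article), the Requirement 3 handling described above in Python: masking a PAN for display to the first six and last four digits, truncating it for storage, hashing the entire PAN with a keyed one-way hash, index-token tokenization into a separate vault, and a check that a value about to be rendered or logged contains no unmasked PAN. The 16-digit PAN in the comments is a constructed test value; the HMAC key, the in-memory vault and the 13-digit detection threshold are assumptions.

```python
import hashlib
import hmac
import secrets


def _digits(pan: str) -> str:
    """Strip spaces/dashes; PANs are 13-19 digits (test value: 4111 1111 1111 1111)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything between replaced."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return _digits(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the ENTIRE PAN. The key is an assumed
    secret held under Requirement 3 key custody, never stored beside the hashes."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def tokenize_pan(pan: str, vault: dict) -> str:
    """Index-token scheme: a random token maps to the PAN in a separate vault.
    The dict stands in for a segregated, access-controlled token vault."""
    token = "tok_" + secrets.token_hex(12)
    vault[token] = _digits(pan)
    return token


def is_display_safe(text: str) -> bool:
    """Reject any value containing 13+ consecutive digits (an unmasked PAN candidate).
    Masked PANs pass; raw PANs in page output or log lines do not."""
    run = 0
    for ch in text:
        run = run + 1 if ch.isdigit() else 0
        if run >= 13:
            return False
    return True
```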
Securing the storage of CHD will help make your website PCI compliant and mitigate threats to sensitive data, including CHD and SAD.
Sometimes, your website may transmit CHD across open, public networks. Here’s how to make your website PCI compliant in such instances. PCI DSS Requirement 4 recommends establishing cryptographic protocols to secure all network transmissions of CHD.
Robust encryption protocols include those with:
- Trusted keys and certificates
- Secure configurations or versions of protocols
- Robust, industry-standard encryption
NOTE: Although some websites still use encryption protocols such as Secure Sockets Layer (SSL) or early Transport Layer Security (TLS), the PCI DSS guidelines recommend using a more secure encryption protocol to secure CHD transmission.
For updated guidance on the most secure PCI website encryption, you can consult a PCI compliance advisor, who can recommend and help optimize website security protocols.
Step #2 Establish Secure Access Controls
After safeguarding CHD, the next step is to secure access controls to the cardholder data environment (CDE). Requirements 7, 8, and 10 of the PCI DSS specifically address how to make websites PCI compliant by implementing rigorous access, identity, and monitoring controls in the CDE.
Access to CHD by Business Need to Know
PCI DSS Requirement 7 requires organizations to limit access to the CDE to only personnel who need CHD access to perform their jobs. Any back- or front-end work on your website infrastructure should align with PCI DSS compliance solutions for access control.
Best practices to establish robust access controls include:
- Define access controls – Any access to CDE should be delegated by role-based needs such as:
- Jobs requiring access to system components and CHD resources
- Privilege required to access CHD (e.g., administrator, user)
- Limit access specifications – Access controls should also account for:
- Least privilege limitations to only necessary job responsibilities
- Alignment between job responsibilities and access level
- Requirement of documented approval for all authorized privileges
Securing CHD and SAD depends on restricting access to only those users requiring access to do their jobs.
Unique IDs for Access to CDE
PCI DSS Requirement 8 provides guidelines for implementing access controls for all website administrators and users. Here’s how to make websites PCI compliant per Requirement 8:
- All users (administrators and non-consumers) should have unique IDs to access critical website components and CDE.
- Any modifications to user IDs or credentials should be monitored and managed.
- Terminated users (e.g., former employees, temporary users) should have all access privileges removed.
- User IDs used by third-party vendors to access CDE should also be monitored and managed.
User authentication procedures for all website access to CDE should also extend to:
- Use of cryptographic tools that are not easily decipherable when stored or transmitted
- Verification of any attempts to change user credentials (e.g., password resets, new key generation)
- Password policies that require:
- Use of strong, complex passwords
- Password changes at least once every 90 days
- Different passwords from those previously used
- Multifactor authentication (MFA) to secure any remote access to CDE
- Avoiding the use of shared, generic passwords for multiple users accessing the website’s back end containing CDE
- Restricted access to databases containing CDE, such that:
- Programmatic methods are used to access databases
- Direct database queries can only be performed by administrators
- Database applications are only accessible via application IDs, preventing access by individual users or non-application processes
- Establishment of security policies to manage the identification and authentication of all access to CDE throughout the website architecture
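The Requirement 8 authentication rules above, turned into checks a website's back end could run, as an added example that is not from the original article: stored credentials are salted PBKDF2 hashes, a proposed password is rejected if it is weak or matches any previous hash, and access is denied when the password is older than 90 days, when remote access lacks MFA, or when the account is a shared one. The 12-character minimum, the four-class complexity rule and the account record format are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # rotate at least once every 90 days
MIN_LENGTH = 12                        # assumed complexity baseline


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are not easily decipherable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def is_complex(password: str) -> bool:
    """Strong, complex password: minimum length plus lower, upper, digit, symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)


def check_new_password(new_pw: str, history: list) -> list:
    """Policy violations for a proposed password; history is a list of
    (salt, hash) pairs for previously used passwords."""
    problems = []
    if not is_complex(new_pw):
        problems.append("complexity")
    for salt, old_hash in history:
        if hmac.compare_digest(hash_password(new_pw, salt), old_hash):
            problems.append("reused")
            break
    return problems


def check_access(account: dict, today: str, remote: bool, mfa_ok: bool) -> list:
    """Reasons to deny access for an account record such as
    {"user_id": "alice", "password_set": "2024-01-01", "shared": False}."""
    reasons = []
    age = date.fromisoformat(today) - date.fromisoformat(account["password_set"])
    if age > MAX_PASSWORD_AGE:
        reasons.append("password_expired")
    if remote and not mfa_ok:
        reasons.append("mfa_required")  # MFA for any remote access to the CDE
    if account.get("shared"):
        reasons.append("shared_account")  # no shared, generic credentials
    return reasons
```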
The access control guidelines in Requirement 8 of the PCI DSS will help implement best practices on how to make websites PCI compliant and secure.
Track Access to CHD Environments
The last set of access control PCI DSS compliance solutions is covered under Requirement 10, which mandates tracking and monitoring access to networks and CHD. Specifically, it entails:
- Tracing all individual user access events via audit trails
- Automating audit trails to include:
- Individual access to CHD
- Actions based on administrative user privileges
- Failed logical access attempts
- Accessibility of all audit trails
- Changes to and uses of identification and authentication processes (e.g., new account creation, elevation of privileges)
- Modification of system components (i.e., via creation or deletion)
- Logging of user events to include:
- Type of event
- Date and time of the event
- Origin of the event
- User ID involved in the event
- Identity of affected system or data
- Securing of audit trails to prevent any unauthorized modification
- Reviewing audit logs to identify any unusual activity
- Retaining audit log history for at least one year, with a minimum of three months immediately available for analysis
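As an added example (not code from the original article) of the Requirement 10 items above: an audit trail whose every entry carries the event type, date and time, origin, user ID and affected system, chained with an HMAC so that modification or deletion of an earlier record is detectable on review, plus a review pass that flags repeated failed logical access attempts and privilege changes. The field names, the HMAC key and the failure threshold are assumptions.

```python
import hashlib
import hmac
import json

# Fields every entry must carry (Requirement 10 logging items).
REQUIRED_FIELDS = ("event_type", "timestamp", "origin", "user_id", "target", "outcome")


class AuditTrail:
    """Append-only log; each record's MAC covers the previous MAC plus its own
    body, so editing or dropping any earlier record breaks verify()."""
    def __init__(self, key: bytes):
        self._key = key                # assumed log-integrity key, held apart from the log
        self.entries = []
        self._prev = b"\x00" * 32      # chain anchor for the first record

    def record(self, **fields) -> dict:
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit entry missing {missing}")
        body = json.dumps(fields, sort_keys=True).encode()
        mac = hmac.new(self._key, self._prev + body, hashlib.sha256).digest()
        entry = {**fields, "mac": mac.hex()}
        self._prev = mac
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "mac"}, sort_keys=True).encode()
            mac = hmac.new(self._key, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(mac.hex(), e["mac"]):
                return False
            prev = mac
        return True


def review(entries, failed_threshold=3):
    """Log review: flag a user ID once its failed access attempts reach the
    threshold, and flag every privilege change for follow-up."""
    failures, flags = {}, []
    for e in entries:
        if e["event_type"] == "login" and e["outcome"] == "failure":
            failures[e["user_id"]] = failures.get(e["user_id"], 0) + 1
            if failures[e["user_id"]] == failed_threshold:
                flags.append(("repeated_failures", e["user_id"]))
        if e["event_type"] == "privilege_change":
            flags.append(("privilege_change", e["user_id"]))
    return flags
```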
By securing access controls to the CDE on your website, you can safeguard the sensitivity of CHD and minimize the risks of data breaches. An experienced PCI compliance advisor can help guide access control optimization and determine how to make websites PCI compliant.
Step #3 Manage Website Vulnerabilities
With CHD secured and access controls in place, the next step in how to make websites PCI compliant is to assess vulnerabilities to your website and address any security gaps.
PCI DSS Requirement 6 contains several guidelines for managing vulnerabilities to CDE.
Vulnerability Management Methodology
PCI DSS compliance solutions for managing vulnerabilities to your website architecture include:
- Risk rankings – When ranking risks to your website CDE, it is best to:
- Base rankings on industry best practices (e.g., severity scores from the Common Vulnerability Scoring System (CVSS))
- Assess potential risk impact on your website and related infrastructure
- Tailor risk rankings to your organization-specific CDE
- Identify all possible risks to your CDE
- Rank risks to all critical systems (e.g., CDE databases, public-facing website components, security systems)
- Patch management – Prompt installation of security patches to address vulnerabilities is essential to mitigating threats to CHD. All critical patches should be installed within one month of release for optimal website security.
- Secure coding – Development of internal or external software applications to support your website must be secured, ensuring:
- Use of industry-standard coding workflows and best practices
- Integration of security processes throughout development
- Addition of PCI-compliant tools and processes (e.g., user authentication, logging)
- Custom code should be reviewed before release to identify and remediate any vulnerabilities
- Address coding vulnerabilities – Application development should also be secured by adhering to industry-standard coding guidelines and avoiding web application vulnerabilities, including:
- SQL injection flaws that compromise website backends and CDE
- Buffer overflows that modify or expose CHD
- Gaps in cryptographic storage of CHD
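An added example, not from the original article, of the risk-ranking and patch-management items above: findings are ranked by CVSS base score weighted for where the asset sits (CDE components above public-facing and internal systems), and unpatched critical findings whose patch has been available for more than one month are reported as overdue. The asset weights, the use of the CVSS qualitative rating to decide which patches count as critical, and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CRITICAL_PATCH_SLA = timedelta(days=30)   # critical patches within one month of release

# Assumed weighting: the same CVSS score ranks higher on CDE assets.
ASSET_WEIGHT = {"cde": 1.5, "public_web": 1.2, "internal": 1.0}


@dataclass
class Finding:
    asset: str
    zone: str             # "cde", "public_web" or "internal"
    cvss: float           # CVSS base score, 0.0-10.0
    patch_released: str   # ISO date the vendor patch became available
    patched: bool = False


def severity(f: Finding) -> str:
    """CVSS v3 qualitative rating bands."""
    if f.cvss >= 9.0:
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low" if f.cvss > 0 else "none"


def risk_rank(findings):
    """Order findings by CVSS weighted for the organization-specific environment."""
    return sorted(findings, key=lambda f: f.cvss * ASSET_WEIGHT.get(f.zone, 1.0), reverse=True)


def overdue_critical(findings, today: str):
    """Unpatched critical findings whose patch has been out longer than the SLA."""
    now = date.fromisoformat(today)
    return [f for f in findings
            if not f.patched and severity(f) == "critical"
            and now - date.fromisoformat(f.patch_released) > CRITICAL_PATCH_SLA]


def sample_findings():
    """Constructed findings for illustration only."""
    return [
        Finding("pay-db", "cde", 7.5, "2024-01-01"),
        Finding("blog", "internal", 9.8, "2024-01-01"),
        Finding("checkout", "public_web", 9.1, "2024-03-01", patched=True),
    ]
```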
Effective management of vulnerabilities to PCI websites or the software applications that support them will help safeguard the sensitivity of CHD.
Step #4 Test and Monitor Systems and Networks
The final step in how to make websites PCI compliant requires testing and monitoring systems and networks in CDE to identify and address cybersecurity threats—per DSS Requirement 11.
PCI DSS Requirement 11 recommends best practices for securing systems and networks:
- Access point tests – Testing for the presence of unauthorized wireless access points within CDE will help identify vulnerabilities to:
- Networks used to host CDE
- Systems that support websites
- Physical infrastructure (e.g., physical servers, routers)
- Vulnerability scans – Internal and external vulnerability scans of your website infrastructure should be conducted:
- At least quarterly, ensuring documentation of all scans
- After significant changes to networks or firewalls
- With the help of an Approved Scanning Vendor (for external scans)
- Penetration testing – To identify vulnerabilities and increase confidence in your website security, a penetration test can help. Considerations for pen testing include:
- Testing coverage for all CDE and critical website systems
- Internal and external testing
- Tests for validating the segmentation and scope-reduction of CHD
- Guidance from a penetration testing specialist
- Intrusion detection and prevention – All traffic to your website should be monitored to:
- Detect potentially malicious intrusions to CDE networks
- Identify threats to critical points of CDE
- Notify IT security if a threat intrusion is detected
As your website grows, it is helpful to outsource aspects of vulnerability management to a threat and vulnerability management specialist, allowing you to focus on developing a high-quality, PCI-compliant website to serve your customers.
Develop a High-Quality, PCI-Compliant Website
Establishing or optimizing controls to make your website PCI-compliant is critical to securing CHD. When determining how to make websites PCI compliant, implementing security measures tailored to your organization’s needs and IT infrastructure will help streamline compliance.
Contact RSI Security today to learn more about optimizing your PCI compliance and strengthening your security posture.