PCI Compliance Issues and Solutions
I can’t even begin to tell you how many hours I have spent in the last 2 months on PCI Compliance issues. From server settings to SSL certificate formats, there is a lot to keep up with. If you are having trouble passing your quarterly PCI compliance scans or don’t have a clue what to do, perhaps this will help.
How to be Compliant
First, let me explain a bit about PCI compliance, as I have found that many people simply don’t have a clue about it. If you accept credit cards on your site (i.e. don’t send the customer off-site to pay), you are required to be PCI-DSS compliant. In a nutshell, this requires having your site/server scanned quarterly by an approved scanning company (complete list here) and filling out a yearly Self-Assessment Questionnaire (SAQ) (full documentation here). These SAQs can get extremely complex, but most of you will be able to file the ‘A’ form, which is the least complex. However, if you have a brick and mortar store along with your e-commerce store, life will get more difficult as you’ll most likely fall into the ‘D’ category. There are a lot of very technical questions on the SAQ, so you will probably need the help of your developer/cart provider.
Let me caution you that simply checking ‘yes’ to the questions without understanding them is not a good idea, as you could be subject to fines and/or loss of your merchant account all together. For example, if you are using a cart like Magento and you answer ‘Yes’ to the PA-DSS question, you will be wrong and will likely be dropped by your merchant bank. The odd thing is that some merchant banks don’t seem to care, while others take this to an extreme. I’m betting that as the security measures are enforced more, there will be fewer and fewer free passes.
The quarterly PCI scans will typically cause the biggest headache, particularly if your hosting company isn’t top notch. Below are some of the issues we’ve run into over the last few months, along with some solutions.
The biggest issue right now is that PHP 5.4 reached ‘end of life’ about 2 weeks ago. What that means is PHP is no longer supporting version 5.4 or releasing updates for it, so if there is a security vulnerability that is uncovered there will be no way to fix it. So if you are running PHP 5.4 or below in your server, this will automatically fail your PCI compliance scan. Unfortunately upgrading to PHP 5.5 isn’t as easy as it seems, as many older shopping cart platforms and plugins won’t work on PHP 5.5. If you are running Pinnacle Cart 3.8.x, you are good to go, but if you are on 3.7.15 or below, please contact us and we’ll evaluate your specific site and see what the options for upgrading PHP are. This is a critical issue that needs to be solved sooner rather than later, as if you fail your PCI compliance scan, your merchant bank will drop you.
For those of you who aren’t server experts, TLS is an encryption protocol used to secure data being transferred over the network. Recently, TLS V1 was deemed a security risk and if it is enabled on your server, it will fail a PCI scan. Here’s the problem – if you disable it, Microsoft Outlook will no longer be able to communicate with the server. For this reason, it is impossible to disable for most hosting companies as Outlook is a very popular email client. We were able to obtain a waiver form that can be presented to your scanning company informing them that TLS V1 needs to be present for Outlook to function, and that it is not used for any other reason. So if you are in this predicament, feel free to contact me and I’ll give you a copy of the form.
Related to the above issue, scanning companies are now requiring that all communication with the server (other than the web browser) is done via a secure protocol. That means you need to be sure to check the ‘my server requires a secure connection’ when setting up your email in Outlook, and all insecure protocols on the server such as standard FTP on Port 21 are disabled. Your host will need to help you with this.
SSL Certificate Encryption
Yet another issue that has come up recently is the security of security certificates. For the longest time, SSL certificates were issued with an SHA-1 algorithm. Recently though, that algorithm has been deemed too weak to be effective, so you’ll now see these certificates showing as insecure in Chrome (a yellow padlock instead of a green one). Obviously this is not ideal to present to your customers, so you’ll want to have your SSL certificate re-issued in SHA-2 format. Your SSL vendor shouldn’t charge for this, and your hosting company will be able to help you update the certificate on the server.
This is a more recent development, but the scanning companies are now picking up forms that collect personal data and are not in https mode. Make sure your registration, login and of course checkout are all delivered in secure (https) mode.
Backup files kept on the server
Many shopping carts give you the ability to create a backup file right from the admin area. The problem is, this file is stored on the server, so if a hacker get in they have one file to download and your whole store is compromised. Make sure all of your backups are kept off-site, preferably via an hourly automatic backup system.
While this process has become easier with the advent of Hosted Carts like Shopify (they handle the scanning for you), it is still no fun to fill out the SAQs yourself. I always recommend partnering with an expert to help you navigate the maze of PCI compliance, especially if you are hosting the cart yourself. Of course if we built your cart, we’ll always be there to help keep you compliant!
Questions? Feel free to Contact Us!