WebSphere Commerce on premise not applicable for Commerce on Cloud offering

WebSphere Commerce and the PCI Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to facilitate the global adoption of consistent data security measures.

The PCI DSS Version 3.0 standard lists twelve (12) requirements which retailers, online merchants, credit data processors, and other payment related businesses must implement to help protect cardholders and their data. The requirements include technology controls (such as data encryption, end-user access control and activity monitoring) as well as required procedures.

Most of the requirements focus on site security, but some of them apply to securing your applications. The WebSphere Commerce team has produced this technical overview document to assist you in understanding the PCI requirements, determining which requirements apply to WebSphere Commerce, and how WebSphere Commerce implements the applicable requirements.

Note:
Commerce on Cloud
  • Currently, Commerce on Cloud does not support bringing payment data, such as cardholder data (CHD), into the IBM-managed environments. You can neither process nor store CHD in the system.
  • When using Commerce on Cloud, you also cannot use the WebSphere Commerce Payments subsystem, Payments APIs, or plug-ins that are provided by a third party.
  • You can use the Commerce on Cloud PCI option with hosted payment pages that are provided by a third party.

The use of WebSphere Commerce Version 7 in your electronic commerce site, even if installed and configured correctly, does not guarantee that your site will be PCI compliant. The purpose of this document is to describe the relationship between WebSphere Commerce and the PCI Data Security Standard requirements, not the compliance of an entire operating environment. PCI compliance can also impose requirements on other components of your site involved in the storage, processing, or transmission of cardholder data, including firewalls, routers, Web servers, operating systems, storage databases and WebSphere Application Server. Although WebSphere Application Server is included with WebSphere Commerce, it is considered a separate component for this purpose. PCI compliance remains solely the responsibility of the merchant.

For your reference, here is the outline of the standard:
Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel.


WebSphere Commerce and PCI compliance

The PCI Data Security Standard (DSS) addresses far more than the security of your WebSphere Commerce application. It covers broad security requirements such as virus protection and restricting physical access to cardholder data.

It is important to recognize the scope of the requirements, and which of them are related to WebSphere Commerce.

PCI Data Security Standards and how they relate to WebSphere Commerce

Requirement | Relationship
1: Install and maintain a firewall configuration to protect cardholder data. | Related only to PCI DSS
2: Do not use vendor-supplied defaults for system passwords and other security parameters. | Focus area
3: Protect stored cardholder data. | Focus area
4: Encrypt transmission of cardholder data across open, public networks. | Focus area
5: Protect all systems against malware and regularly update anti-virus software or programs. | Related only to PCI DSS
6: Develop and maintain secure systems and applications. | Related only to PCI DSS
7: Restrict access to cardholder data by business need to know. | Focus area
8: Identify and authenticate access to system components. | Focus area
9: Restrict physical access to cardholder data. | Related only to PCI DSS
10: Track and monitor all access to network resources and cardholder data. | Focus area
11: Regularly test security systems and processes. | Related only to PCI DSS
12: Maintain a policy that addresses information security for all personnel. | Related only to PCI DSS

Different types of payment solutions for WebSphere Commerce

There are multiple ways of handling payments in a WebSphere Commerce store implementation:
  • The WebSphere Commerce Payments subsystem
  • Payments APIs or plug-ins that are custom or provided by a third party
  • Hosted payment pages provided by a third party
This guide addresses implementing WebSphere Commerce using the WebSphere Commerce Payments subsystem. If you are not using the WebSphere Commerce Payments subsystem, it is your responsibility to ensure that the payment API or hosted payment page is PCI compliant.

If you are using a WebSphere Commerce Payments subsystem plug-in other than SimpleOffline or have a custom payment plug-in using the WebSphere Commerce Payments subsystem, it must be certified by your PCI assessor. The payment plug-in you are using must be assessed while it is connected to the payment gateway you are using.

PCI Security Standards Council Notices: Legal Terms and Conditions

Acceptance of a given payment application by the PCI Security Standards Council, LLC (PCI SSC) only applies to the specific version of that payment application that was reviewed by a PA-QSA and subsequently accepted by PCI SSC (the "Accepted Version"). If any aspect of a payment application or version thereof is different from that which was reviewed by the PA-QSA and accepted by PCI SSC - even if the different payment application or version (the "Alternate Version") conforms to the basic product description of the Accepted Version - then the Alternate Version should not be considered accepted by PCI SSC, nor promoted as accepted by PCI SSC.

No vendor or other third party may refer to a payment application as "PCI Approved" or "PCI SSC Approved", and no vendor or other third party may otherwise state or imply that PCI SSC has, in whole or part, accepted or approved any aspect of a vendor or its services or payment applications, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a PA-DSS letter of acceptance provided by PCI SSC. All other references to PCI SSC's approval or acceptance of a payment application or version thereof are strictly and actively prohibited by PCI SSC.

When granted, PCI SSC acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC's goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the payment application vendor or the functionality, quality, or performance of the payment application or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement, all of which are expressly disclaimed by PCI SSC. All rights and remedies regarding products and services that have received acceptance from PCI SSC, shall be provided by the party providing such products or services, and not by PCI SSC or any payment brands.