WebSphere Commerce and the PCI Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, facilitates the global adoption of consistent data security measures.

The PCI DSS Version 3.0 standard lists 12 requirements which retailers, online merchants, credit data processors, and other payment-related businesses must implement to help protect cardholders and their data. The requirements include technology controls (such as data encryption, user access control, and activity monitoring) and required procedures.

Most of the requirements focus on site security, but some of them apply to securing your applications. This technical overview document helps you understand the PCI requirements, determine which requirements apply to WebSphere Commerce, and see how WebSphere Commerce implements the applicable requirements.

On-premises:

The PCI documentation applies to WebSphere Commerce on-premises. If you are using WebSphere Commerce in an IBM Commerce on Cloud environment, note the following limitations:

  • IBM Commerce on Cloud does not support bringing payment data, such as cardholder data, into IBM-managed environments. You cannot process or store cardholder data in the IBM Commerce on Cloud system.
  • IBM Commerce on Cloud does not support the Payments subsystem or payment plug-ins provided by a third party.
  • IBM Commerce on Cloud supports the IBM Payment Gateway; you can use the PCI option on payments processed through this gateway.

The use of WebSphere Commerce in your electronic commerce site, even if installed and configured correctly, does not guarantee that your site is PCI-compliant. The purpose of this document is to describe the relationship between WebSphere Commerce and the PCI Data Security Standard requirements, not the compliance of an entire operating environment. PCI compliance can also impose requirements on other components of your site that are involved in the storage, processing, or transmission of cardholder data, including firewalls, routers, web servers, operating systems, storage databases, and WebSphere Application Server. That is, although WebSphere Application Server is included with WebSphere Commerce, it is considered a separate component. PCI compliance remains solely the responsibility of the merchant.

For your reference, here is the outline of the standard.
Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security for all personnel.

Where to find information about the Payment Card Industry Data Security Standard

WebSphere Commerce and PCI compliance

The PCI Data Security Standard (DSS) addresses far more than the security of your WebSphere Commerce application. It covers broad security requirements such as virus protection and restricting physical access to cardholder data.

It is important to recognize the scope of the requirements, and which of them are related to WebSphere Commerce.

PCI Data Security Standards and how they relate to WebSphere Commerce

Requirement                                                                                    Relationship
1: Install and maintain a firewall configuration to protect cardholder data.                   Related only to PCI DSS
2: Do not use vendor-supplied defaults for system passwords and other security parameters.     Focus area
3: Protect stored cardholder data.                                                             Focus area
4: Encrypt transmission of cardholder data across open, public networks.                       Focus area
5: Protect all systems against malware and regularly update anti-virus software or programs.   Related only to PCI DSS
6: Develop and maintain secure systems and applications.                                       Related only to PCI DSS
7: Restrict access to cardholder data by business need to know.                                Focus area
8: Identify and authenticate access to system components.                                      Focus area
9: Restrict physical access to cardholder data.                                                Related only to PCI DSS
10: Track and monitor all access to network resources and cardholder data.                     Focus area
11: Regularly test security systems and processes.                                             Related only to PCI DSS
12: Maintain a policy that addresses information security for all personnel.                   Related only to PCI DSS

Different types of payment solutions for WebSphere Commerce

There are multiple ways of handling payments in a WebSphere Commerce store implementation:
  • The WebSphere Commerce Payments subsystem
  • Payments APIs or plug-ins that are custom or provided by a third party
  • Hosted payments pages that are provided by a third party
If you are not using the WebSphere Commerce Payments subsystem, it is your responsibility to ensure that the payment API or hosted payment page is PCI-compliant.

If you are using a WebSphere Commerce Payments subsystem plug-in other than SimpleOffline, or a custom payment plug-in that runs in the WebSphere Commerce Payments subsystem, the plug-in must be certified by your PCI assessor. The payment plug-in that you use must be assessed while it is connected to the Payment Gateway you are using.

PCI Security Standards Council Notices: Legal Terms and Conditions

Acceptance of a given payment application by the PCI Security Standards Council, LLC (PCI SSC) only applies to the specific version of that payment application that was reviewed by a PA-QSA and subsequently accepted by PCI SSC (the "Accepted Version"). If any aspect of a payment application or version thereof is different from that which was reviewed by the PA-QSA and accepted by PCI SSC - even if the different payment application or version (the "Alternate Version") conforms to the basic product description of the Accepted Version - then the Alternate Version should not be considered accepted by PCI SSC, nor promoted as accepted by PCI SSC.

No vendor or other third party may refer to a payment application as "PCI Approved" or "PCI SSC Approved", and no vendor or other third party may otherwise state or imply that PCI SSC has, in whole or part, accepted or approved any aspect of a vendor or its services or payment applications, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a PA-DSS letter of acceptance provided by PCI SSC. All other references to PCI SSC's approval or acceptance of a payment application or version thereof are strictly and actively prohibited by PCI SSC.

When granted, PCI SSC acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC's goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the payment application vendor or the functionality, quality, or performance of the payment application or any other product or service. PCI SSC does not warrant any products or services that are provided by third parties. PCI SSC acceptance does not, under any circumstances, include, or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement, all of which are expressly disclaimed by PCI SSC. All rights and remedies regarding products and services that have received acceptance from PCI SSC, shall be provided by the party providing such products or services, and not by PCI SSC or any payment brands.