Addressing the PCI Data Security Standard within WebSphere Commerce

The following topics deal with each of the detailed requirements that pertain to WebSphere Commerce. Some of the requirements are directly related to the WebSphere Commerce software package. Other requirements are unrelated, or indirectly relate to the WebSphere Commerce software package. For example, indirect requirements can affect your use of the operating system security features to secure WebSphere Commerce files.

For each requirement that directly affects WebSphere Commerce, the requirement is reprinted in italics and addressed point by point. In some cases, it is an explanation or confirmation that the requirement is met. In others cases, you must enable or disable features.

For several of the requirements that are related only to PCI compliance (and not to WebSphere Commerce) you are referred directly to the PCI DSS for details. Ensure that you keep up with the rapid pace of changing security requirements.

Tip: Each of the section numbers in this section corresponds to the numbering of the subsections of the PCI DSS document.

Required fixes and modifications for PCI compliance

In addition, it is recommended that you apply security fixes as recommended in the WebSphere Commerce Security Bulletins.

You can subscribe to security bulletin notifications using your IBM ID:

Go to My notifications.
Lookup and subscribe to notifications for your WebSphere Commerce product. For example, WebSphere Commerce Enterprise.
Select Options > Edit.
Ensure that the Security bulletin document type is selected.
Note: All document types are selected by default.
Click Submit.

Summary of specific configuration actions required in your WebSphere Commerce implementation

While it is recommended to read each of the requirement sections to fully understand how WebSphere Commerce addresses the PCI-DSS, the following list summarizes the changes that you must make to a typical WebSphere Commerce installation by using default settings. Read each page carefully to understand how to complete the changes.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Ensure that you implement WebSphere Commerce in a 3-tier configuration.
Requirement 3: Protect stored cardholder data
- Use DBclean periodically.
- Use the Key Locator Framework to store the merchant encryption key.
- Change your merchant encryption key when required, and at least annually.
- Change the default number of plain text digits that are shown in the account number 5 - 4.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Disable SSLv2 encryption on your web server.
Requirement 6: Develop and maintain secure systems and applications
- Ensure that your store error pages do not display stack traces, either visibly, or in the page source.
Requirement 10: Track and monitor all access to network resources and cardholder data
- To comply with the PCI-DSS, you must enable business auditing for the orders component.
- To comply with the PCI-DSS, you must enable DB2 or Oracle auditing for the BUSAUDIT table.

Note: This summary does not include changes that you must make to your site operations. Review each requirement section carefully for details on operations and procedures that you must complete in conjunction with using WebSphere Commerce. For example, reviewing your business audit logs daily or using secure removal tools to delete old encryption assets.