Addressing the PCI Data Security Standard within HCL Commerce

The following topics deal with each of the detailed requirements that pertain to HCL Commerce. Some of the requirements are directly related to the HCL Commerce software package. Other requirements are unrelated, or indirectly relate to the HCL Commerce software package. For example, indirect requirements can affect your use of the operating system security features to secure HCL Commerce files.

For each requirement that directly affects HCL Commerce, the requirement is reprinted in italics and addressed point by point. In some cases, it is an explanation or confirmation that the requirement is met. In others cases, you must enable or disable features.

For several of the requirements that are related only to PCI compliance (and not to WebSphere Commerce) you are referred directly to the PCI DSS for details. Ensure that you keep up with the rapid pace of changing security requirements.

Tip: Each of the section numbers in this section corresponds to the numbering of the subsections of the PCI DSS document.

Required fixes and modifications for PCI compliance

In addition, it is recommended that you apply security fixes as recommended in the HCL Commerce Security Bulletins.

You can subscribe to security bulletin notifications using your IBMid:

Go to My notifications.
Lookup and subscribe to notifications for your HCL Commerce product. For example, HCL Commerce Enterprise.
Select Options > Edit.
Ensure that the Security bulletin document type is selected.
Note: All document types are selected by default.
Click Submit.

Summary of specific configuration actions required in your HCL Commerce implementation

While it is recommended to read each of the requirement sections to fully understand how HCL Commerce addresses the PCI-DSS, the following list summarizes the changes that you must make to a typical HCL Commerce installation by using default settings. Read each page carefully to understand how to complete the changes.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Ensure that you implement HCL Commerce in a 3-tier configuration.
Requirement 3: Protect stored cardholder data
- Use DBclean periodically.
- Use the Key Locator Framework to store the merchant encryption key.
- Change your merchant encryption key when required, and at least annually.
- Change the default number of plain text digits that are shown in the account number 5 - 4.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Disable SSLv2 encryption on your web server.
Requirement 6: Develop and maintain secure systems and applications
- Ensure that your store error pages do not display stack traces, either visibly, or in the page source.
Requirement 10: Track and monitor all access to network resources and cardholder data
- To comply with the PCI-DSS, you must enable business auditing for the orders component.
- To comply with the PCI-DSS, you must enable DB2 or Oracle auditing for the BUSAUDIT table.

Note: This summary does not include changes that you must make to your site operations. Review each requirement section carefully for details on operations and procedures that you must complete in conjunction with using HCL Commerce. For example, reviewing your business audit logs daily or using secure removal tools to delete old encryption assets.