EVERY company that accepts payment by credit card needs to be secure. Nobody can argue with that. The PCI DSS gives us a really useful set of guidelines - in effect, a working definition of security.
In this chart, we use the PCI guidelines and show the areas in which we can help.
The columns of the chart are the ways a store can be set up with us:
- My store is powered by AspDotNetStorefront v10 and there is no payment form on my site
- I host with AspDotNetStorefront
- I host with AspDotNetStorefront AND subscribe to security services
- I subscribe to preFIX (but without security services)
- I subscribe to preFIX with security services
Security Requirements
Security Guideline 1a (PCI 1.1)
Requirement 1.1 means that every online store should have a current network diagram identifying the firewalls, the network segments, and the flow of cardholder data into and out of the environment. Once the network is understood, firewalls must be placed so that the database is separated from the public internet, and rules must be configured to block any traffic that is not explicitly required.
Who will do this?
Approach your hosting company to see if they are prepared to help with this requirement. Make sure that they have read and understood Requirement 1.1 of the current PCI DSS.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 1b (PCI 1.2)
Requirement 1.2 means identifying exactly which traffic should be allowed through the firewall, writing rules that permit only that traffic (with a business justification recorded for each rule), and then maintaining those rules: each rule has a 'length of stay', so rules must be reviewed regularly and removed when they are no longer needed.
Who will do this?
Approach your hosting company to see if they are prepared to help with this requirement. Make sure that they have read and understood Requirement 1.2 of the current PCI DSS.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 1c (PCI 1.3)
An online store, which of course receives public traffic, must be kept completely separate from its database. Inbound traffic from the internet must be limited to the public-facing web server; the database must sit on an internal network segment that the internet cannot reach directly, and the web server should reach it only on the specific ports the application needs.
Who will do this?
Please ask your hosting company whether inbound internet access is limited to the public-facing web server, and whether the database is on a separate, non-public network segment.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 1d (PCI 1.4)
All portable devices that are allowed access to the 'cardholder data environment' (CDE) must run personal firewall software (or an equivalent), configured so that the user of the device cannot disable it.
Is this expensive?
Most good anti-virus/endpoint protection products include a personal firewall, and the cost is modest.
Who will do this?
This applies to any laptop or other portable device that is used to reach the CDE: your hosting company's administration devices (assuming that they are locking out 'strangers'), and also any device your own staff use to administer the store. Please ask your hosting company if they install personal firewall software on their access devices, and do the same on your own.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 2a (PCI 2.1)
All systems and applications inside the CDE must have the default (vendor-supplied) passwords changed, and unnecessary default accounts removed, before they are connected to the network.
Who will do this?
For the hosted platform (servers, database, network devices) only your hosting provider can take care of this. Any default credentials in software that you administer yourself are yours to change.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 2b (PCI 2.2)
Someone must list every 'element' in your CDE (cardholder data environment) and understand those elements well enough to 'harden' them. The rules about 'hardening' are set out in industry configuration standards from organizations such as CIS, NIST, ISO and SANS.
Who will do this?
Approach your hosting company to see if they are prepared to help with this requirement. Make sure that they have read and understood Requirement 2.2 of the current PCI DSS.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 2c (PCI 2.3)
When system/network administrators access your CDE (cardholder data environment) other than at the console, the connection must be protected with 'strong cryptography' - for example SSH, a VPN or TLS - and never a clear-text protocol such as telnet or plain HTTP. Strong passwords and multi-factor authentication for that access are dealt with under Requirement 8.
Who will do this?
Approach your hosting company to see if they are prepared to help with this requirement. Make sure that they have read and understood Requirement 2.3 of the current PCI DSS.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 2d (PCI 2.4)
For anyone to protect your CDE (cardholder data environment) they must first know exactly what hardware and software is in it. A complete, maintained inventory of those system components is required.
Who will do this?
Approach your hosting company to see if they are prepared to help with this requirement. Make sure that they have read and understood Requirement 2.4 of the current PCI DSS.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 3a (PCI 3.1)
It is not forbidden to store cardholder data. That is a myth. (The card number may be stored if it is rendered unreadable, as in 3b below; what may never be stored after authorization is sensitive authentication data such as the full magnetic stripe, the CVV and the PIN.) However, the decision to store such data must go hand-in-hand with conscious decisions about how long it is retained and how carefully it is destroyed, and there must be written policies covering those decisions.
Who will do this?
Only you, the merchant, can make these decisions and document and maintain these policies.
Security Requirements
Security Guideline 3b (PCI 3.2/3.3/3.4)
This requirement covers the card security code (CVV2/CVC2/CID), which must never be stored after authorization - AspDotNetStorefront never, under any circumstances, stores the security code. The requirement also covers how the credit card number (PAN) is 'hidden' (masked) when displayed, with at most the first six and last four digits shown, and how it is rendered unreadable wherever it is stored: by truncation, a keyed one-way hash, tokenization, or strong encryption.
Who will do this?
If you use AspDotNetStorefront v10 then the handling of the CVV and the masking/encryption of the credit card number are taken care of by the application. One caveat: any custom code, report or export that copies card numbers somewhere else (a log file, a spreadsheet, an e-mail) puts them outside that protection and back under Requirement 3.
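What 'masked' and 'rendered unreadable' look like in practice, as an added example that is not AspDotNetStorefront's own code: the masking rule of Requirement 3.3, a keyed one-way hash of the full PAN (one of the methods Requirement 3.4 allows) for recognising a returning card without storing its number, and a check that scans text for card numbers that escaped masking. The key, the key ID and the log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key and key ID for this example. In production the HMAC key is generated
# and held by a key-management service or HSM under Requirements 3.5/3.6; it is never
# hard-coded like this.
KEY_ID = "pan-hmac-key-v1"
KEY = bytes.fromhex("4f2d9c1e8b7a6d5c4b3a29181706f5e4d3c2b1a0998877665544332211ffeedd")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs (order IDs, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_bin: bool = False) -> str:
    """Display form allowed by Requirement 3.3: never more than first six and last four.

    Default shows only the last four; keep_bin=True also shows the issuer prefix,
    which is the maximum the requirement permits on a screen or receipt.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    head = digits[:6] if keep_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


def pan_lookup_token(pan: str) -> str:
    """Keyed one-way hash of the entire PAN (Requirement 3.4).

    The secret key is what makes it one-way in practice: a plain SHA-256 of a
    16-digit number can be brute-forced offline, an HMAC without the key cannot.
    The key ID is recorded with the token so the key can be rotated later.
    """
    digits = re.sub(r"\D", "", pan)
    mac = hmac.new(KEY, digits.encode(), hashlib.sha256).hexdigest()
    return f"{KEY_ID}:{mac}"


# Runs of 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Scan text (log files, exports, support tickets) for full PANs that escaped masking."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed log lines: the first one is exactly the kind of leak this check exists to catch.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z order=1001 card=4111111111111111 result=approved
2024-05-01T10:00:02Z order=1002 card=411111******1111 result=approved
2024-05-01T10:00:03Z order=1003 phone=555-0100 total=19.99 result=declined
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))                  # ************1111
    print(mask_pan("4111 1111 1111 1111", keep_bin=True))   # 411111******1111
    print(pan_lookup_token("4111-1111-1111-1111"))
    print(find_unmasked_pans(SAMPLE_LOG))                   # ['4111111111111111']
```

Run the scanner over anything that leaves the application (IIS logs, error logs, order exports, support mailboxes) as a routine check; a hit means the 'completely secure' handling inside the cart has been bypassed somewhere downstream.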
Security Requirements
Security Guideline 3c (PCI 3.5)
In order to encrypt your cardholder data, you must set and PROTECT encryption keys. There are specific rules about how you should handle your keys. Please read requirement 3.5 of the PCI DSS standard.
Who will do this?
This is down to you, the storeowner. If you outsource payment processing so that the card number never enters your environment, the provider holds the keys and this requirement largely falls to them.
Security Requirements
Security Guideline 3d (PCI 3.6)
Having set your encryption keys, you are required to limit the number of key custodians (each of whom formally acknowledges their responsibilities), to rotate keys at the end of their defined cryptoperiod, and to retire or replace any key that is known or suspected to be compromised. Please read requirement 3.6 of the PCI DSS standard.
Who will do this?
This is down to you, the storeowner. If you outsource payment processing so that the card number never enters your environment, the provider holds the keys and this requirement largely falls to them.
Security Requirements
Security Guideline 4a (PCI 4.1)
It is required that you secure the transmission of cardholder data using the latest, safest transport protocols, or document why not. The 'latest, safest' protocol at the time of writing is TLS 1.2 (TLS 1.3 has since been published and is also acceptable). SSL and early TLS (TLS 1.0) are no longer acceptable and should be disabled on the server.
Does this cost much?
There isn't a direct cost to using TLS 1.2, but there might be an indirect cost, since you might need to upgrade your payment application.
Who will do this?
Only your hosting provider can take care of setting the transport protocol, BUT the hosting provider can be instructed by you - so therefore you, the merchant, have direct control over this.
Vortx covers this security requirement in all hosting plans, but to take advantage of it, your storefront needs to be powered by AspDotNetStorefront 9.5 or above.
Security Requirements
Security Guideline 4c (PCI 4.2)
When a 'PAN' (this is the credit card number - Primary Account Number) is transmitted using end-user messaging (e-mail, instant messaging, SMS, chat), it must be protected by 'strong cryptography'.
Who will do this?
Your payment application does not transmit the PAN using end-user messaging, so any such transmission would be a conscious decision by you, and its security is under your control. The simplest policy is never to send a card number that way at all; if a customer e-mails you one, delete it rather than replying to it.
Security Requirements
Security Guideline 5a (PCI 5.1)
Security regulations include the need to install anti-virus protection on EVERY system component in your CDE (cardholder data environment). The anti-virus software must be kept constantly updated, running and generating its own logs, and its configuration documented and maintained.
How much will this cost?
Anti-virus software carries a cost, although this may be included in a professional hosting plan.
Who will do this?
Only the network administrators for your hosted environment can handle this.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 6a (PCI 6.1)
Your payment application ('shopping cart') MUST be carefully architected to avoid all known vulnerabilities. Furthermore, as new coding vulnerabilities are identified, the payment application must be promptly patched. Therefore, the manufacturers of your payment application must be constantly vigilant, watching public vulnerability sources for new 'holes'. Equally, anyone who modifies the code for your shopping cart must be on the alert for vulnerabilities.
How much will this cost?
There is usually an annual cost for keeping a software product patched against vulnerabilities. In the case of AspDotNetStorefront that is the cost of our 'Year Round Benefits' program.
Who will do this?
If you power your online store with the latest version of AspDotNetStorefront and if you never modify the code, then AspDotNetStorefront will take care of this for you. However, if you employ a developer to work on the code, then that developer must be interviewed to make sure that he/she is keeping abreast of vulnerabilities.
Security Requirements
Security Guideline 6b (PCI 6.2)
Definition: see 6a. Once a relevant patch is released, the application MUST be patched promptly (critical security patches within one month of release), following a documented change-control process that includes a roll-back plan, as the PA-DSS implementation guidance also requires.
How much will this cost?
There is usually an annual cost for keeping a software product patched against vulnerabilities. In the case of AspDotNetStorefront that is the cost of our 'Year Round Benefits' program.
Who will do this?
If you power your online store with the latest version of AspDotNetStorefront and if you never modify the code, then AspDotNetStorefront will take care of this for you. However, if you employ a developer to work on the code, then that developer must be interviewed to make sure that he/she is patching your storefront application promptly and in accordance with PA-DSS regulations.
Security Requirements
Security Guideline 6c (PCI 6.3/6.4/6.5)
The way your payment application (shopping cart) is developed is absolutely critical to the safety of your shoppers' credit card data. The latest version of AspDotNetStorefront has been officially certified as having been developed under documented methodologies that include a secure SDLC, change control, and code review policies. ANYONE else who works on your code MUST follow the same principles.
How much will this cost?
There is usually an annual cost for keeping a software product patched against vulnerabilities. In the case of AspDotNetStorefront that is the cost of our 'Year Round Benefits' program.
Who will do this?
If you power your online store with the latest version of AspDotNetStorefront and if you never modify the code, then AspDotNetStorefront will take care of this for you. However, if you employ a developer to work on the code, then that developer must be interviewed to make sure that he/she follows a secure development lifecycle, keeps changes under change control with testing and a roll-back plan, and has the code reviewed before it goes live.
Security Requirements
Security Guideline 6d (PCI 6.6)
As a final safeguard for public-facing web applications, either a professional assessor must review the application for vulnerabilities at least annually and after any change to the code, or a Web Application Firewall (WAF) must be placed in front of it.
How much will this cost?
There is a cost for a Web Application Firewall. This cost is included in the security services offered by AspDotNetStorefront.
Who will do this?
You, the merchant, will need to either employ a professional at least annually and after any change, or make sure that a Web Application Firewall (WAF) is installed in front of the store.
Security Requirements
Security Guideline 7a (PCI 7.1)
One of the greatest security risks is that access to your CDE (cardholder data environment) ends up in the wrong hands. Requirement 7.1 therefore limits access to only those people whose job requires it, at the least level of privilege needed, and requires you to document who has which access and why, and to keep those records and policies current.
Who will do this?
Only you can decide about granting access. Most hosts will work on the basis that the 'customer is always right', although you should be well advised that granting access needs very serious thought.
Security Requirements
Security Guideline 7c (PCI 7.2)
Part of security is to maintain an access control system that enforces those decisions, with a default 'deny-all' setting so that anything not explicitly granted is refused.
Who will do this?
Since you will tell your hosting company about access to your cardholder data, the responsibility for this falls on you, the merchant.
Security Requirements
Security Guideline 8a (PCI 8.1/8.2)
'Rogue' access to the admin console of your shopping cart is undeniably your greatest vulnerability. Requirements 8.1 and 8.2 are strict about this: every user gets a unique ID (no shared logins), accounts are added, changed and removed through a controlled process, accounts of staff who leave are removed promptly, and every login is backed by a password, token or biometric. Please read PCI DSS 8.1 and 8.2 very carefully.
Who will do this?
This is wholly the responsibility of the merchant.
Security Requirements
Security Guideline 8b (PCI 8.3)
Even your hosting company must be locked out of your cardholder data environment unless they use multi-factor authentication: Requirement 8.3 demands it for all non-console administrative access and for all remote access to the CDE. Please ask your hosting company if they take responsibility for PCI DSS 8.3.
Who will do this?
This falls upon your hosting provider.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 8c (PCI 8.4/8.5)
Weak passwords, shared accounts, and staff who were never told the rules can be a blight upon your security. Requirement 8.4 requires you to document your password procedures and communicate them to every user; Requirement 8.5 forbids shared, group or generic accounts. You must understand this and have policies and training in place.
Who will do this?
This is wholly the responsibility of you, the merchant.
Security Requirements
Security Guideline 8d (PCI 8.7)
The database for your payment application is, in itself, hugely vulnerable. Requirement 8.7 says that the application reaches it programmatically through an application account that no person uses directly, that only database administrators may query it directly, and that every access is made with an individual, identifiable login so that all data movement is audited.
Who will do this?
Unless you outsource your payment application (as in preFIX), your hosting provider is likely to allow you direct database access on request. This is ill-advised and breaks the requirement, but only you, the merchant, can decide how that access is granted.
Security Requirements
Security Guideline 9a (PCI 9.1)
Wherever credit card data is stored, there must be entry controls to the facility. (This page does not stretch to your own building - but as a responsible merchant, you should read regulation 9 and consider the weaknesses in your own facility.)
Who will do this?
Whoever hosts your payment application should take responsibility for facility security. AspDotNetStorefront takes this role very seriously on your behalf.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 9b (PCI 9.2/9.3/9.4)
Wherever credit card data is stored, there must be separate handling techniques for onsite staff, and for visitors. Badges, door controls, checkin/out policies must all be in place.
Who will do this?
Whoever hosts your payment application should take responsibility for facility security. AspDotNetStorefront takes this role very seriously on your behalf.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 9c (PCI 9.5/9.6/9.7)
The way that media (backups, paper, removable drives) is physically secured, backed up off-site, transported and tracked is an essential part of your security program. There must be secure policies, and an inventory of that media, in place.
Who will do this?
Whoever hosts your payment application should take responsibility for backup/storage. AspDotNetStorefront takes this role very seriously on your behalf.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 9d (PCI 9.8)
Data that has been stored for business reasons MUST be carefully destroyed when it is no longer needed. This means having a data retention policy, and a destruction process that renders all data permanently unrecoverable (shredding or incineration for paper; secure wiping or physical destruction for electronic media).
Who will do this?
Whoever hosts your payment application should take responsibility for retention and destruction of data. AspDotNetStorefront takes this role very seriously on your behalf.
Vortx covers this security requirement in all hosting plans.
Security Requirements
Security Guideline 10a (PCI 10.1/10.2/10.3)
There must be audit trails in place in your cardholder data environment that record all access to cardholder data and all administrative actions, and that tie each action to an individual user. Every firewall, router, server and application must be generating them, and each entry must record who did it, what was done, when, whether it succeeded, where it came from, and what it affected.
How much does this cost?
There is a significant cost in either software or personnel to ensure that the audit trails are functioning correctly
Who will do this?
Either your hosting company needs to manage this for you, or you need to take control of it yourself. Please ask your hosting company if they take responsibility for Requirement 10. AspDotNetStorefront offers this as part of our security services.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 10b (PCI 10.5)
The audit trails as defined in 10a must be locked down in such a way that a rogue operator cannot read them without authorization, alter them, or delete them: limited access, prompt copying to a central log server, and change detection on the log files themselves.
How much does this cost?
There is a significant cost in either software or personnel to ensure that the audit trails are functioning correctly
Who will do this?
Either your hosting company needs to manage this for you, or you need to take control of it yourself. Please ask your hosting company if they take responsibility for Requirement 10. AspDotNetStorefront offers this as part of our security services.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
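An added example, not AspDotNetStorefront's code, of what 10a and 10b ask for together: audit records carrying the fields Requirement 10.3 names, chained with an HMAC so that editing, deleting or inserting a record is detectable (10.5). The key and the three events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example. In a real deployment the MAC key lives with the
# central log server (or an HSM), not on the host that produces the events, so that a
# rogue administrator of that host cannot re-sign a doctored trail.
TRAIL_KEY = bytes.fromhex("9b1f3a7d5c2e4f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8")

GENESIS = "0" * 64

# The fields Requirement 10.3 says every audit entry must carry.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "resource")


def _canonical(record: dict) -> bytes:
    """Deterministic byte form of the signed part of a record (fields + link to predecessor)."""
    body = {k: record[k] for k in REQUIRED_FIELDS}
    body["prev_mac"] = record["prev_mac"]
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail: list, key: bytes, **fields) -> dict:
    """Append one event, chaining it to the previous record's MAC."""
    fields.setdefault("timestamp", datetime.now(timezone.utc).isoformat(timespec="seconds"))
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit record missing {missing}")
    record = dict(fields, prev_mac=trail[-1]["mac"] if trail else GENESIS)
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    trail.append(record)
    return record


def verify_trail(trail: list, key: bytes):
    """Return None if the trail is intact, otherwise the index of the first bad record.

    An edited field changes that record's MAC; a deleted or inserted record breaks
    the prev_mac link of the record that follows it.
    """
    prev = GENESIS
    for i, record in enumerate(trail):
        if record.get("prev_mac") != prev:
            return i
        try:
            expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        except KeyError:                       # a required field was stripped out
            return i
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return i
        prev = record["mac"]
    return None


def build_sample_trail(key: bytes = TRAIL_KEY) -> list:
    """Three constructed events of the kind Requirement 10.2 says must be logged."""
    trail = []
    append_event(trail, key, user_id="alice", event_type="admin_login", outcome="success",
                 origin="203.0.113.5", resource="/admin", timestamp="2024-05-01T10:00:00+00:00")
    append_event(trail, key, user_id="bob", event_type="view_cardholder_data", outcome="success",
                 origin="203.0.113.9", resource="orders/1001", timestamp="2024-05-01T10:01:30+00:00")
    append_event(trail, key, user_id="bob", event_type="export_orders", outcome="failure",
                 origin="203.0.113.9", resource="orders", timestamp="2024-05-01T10:02:10+00:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail, TRAIL_KEY))       # intact: None
    trail[1]["outcome"] = "failure"                         # a rogue operator edits a record
    print("after edit:", verify_trail(trail, TRAIL_KEY))   # after edit: 1
```

The chain catches changes inside the trail, but not the removal of the most recent records from its end; that is why the MACs (or at least the latest one) still have to be shipped promptly to a central log server, which is also where the key should live.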
Security Requirements
Security Guideline 10c (PCI 10.6)
The audit trails as defined in 10a must be centralized and examined daily, with a view to spotting alarming activity before it becomes a breach, or to identifying the intruder after the event.
How much does this cost?
There is a significant cost in either software or personnel to ensure that the audit trails are functioning correctly
Who will do this?
Either your hosting company needs to manage this for you, or you need to take control of it yourself. Please ask your hosting company if they take responsibility for Requirement 10. AspDotNetStorefront offers this as part of our security services.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 10d (PCI 10.7)
The audit trails as defined in 10a must be managed by policies that define their retention, upkeep and destruction. The standard sets a floor: at least one year retained, with the most recent three months immediately available for analysis.
How much does this cost?
There is a significant cost in either software or personnel to ensure that the audit trails are functioning correctly
Who will do this?
Either your hosting company needs to manage this for you, or you need to take control of it yourself. Please ask your hosting company if they take responsibility for Requirement 10. AspDotNetStorefront offers this as part of our security services.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 11a (PCI 11.2)
Internal and external vulnerability scanning must happen at least quarterly and after any significant change to the environment. The external scans must be performed by a PCI Approved Scanning Vendor (ASV). Any failures identified must be remediated and re-scanned until a clean pass is achieved.
How much does this cost?
There is a cost to these scans. AspDotNetStorefront offers this as part of our security services
Who will do this?
You, the merchant, can arrange these scans, or ask your hosting company for help.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 11b (PCI 11.3)
Penetration testing is required to probe the cardholder data environment for exploitable weaknesses, at least annually and after any significant change. It is separate from, and additional to, vulnerability scanning: a scan is an automated search for known weaknesses, whereas a penetration test is a skilled, hands-on attempt to exploit them at both the network layer and the application layer. It must be carried out by a qualified tester, either an in-house expert who is organizationally independent of the systems under test, or an external firm.
How much does this cost?
There is a cost to this testing. AspDotNetStorefront offers this as part of our security services
Who will do this?
You will always need the co-operation of your hosting company.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 11c (PCI 11.4)
All traffic must be monitored by Intrusion Detection / Intrusion Prevention techniques. IDS/IPS must be skilfully configured and kept constantly updated.
How much does this cost?
There is a cost to this monitoring. AspDotNetStorefront offers this as part of our security services.
Who will do this?
You, the merchant, can arrange this monitoring, or ask your hosting company for help.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
Security Requirements
Security Guideline 11d (PCI 11.5)
Change detection (including file integrity monitoring) must be in place so that you/your host is alerted to suspicious changes in your cardholder data environment.
How much does this cost?
There is usually a cost to this. AspDotNetStorefront offers this as part of our security services.
Who will do this?
You will always need the co-operation of your hosting company.
Vortx covers this security requirement either as part of preFIX or as part of our security services.
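A minimal form of the change detection 11.5 asks for, as an added example rather than any product's file integrity monitor: hash every file under the web root, keep that baseline off the host, and compare a fresh baseline against it at least weekly. The directory layout and file contents are constructed stand-ins, not AspDotNetStorefront's real files.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs and images are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root) -> dict:
    """Map of relative path -> digest for every file under root.

    A real deployment restricts this to critical files (binaries, config, scripts) and
    stores the result off the host, otherwise an intruder can simply re-baseline.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh one."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def build_sample_webroot(root: Path) -> None:
    """Constructed stand-in for a store's web root (not the product's real layout)."""
    files = {
        "web.config": b"<configuration><connectionStrings/></configuration>",
        "Default.aspx": b"<%@ Page %>",
        "bin/store.dll": b"MZ" + bytes(64),
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> dict:
    """Take a baseline, simulate three suspicious changes, and report what FIM would flag."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        build_sample_webroot(root)
        before = baseline(root)

        # 1. Config edited (e.g. connection string pointed somewhere it should not go).
        (root / "web.config").write_bytes(
            b"<configuration><connectionStrings>changed</connectionStrings></configuration>")
        # 2. A new script dropped into the web root: the classic sign of a planted back door.
        (root / "cmd.aspx").write_bytes(b"<%@ Page %><%-- dropped file --%>")
        # 3. A file removed.
        (root / "images" / "logo.png").unlink()

        return compare(before, baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
    # {'added': ['cmd.aspx'], 'removed': ['images/logo.png'], 'modified': ['web.config']}
```

Schedule the comparison and alert on any non-empty result; the baseline is refreshed only as part of an approved change (a patch or a release), which is how 11.5 and 6.4 change control fit together.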
Security Requirements
Security Guideline 12a (PCI 12.1)
Your organization needs to have a declared security policy, which is carefully written, kept updated and distributed to your staff.
Who will do this?
Only you, the merchant, can handle your own internal policies.
Security Requirements
Security Guideline 12b (PCI 12.2)
Your organization should undergo an Annual Risk Assessment, which helps you to know where risk exists and have policies in place to compensate.
Who will do this?
Only you, the merchant, can handle your own internal policies.
Security Requirements
Security Guideline 12c (PCI 12.3 - 12.8)
In order to be considered really secure, your organization needs to manage the usage of all your technologies, including (but not limited to) the internet and your cardholder data. You need to have policies around recruiting and exiting your staff and you need to have a process in place for the secure and considered selection of all service providers.
Who will do this?
Only you, the merchant, can handle your own internal policies.
Security Requirements
Security Guideline 12d (PCI 12.10)
In the event of a data breach (or any other crisis for your organization) you should have an Incident Response Plan which has been carefully constructed with the involvement of your stakeholders and is routinely updated and tested.
Who can help with this?
Only you, the merchant, can handle your own internal policies.
PCI Requirement 12
Why is Requirement 12 not covered by us, even when our clients are in the 'safe harbor' that we call preFIX? Well, there is a good reason.
Requirement 12 is all about people and policies. As a compliant organization, you are expected to have an Incident Response Plan, for example. Having such a plan means you know what to do in the event of a breach, and ensures that the right people in your company are lined up to take the right steps when something foreseeable happens.
What else does Requirement 12 cover? It expects you to train your staff to know how to handle secure data. It expects your senior management to support the company security initiatives. It makes sure that you are choosing your 'service provider' very carefully. Any third party company that goes close to your cardholder data (your hosting company and your software developers, for example) should be carefully interviewed to make sure that their concern about your security is equal to your own concern, and that they are following regulations put in place by the PCI council.
So, here at Vortx we are proud of the way we keep our clients safe, but we can't vouch for other providers, and we can't talk about YOUR incident response plan.