What is PCI compliance?
Adhering to a set of security standards created by the Payment Card Industry for companies that process, store, accept, or transmit payment card information. It is meant to assure this is done in a secure environment.
What do I need to do to be considered PCI compliant?
Proper penetration testing
Penetration testing is testing the ability to gain access to the server without access to user names, passwords, and access keys.
Penetration Test tools
Keep all transmissions over ssl
Lock all transmissions down and use a reputable certificate provider like that from Symantec.
Regularly monitor access to cardholder data
This can be done with DAM tools, like pimcore.
What do I need to have to be considered PCI compliant?
Properly Configure IPTables, to manage access to the server
- Add to configuration file management system (mentioned below)
- A Firewall/Security toolkit
System Vulnerability Management
- Change default passwords
- Remove unncessary software and services
- Multiple layer architecture
- Have each layer on a different server. This way, if one server gets compromised, the other layers are still protected.
Regular software patching
Stay on top of updates, run the updates in a test environment, first to assure there are no negative consequences to updating the system.
Configuration file management
Use Ansible, Puppet, or Chef for consistency and testing before hand. Using these also provide the ability for incremental improvement.
Nagios and ModSecurity can do this,
How do I store card data in a PCI compliant manner for recurring charges?
### Use one way hashing to save to the database - PAN - CVV - Expiration Date (Unix Timestamp)
BCrypt is the hashing algorithm I like to use
BCrypt is a hashing function that incorporates a salt. It can also be adaptive. Over time, the iteration count can be increased to make it slower. This makes it resistent to brute force.