Overview: WebSphere Commerce and the PCI Data Security Standard


Addressing the PCI Data Security Standard within WebSphere Commerce


The following topics deal with each of the detailed requirements that pertain to WebSphere Commerce. Some of the requirements are directly related to the WebSphere Commerce software package. Other requirements are completely unrelated. Many fall in between, affecting the use of, for example, the operating system security features to secure WebSphere Commerce files.

For each requirement that directly affects WebSphere Commerce, the requirement is reprinted in italics and addressed point by point. In some cases, it is an explanation or confirmation that the requirement has been met. In others, you must take action to enable or disable features.

For several of the requirements that are related only to PCI compliance (and not to WebSphere Commerce) you are referred directly to the PCI DSS for details. It is important that you keep up with the rapid pace of changing security requirements. At the time of writing, the current PCI standard has already undergone significant changes. This document was written to version 1.2 of the PCI DSS document.

Tip: Each of the section numbers in this section corresponds to the numbering of the subsections of the PCI DSS document.


Required fixes and modifications for PCI compliance

You must install the following iFixes to enhance the overall site security.

These APARs further protect encrypted data in WebSphere Commerce by using a different encryption key to encrypt external facing data (URL parameters and cookie values) than the encryption key that is used to encrypt data stored in the database. This strengthens the overall security of the product.

These fixes are included in WebSphere Commerce version 7 fix pack 1.
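The key-separation principle behind these fixes, as an added illustration that is not WebSphere Commerce code (the page does not describe how the product derives or stores its keys): one merchant secret is expanded with HKDF into two purpose-bound working keys, one for external-facing values (URL parameters, cookies) and one for database columns, so a value protected under the external key is never accepted under the stored-data key. The HMAC tag stands in for the encryption step so the block runs with the standard library alone; the purpose labels, merchant key and salt are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK from the input key
    material, then expand it with a purpose label into `length` output bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Purpose labels are constructed for this example; they are not product values.
EXTERNAL_INFO = b"example:external-facing:url-params-and-cookies"
STORED_INFO = b"example:stored:database-columns"


def derive_context_keys(merchant_key: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """One master secret, two independent working keys (external, stored).
    Different `info` labels make the outputs unrelated even with the same salt."""
    return (hkdf_sha256(merchant_key, salt, EXTERNAL_INFO),
            hkdf_sha256(merchant_key, salt, STORED_INFO))


def seal(key: bytes, value: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the value is only accepted under `key`."""
    return value + hmac.new(key, value, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the value if its tag verifies under `key`, otherwise None."""
    if len(blob) < 32:
        return None
    value, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None


def demo() -> Dict[str, bool]:
    """Seal a cookie value under the external key and try both keys on it."""
    merchant_key = b"constructed-merchant-key-do-not-reuse"  # constructed sample
    salt = b"constructed-per-site-salt"                      # constructed sample
    ext_key, db_key = derive_context_keys(merchant_key, salt)
    cookie_blob = seal(ext_key, b"cookie-value:42")
    return {
        "keys_differ": ext_key != db_key,
        "cookie_accepted_with_external_key": unseal(ext_key, cookie_blob) is not None,
        "cookie_accepted_with_database_key": unseal(db_key, cookie_blob) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the derivation step is that the two keys can be rotated and scoped independently: an attacker who recovers whatever is exposed on the client side learns nothing that helps with data at rest, which is exactly the separation the fixes above introduce.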

Add the following to the ProhibitedCharacters element of the WebSphere Commerce configuration file:

<Character display="false" regex=".*((%(25)+)|%)*((3C)|<)[\s]*+img.*"/> 
<Character display="false" regex=".*((%(25)+)|%)*((3C)|<)[\s]*+iframe.*"/> 
<Character display="false" regex=".*\x00.*"/>

For more details, refer to Enable cross-site scripting protection.
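To see what the three ProhibitedCharacters patterns above actually reject, here is an added Python check (not WebSphere Commerce code) that applies them to constructed request parameter values. It assumes the server matches each pattern against a whole parameter value, as Java's `matches()` does; Java's possessive quantifier `[\s]*+` is written `[\s]*` because the literal that follows it cannot match whitespace, so the two are equivalent here.

```python
import re
from typing import Dict, List

# The three regexes from the ProhibitedCharacters entries, transcribed for
# Python's re module. Java's possessive "[\s]*+" is written "[\s]*": the
# following literal ("img"/"iframe") can never match whitespace, so forbidding
# backtracking changes nothing.
PROHIBITED_PATTERNS: List[str] = [
    r".*((%(25)+)|%)*((3C)|<)[\s]*img.*",
    r".*((%(25)+)|%)*((3C)|<)[\s]*iframe.*",
    r".*\x00.*",
]
_COMPILED = [re.compile(p) for p in PROHIBITED_PATTERNS]


def matches_prohibited(value: str) -> bool:
    """True if the whole value matches any prohibited pattern.

    fullmatch() mirrors Java's String.matches()/Matcher.matches(), which need
    the entire input to match (an assumption about how the server applies the
    patterns); the leading and trailing .* turn that into a substring test.
    """
    return any(p.fullmatch(value) for p in _COMPILED)


def flagged_parameters(params: Dict[str, str]) -> List[str]:
    """Names of request parameters whose value hits a prohibited pattern."""
    return [name for name, value in params.items() if matches_prohibited(value)]


if __name__ == "__main__":
    # Constructed sample request: one benign parameter, three that the
    # patterns reject (encoded '<' + img, literal '<' + whitespace + iframe,
    # and an embedded NUL byte).
    sample = {
        "storeId": "10001",
        "q": "%3Cimg src=x",
        "name": "<  iframe",
        "note": "abc\x00def",
    }
    for name in flagged_parameters(sample):
        print(f"rejected parameter: {name!r}")
```

As written, the patterns are case-sensitive and target two specific tags plus NUL bytes, so treat them as one layer of the cross-site scripting protection described in the referenced topic, not as a replacement for output encoding in storefront pages.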


Summary of specific configuration actions required in the WebSphere Commerce implementation

While it is recommended to read each of the requirement sections to fully understand how WebSphere Commerce addresses the PCI DSS, the following list summarizes the changes to make to a typical WebSphere Commerce installation that uses default settings. Read each page carefully to understand how to make the changes.

This summary does not include changes to make to your site operations. Review each requirement section carefully for details on the operations and procedures to perform in conjunction with using WebSphere Commerce (for example, reviewing the business audit logs daily or using secure removal tools to delete old encryption assets).

  1. Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Many parts of requirement 1 such as the wireless network or router setup do not directly relate to WebSphere Commerce, but the requirements that relate to the site topology are extremely important. You must construct the WebSphere Commerce site so that you never store cardholder data on internet-accessible systems. Additionally, WebSphere Commerce sites should always use firewalls to separate themselves from the internet, internal networks, and any other system that is accessible to the internet. Refer directly to the PCI DSS for details on this requirement.

  2. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  3. Requirement 3: Protect stored cardholder data
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  4. Requirement 4: Encrypt transmission of cardholder data across open, public networks
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  5. Requirement 5: Use and regularly update anti-virus software
    Although antivirus software is outside the scope of WebSphere Commerce, protecting the servers and network from malicious software should always be a priority for a responsible network administrator. WebSphere Commerce is designed, developed and tested on systems running antivirus software.

  6. Requirement 6: Develop and maintain secure systems and applications
    As your business needs change, you or your business partners might customize the WebSphere Commerce site. As you do so, ensure that the customizations do not compromise the site security. Verify that the developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI DSS.

  7. Requirement 7: Restrict access to cardholder data by business need to know
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  8. Requirement 8: Assign a unique ID to each person with computer access
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  9. Requirement 9: Restrict physical access to cardholder data
    Requirement 9 deals with physical site security and is well beyond the scope of WebSphere Commerce. Refer directly to the PCI DSS for details on the requirement.

  10. Requirement 10: Track and monitor all access to network resources and cardholder data
    The detailed requirements in this section are relevant to WebSphere Commerce. Review each point carefully.

  11. Requirement 11: Regularly test security systems and processes
    While beyond the scope of WebSphere Commerce, it is important to regularly test security systems and processes. Refer directly to the PCI DSS for details on testing requirements.

  12. Requirement 12: Maintain a policy that addresses information security for employees and contractors
    This requirement is not directly related to WebSphere Commerce. Refer directly to the PCI DSS for requirements and details on how to develop the information security policies.

