What is PCI Compliance?
In order to legally store their customers' credit and debit card payment data, all e-commerce businesses are required to comply with the PCI DSS (Payment Card Industry Data Security Standard), commonly referred to as PCI Compliance (Payment Card Industry Compliance).
When a company decides to pursue PCI Compliance certification, it must fulfil, in a demonstrable way, a set of key requirements for its platform. These requirements address the security of the platform that hosts the web application and on which financial transactions involving clients' private data take place.
To obtain PCI Compliance certification, companies usually choose to work with licence-based third-party tools that carry additional costs. These tools are not well suited to AWS environments, so we developed and implemented a solution that covers all the required and relevant aspects of a PCI audit.
What are its benefits?
- Increases clients' trust in the online shop that will handle the personal data required to process an online payment.
- Improves the shop's reputation, as it guarantees that all of this critical data is stored and handled under strict security procedures.
- Strengthens application and infrastructure security against threats, protecting the shop's data and providing the event traceability needed to reconstruct what happened.
Which aspects must be covered to obtain PCI Compliance certification?
PCI Compliance certification is complex and tedious to obtain, but it is key for any e-commerce business that wants to achieve a significant improvement in how it operates.
This certification audit will ensure that the company:
1. Builds and maintains a secure network
- Installing and maintaining a firewall configuration to protect cardholder data.
- Not using vendor-supplied defaults for system passwords and other security parameters.
2. Protects cardholder data
- Protecting stored cardholder data.
- Encrypting transmission of cardholder data across open, public networks.
3. Maintains a vulnerability management program
- Using and regularly updating anti-virus software.
- Developing and maintaining secure systems and applications.
4. Implements strong access control measures
- Restricting access to cardholder data by business need-to-know.
- Assigning a unique ID to each person with computer access.
- Restricting physical access to cardholder data.
5. Regularly monitors and tests networks
- Tracking and monitoring all access to network resources and cardholder data.
- Regularly testing security systems and processes.
6. Maintains an information security policy
- Maintaining a policy that addresses information security.