eCommerce store owners need to find out if the new PCI rules are being followed for their storefront website and hosting. eCommerce platform companies are scrambling to update their software, and many eCommerce developers don't understand or aren't taking the initiative to find out what needs to be done. Don't get caught with your PCI pants down.
In April 2015, a new guide to compliance standards, version 3.1, was published by the PCI Security Standards Council. Beginning July 1, 2016, new PCI standards go into place for all existing eCommerce websites and platforms. So double check your eCommerce software and your web host because they may not meet new regulation standards. Many of the newer platforms have a lot of these changes in place, but close to no one has the detailed tracking that is required. And version 3.1 requires evidence to prove you have done these things:
THE BIGGEST CHANGES
Look at your eCommerce software or talk to your IT people to see if these requirements are being met.
Your eCommerce platform must:
Ask your eCommerce hosting company if this requirement is being met.
- Log all user access and link activities to individual users
- Provide automated audit trails to reconstruct access to:
- All individual user accesses to Cardholder data
- All actions taken by any individual with administrative privileges
- Access to application audit trails
- Invalid access attempts
- Use and changes to the applications identification and authentication mechanisms
- All changes, additions and deletions to application accounts with administrative privileges
- Initialization, stopping or pausing of the application audit logs
- Creation and deletion of system level objects within or by the application (tables, stored procedures, etc.)
- Must facilitate centralized logging
- Passwords change every 90 days (7 characters with numeric and alphabetic characters minimum)
- Record and maintain password history
- Include settings for repeated failed attempts to an account causes the account to be locked after not more than six logon attempts
- Lockout duration is a minimum of 30 minutes or until and administrator enables the id.
- Your eCommerce website server is set to only allow TSL version 1.2 security. Read more on hosting
The list above does not outline every change to PCI DSS Compliance, but I have highlighted the ones that I believe are going to affect most of our clients and which require the most attention. Let us know if you need help meeting the new 3.1 standards. Call equaTEK at 585-485-0780.
Read Additional Information:
“Security Logging and Monitoring (PCI DSS Requirement 10): Why all the Fuss?
Payment Card Industry (PCI) Data Security Standard