What is PCI DSS and how does the standard compliance check occur?

At the end of 2015, the PayOnline electronic payment system for the eighth time proved that merchants and taxpayers are under reliable protection. And in May 2016, the company received a physical certificate of compliance with the requirements of the PCI DSS version 3.1, confirming the highest global security level.

Against the background of this event, we would like to tell you more about what PCI DSS is, what criteria are used to verify compliance with the standard and how, without having your own certificate, an online store can ensure the security of users' financial data.



If you try to score the PCI DSS abbreviation in Google or search it in Habré, you can find quite a few articles describing this standard. It will immediately become clear that the target audience of all these materials will be those who are somehow connected with e-commerce. These are mainly payment aggregators and processing centers, and only then the developers of online stores.
')
Any type of e-commerce is somehow based on the fact that buyers who want to purchase a product will have to pay for it. Despite the fact that the opportunity to pay in an archaic way (to give money to the courier at the meeting) is most popular in Russia, there is a high probability that the buyer will prefer to use his payment card. Here, store developers will have to deal with such delicate matter as personal user data, which is also related to their finances. It is unlikely that one of the customers of the store will want all this to be made public, so here you have to resort to thoughtful and repeatedly proven solutions.

Creating a whole online store from scratch - to put it mildly, the task is not easy. Therefore, there are quite a few frameworks on the market that help developers with this (everyone has heard Magento, for example). The task of accepting payments, as one of the most important, because it is associated with money, includes all e-commerce solutions. Developers who have dealt with this know that this is a fairly simple sequence of steps, which often looks like “download the library code for the XYZ payment gateway”, “configure it” (it usually comes down to receiving and using a special key, which allows the gateway to understand with which he is dealing with a shop), “finish off a little” and “unload on production”.

As a rule, it does not cause significant problems. However, after the user of your store went to the payment page of the selected payment gateway, entered their payment card details and clicked on the “Pay” button, it will not work to intervene - unless you can process the response of the gateway on your side and show the user a beautiful page gratefully (if everything went well) or apologize (if something went wrong).

A qualified user knows, for example, that https is better than http and checks this, many browsers will show site certificate data in the address bar. However, when the payment gateway starts its “internal” transactions with the issuing bank (the one that issued the card) and the acquiring bank (the one that should receive payment), a completely logical question may arise - how much is all this safe? After all, data transmission via https is not a guarantee of security, but only one of the hundreds of parameters that protect information.

Maybe the guys from this gateway were able to set up https for themselves, bought a certificate and even wrote in large letters on their website that everything is very good and everything is very secure. But the only truly reliable way to verify this is to perform some procedures that certify the security of the internal code of the payment gateway. And, of course, it is desirable that it would be more difficult to pass such a check than to write some beautiful HTML on your website - “100% safety guarantee”.

We will describe this procedure and try to understand why it is a standard in the e-commerce industry. All this will be hidden under the abbreviation PCI DSS, and it is the availability of this certificate at the payment gateway that may well mean that the payment card data (yes, there is, simply speaking, the payer's money) will reach the addressee without any problems.

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is the data security standard for the payment card industry. In other words, this is a documentation with a list of criteria that the service must satisfy if it somehow manages such things as the card number, its expiration date and CVV code.

There are quite a few payment cards (everyone knows Visa and MasterCard), and since we are talking about the industry standard, it would be useful for all companies to agree on what they would consider safe. To do this, there is the PCI SSC (Payment Card Industry Security Standards Council) - the Council for Payment Card Industry Security Standards, formed by the five largest payment systems. It is he who creates the rules of the “safe game”, and it is his rules that companies that want to get the coveted “PCI-DSS Certified” label must follow. Certification is required every year.

What exactly is checked?

In fact, it will be difficult to describe all the verification criteria - there are 288. The procedure itself is rather lengthy because it involves checking a number of complex technical issues. The complete list of criteria, divided into 12 groups, is as follows:

• Protection of the computer network.
• Configuration of information infrastructure components.
• Protection of stored cardholder data.
• Protection of data transmitted on cardholders.
• Antivirus protection of information infrastructure.
• Development and support of information systems.
• Manage access to cardholder data.
• Authentication mechanisms.
• Physical protection of information infrastructure.
• Logging of events and actions.
• Monitoring the security of information infrastructure.
• Information Security Management.

It is clearly seen that we are talking about the program part and the “physical component” - in other words, everything is checked. In this case, the word “verification” means the literal presence of the person who performs this verification in the office of the company being checked. An authorized auditor with QSA status (Qualified Security Assessor - and this statute is confirmed by the PCI SSC) has the right to talk with the payment gateway employee (there is a special interview procedure for this), examine the settings of the system components, take screenshots and just see “how it works” . In recent years, Deiteriy has been the auditor of PayOnline . Its findings are recognized by international payment systems Visa, MasterCard, MIR, American Express, Discover and JCB.

The program code of the libraries itself is checked selectively, the most attention is paid to the kernel directly processing payment card data, while paying attention to compliance with the external security standard OWASP, which describes the basic requirements for searching and exclusion in the code of vulnerabilities. Also in the business development process, there is a Code Review link, which, in fact, undergoes additional testing by another developer who is not involved in writing the code.

All relationships and responsibilities within the framework of PCI DSS requirements between service providers, namely, between the processing center and data center, as well as acquirer banks, are recorded in the so-called responsibility matrices. The existence of signed liability matrices between service providers has become imperative since version 3.1 of the PCI DSS standard. Among other things, of course, the data center should also have an actual PCI DSS compliance certificate for the infrastructure components used by the processing center - virtualization, services, physical equipment, and so on.

The servers themselves, as well as all other components of the infrastructure, for example, network equipment, are also subject to mandatory verification. The main requirement here is the relevance of the PCI-DSS status, which is directly dependent on the frequency of software changes, hardware configurations or / and virtual machines, and, equally important, from known vulnerabilities, such as the infamous HeartBleed. Infrastructure administrators are required to audit the system to find internal / external vulnerabilities and bring the infrastructure components into compliance with the PCI DSS standard.

Security audit is performed twice. The first time an automated scanner for known vulnerabilities is used, which is provided by an ASV (Approved Scanning Vendor) organization. In case of successful completion of this test, the system is checked for safety a second time by experts, which is called, manually, with the issuance of an official conclusion.

Possible difficulties

Here I would like to give an example from personal experience. During the latest PCI-DSS certification, our specialists organized a special monitoring service, which ensured that transactions between our data center and banks were carried out continuously. The source of potential problems was that some banks report that their TLS 1.0 certificate has been updated to version 1.2 after the fact. Potentially it could happen that we are trying to communicate with the bank, having an old certificate, while on their side it has already been renewed. Due to the fact that we now have a separate transaction continuity monitoring service, this problem is no longer possible.

In general, there are several examples of how verification works and how we adjusted our infrastructure to requirements. As it is known, according to PCI-DSS, the payment system should not keep the so-called Critical authentication data (CR), which include, for example, a CVV or PIN-code (the latter usually comes from POS-terminals of supermarkets). It is implemented this way:

When a transaction receives a special status from the processing center, indicating that it is completed (regardless of whether it is successful or not), a special program code that solves two tasks is initiated in the system. If during a transaction, for any reason, its data was written to disk, then the special operation that deletes this record receives the maximum priority and is performed by a special worker. If there was no disk access, it is still simpler: the transaction process is deleted from the server’s memory and thus the CAD does not occur. The only data that can be stored is the PAN (Primary Account Number) card number, and then only in encrypted form.

Another example is directly related to one of our users (although in fact there are many such stories, just this latest one), who bought goods from the online store. After something “went wrong”, he did not read sufficiently detailed error messages, but simply took a picture of his payment card on both sides (probably because they explained to him that they had to enter the last three digits after the magnetic strip on the back side) and sent it to our support service. According to the buyer, this was supposed to help us find out the status of his payment - “money withdrawn” or not. I must say that even such funny and at the same time sad cases are stipulated by the PCI-DSS standard.

In the event of a compromise of user data, the payment system is obliged to notify him and the issuing bank that issued the "illuminated" card. In addition, it was necessary to delete the letter with attachments-pictures from the client’s mail program of the support service operator, as well as on the mail server. All this was done in order to follow the golden rule of ensuring the security of the payment card industry - "If you do not need this information, then do not keep it."

PayOnline integration with an online store

As mentioned above, the task of integrating a particular online store with the payment system can hardly be called complex. There are many examples on the Internet for many gateways. Everything usually comes down to installing a specially written library on the server (we have a lot of them and for different platforms) and writing some client code that will collect user form information and send it to the payment gateway. The only point to which I would like to draw attention should be the location of the payment form itself - will it be on the side of the online store or will it work on the side of PayOnline. Despite the fact that many decisions may well allow accepting payments directly on your website, if the merchant does not have a PCI-DSS certificate, it will be necessary to arrange everything so that payments are made on the side of the payment gateway. The rationale is one thing - the security of the user's financial data. In this case, the payment form can be customized for the company, so that the end user will not be rejected.

We have libraries for organizing payments for desktop and mobile solutions, including Windows Phone (although the position of this platform in terms of popularity with users is much weaker than that of Android or iOS). Talking about a library for PHP, we will not even - it is practically implied by itself. We also have an SDK for .NET solutions. People often ask why a non-traditional approach is chosen for Android — a Java library — and Node.js is used. This decision was made some time ago - it is a bit easier to integrate such code than written in Java, as well as to meet the requirements of the PCI PA-DSS sub-standard. As for future integrations, we now have adaptive payment forms that work perfectly in native mobile applications integrated into the application via WebView, and meet all the requirements of PCI PA-DSS.

What gets online store

Among the main advantages of the PayOnline electronic payment system, we can highlight our technical capabilities, aimed at increasing conversion to successful payments. First and foremost, of course, this is fine work with 3-D Secure, which allows you to maintain a high level of protection against fraudulent transactions and at the same time increase payment conversion.

We carefully study the behavior of taxpayers, which changes from year to year following technological progress. Thanks to the ability to measure conversion and human behavior on the payment page at the time of filling in the data and making a payment, we technologically allow our customers to track the customer’s way step by step, present themselves in their place and simplify their user experience as much as possible based on the statistics obtained. In the event that when making a payment with a buyer for some reason fails to make a payment, the store receives the exact reason for the deviation from the processing center, then the store transmits the reason for the deviation to the payer in any customized form. Thus, the client immediately understands why the payment failed and what he needs to do in order to purchase a product or service.

If you are interested in this opportunity, please contact us , our specialists will provide additional information and, if necessary, will help set up payment acceptance on the site and in the mobile application via a secure gateway that meets the requirements of the PCI DSS 3.1 standard.