Selling online? A guide to complying with the PCI

PCI-DSS compliance can leave retailers confused about how best to approach this daunting task. What is it they actually need to do?


  • Limit data retention
  • Protect networks
  • Secure applications
  • Monitor and control access
  • Protect stored data
  • Ensure controls are in place
  • Don’t take risks

Major payment brands joined forces to form the Payment Card Industry (PCI) Security Standards Council and created the PCI DSS (Data Security Standard), a set of requirements designed to reduce credit card fraud.

The PCI Council recently released guidelines on data security in e-commerce, setting out its view of the best approach to compliance.

Achieving the standard can be a long and costly exercise, leaving retailers confused about how best to approach this daunting task. 

So what is it they actually need to do?

Remove sensitive authentication data and limit data retention

When a retailer's IT department is tasked with assessing its compliance, it must first minimise the risk of a breach.

The PCI Council advises retailers to implement data retention and disposal policies to reduce the amount of cardholder data stored. It is also forbidden to store sensitive authentication data, such as the full contents of any track from the magnetic stripe, the card verification code, or the personal identification number (PIN), even if it is encrypted.

When media is no longer required, it is the retailer's responsibility to destroy it, so that old cardholder data cannot be recovered.

Protect the perimeter, internal and wireless networks

A company's network has many potential points of exposure. Firewall and router configurations must be built to restrict connections between untrusted networks and any system components in the cardholder data environment.

When installing a system on the network, at a minimum you must change vendor-supplied passwords and use strong cryptography and security protocols, such as SSL/TLS, IPsec and SSH, to protect sensitive cardholder data during transmission.

Run regular vulnerability scans and perform penetration testing. Not only should these be conducted on a regular basis, but it is also important to scan and test after any significant change to the network.

Secure payment card applications

If payment applications or cardholder data are hosted externally, the PCI Council warns retailers to ensure that any shared hosting provider protects each entity's hosted environment and cardholder data.

One of the most obvious steps for businesses to take, but one that unfortunately too many ignore, is to ensure that all system components and software are protected from known vulnerabilities by installing the latest security patches.

With the cyber sphere constantly evolving, retailers should address new threats and vulnerabilities on an ongoing basis and ensure payment card applications are protected against known attacks.



Monitor and control access to your systems

When valuable cardholder data is concerned, it is better to deny access by default than to allow it. Establish an access control system that is set to "deny all" unless access is specifically allowed. Give selected users access to the system or cardholder data, but impose restrictions based on the user's and the company's requirements.

The PCI Council can request records to prove that you are compliant, so it is crucial that every company operating online implements, records and secures automated audit trails for all system components. Log reviews must include details of servers that perform security functions such as intrusion detection systems (IDS).

Automation matters here too. Companies are required to deploy file integrity monitoring tools to alert them to any unauthorised modifications to critical system files, configuration files or content files.

Protect stored cardholder data

Consumers and businesses making purchases online are still concerned that their card details are at risk of being compromised. It is imperative then, that every retailer, whether online or on the high street, masks the primary account number (PAN) when displayed and renders it unreadable anywhere it is stored.

Another requirement outlined by the PCI Council is to protect any keys used to secure cardholder data. Companies must document and implement all key management processes and procedures for cryptographic keys used for encryption.
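As an added example that is not part of the original article, the following code shows the two PAN handling rules from this section in working form: masking for display (PCI DSS permits at most the first six and last four digits to remain visible) and a keyed one-way hash (HMAC-SHA-256) so a stored record can be matched to a card without storing the PAN itself. It also scrubs PANs out of free text such as log lines, which supports the retention limits discussed earlier. The key value, the Luhn-based detection heuristic and the sample log line are constructed assumptions; the Visa test number 4111 1111 1111 1111 is not a real card.

```python
import hashlib
import hmac
import re

# Constructed demo key: a real deployment takes it from a managed key store and
# rotates it under the documented key-management procedures PCI DSS requires.
PAN_HASH_KEY = b"constructed-demo-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit, Luhn-valid number; separators are ignored."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible."""
    if not looks_like_pan(pan):
        raise ValueError("not a well-formed PAN")
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pan_reference(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA-256): lets records be matched without
    storing the PAN, and the secret key defeats brute-forcing the digits."""
    digits = re.sub(r"[ -]", "", pan)
    return hmac.new(PAN_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with its
    masked form; other long digit runs such as order ids are left alone."""
    def replace(match):
        found = match.group(0)
        return mask_pan(found) if looks_like_pan(found) else found
    return PAN_PATTERN.sub(replace, text)
```

Running `scrub_pans` over a constructed line such as `"2024-01-01 order=1234 card=4111 1111 1111 1111 amount=19.99"` yields `card=411111******1111` with the date, order id and amount untouched.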

Retailers are also advised to store media back-ups in a secure location, preferably at an offsite or commercial storage facility. Furthermore, any internal or external distribution of media must be maintained under strict control.

Finalise remaining compliance efforts and ensure all controls are in place

PCI DSS compliance need not be a cumbersome task but, like any other compliance standard, it should be taken seriously.

Every IT department must develop daily operational security procedures, such as user account maintenance and log review procedures. In addition, you should create usage policies for technologies such as mobile devices.

Ensure your security policies and procedures clearly define information security responsibilities for all personnel. Also implement an incident response plan, so you are prepared to react immediately to a breach.

Don’t take risks

Criminals will continue to find ways to attack card data and, if you don’t comply with the PCI standards, you could face serious repercussions that are not only financially damaging, but can affect the reputation of your company. It is imperative that every online retailer is compliant, so don’t take risks – it will never be worth it.

Didier Godart is a co-author of the first PCI-DSS and risk product manager at Rapid7.
