Major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when companies process, store, or transmit credit card information. For a fuller definition of PCI Compliance, be sure to read our blog article.

If you run credit cards, eventually your processor may ask you to prove that your website is PCI compliant. PCI compliance is just a simple security test. The credit card processor wants to ensure that there are no glaring vulnerabilities that would allow hackers to access sensitive data regarding your users' credit card information. In this article, we're going to take you through the steps of PCI compliance and let you know what to expect.

PCI compliance testing is usually an annual process and is required to prove certain security parameters based on the server and programming you use for your website. Alternate Image's websites are written in ColdFusion, a language made by Adobe.

To achieve PCI compliance, your credit card processor has a PCI vendor (of their choosing) run a remote scan of your website. After the scan, there are usually a few items (vulnerabilities) that need clarification. These items are appealed through the PCI vendor, who then declares you "PCI compliant"... for this year. Yes, you read that right. Once you get a PCI request, it's something that has to be done every year.

The reason they need clarification is that they simply can't see much with their remote scans. For example: if your website is written in ColdFusion, you always get a couple of standard ColdFusion-specific "vulnerabilities". If the website were written in PHP, you would get the standard PHP vulnerabilities, and so on. Whether these vulnerabilities are actually present cannot be determined through the scan, so an appeals process is required to clarify and confirm that security measures are in place.

An example of a ColdFusion "vulnerability" is "Predictable Session IDs". To resolve this issue, we simply run our servers with "J2EE session variables". The PCI vendors are even nice enough to tell us what the solutions are. Adobe (the makers of ColdFusion) published a tech note specifying what to do in order to ensure PCI compliance.
It is literally a checkbox in our ColdFusion administration panel. But because the PCI vendor is scanning remotely, they cannot verify whether this box is checked or not. This is why there is a PCI appeals process.
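As an added illustration (this code is not from the original post or from Adobe), here is a small Python check for the property a scanner is looking for when it reports "Predictable Session IDs": whether a sample of session identifiers looks like a counter or carries too little randomness. The identifiers below are constructed; the first list mimics a counter-style value, the second a container-generated random token.

```python
import math
from collections import Counter

# Constructed sample identifiers (not captured from any real site). The first set
# mimics a counter-style session identifier, the second a random 128-bit token such
# as a servlet container issues for J2EE sessions.
COUNTER_STYLE_IDS = ["40117", "40118", "40119", "40120", "40121"]
RANDOM_STYLE_IDS = [
    "3F2A9C7D1B8E4F60A5C3D9E2B7F1A4C8",
    "A91E4D07C3B6F2E85D1A0C9F7B3E6D24",
    "7C05B8E2F9A1D64C3E8B2F0A5D7C1E93",
    "E6D13A9F4B7C2E05A8F1D3C6B9E4A702",
    "0B8F2C6E9A3D5F17C4E0B2A8D6F3C591",
]

def shannon_bits(ids):
    """Rough entropy estimate per identifier: per-character Shannon entropy over
    the whole sample, multiplied by the average identifier length."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    per_char = -sum((c / total) * math.log2(c / total) for c in counts.values())
    avg_len = sum(len(i) for i in ids) / len(ids)
    return per_char * avg_len

def is_sequential(ids, max_step=10):
    """True when every identifier is a base-10 integer and consecutive values
    differ by at most max_step, i.e. the identifier behaves like a counter."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    return all(0 <= b - a <= max_step for a, b in zip(values, values[1:]))

def assess(ids, min_bits=64):
    """Classify a sample of session identifiers as 'predictable' or 'ok'.
    The 64-bit floor is an assumed threshold, not a PCI-mandated number."""
    if is_sequential(ids) or shannon_bits(ids) < min_bits:
        return "predictable"
    return "ok"

if __name__ == "__main__":
    for name, sample in (("counter-style", COUNTER_STYLE_IDS),
                         ("random-style", RANDOM_STYLE_IDS)):
        print(name, round(shannon_bits(sample), 1), "bits,", assess(sample))
```

Running it against identifiers collected from your own server (for example, by opening several fresh sessions and reading the session cookie each time) shows whether the configuration change actually took effect before the vendor's next scan.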
You will receive a login to your PCI vendor's website. Here we can see whatever "vulnerabilities" they have found and can resolve them through the standard appeals process for each one. In the case of "Predictable Session IDs", we confirm for the vendor that we are, in fact, running J2EE sessions and we point them to the Adobe tech note. Problem solved. This is how each vulnerability is handled and therefore each vulnerability is resolved.

Unfortunately, this is not a one-time process. Because PCI continually requires and monitors websites for these vulnerabilities, each year they will be scanning and each year we will be following the PCI appeals process to resolve the vulnerabilities found. This is not something you should be alarmed about; however, it is important that you are informed.

We have found some PCI vendors to be more difficult to work with, and therefore we suggest TrustKeeper, whom we work with exclusively. TrustKeeper is a certified PCI compliance provider for all credit card companies. They have proven to respond regularly and in a timely manner. If the PCI vendor does not respond, you will continue to receive messages that you are not PCI compliant, which can result in additional fees and frustration.
If you have any questions about PCI Compliance please do not hesitate to call 386-760-1774.