You certainly want to ensure that credit card payments are executed securely on your commerce site. You also want the site to be validated as compliant, so customers can purchase your goods or services with their credit cards. To provide the security guidelines, tools, and validation programs, the major card brands formed the Payment Card Industry (PCI) Security Standards Council.
The PCI Data Security Standard (PCI DSS) defines 12 requirements, grouped into these six goals, that your commerce site must meet to be compliant:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
See this PCI Certification article for more detail on the requirements.
Merchants and service providers must validate their compliance with the requirements, either through an assessment by a Qualified Security Assessor (QSA) or, for lower transaction volumes, a self-assessment questionnaire. Beyond its intrinsic site and cardholder security value, validated compliance is a condition the card brands and acquiring banks impose for processing credit card transactions. Failure to adhere to the requirements may result in fines and additional transaction fees.
Passing the initial assessment is only the first step. A merchant must continuously maintain the required PCI controls and adapt them to changes in the standard. The assessment is repeated periodically, and the merchant's externally facing systems must also be scanned each quarter by a PCI Approved Scanning Vendor (ASV).
Incapsula received PCI accreditation a few years ago, meeting all the requirements applicable to a service provider. Since then the service has maintained that accreditation, with the following ongoing requirements:
- Annual review of the PCI-relevant controls
- Annual penetration testing, both internal and external
- Quarterly vulnerability scans
- Annual on-site audit of selected global data centers (points of presence, or PoPs). The audit includes:
  - PoP site physical security controls
  - PoP site facility controls, including areas such as fire and safety
Incapsula is also required to adapt to new or revised requirements in the standard, such as the requirement to migrate from SSL and early TLS to only the newer TLS versions. Those older protocol versions were found to contain vulnerabilities that could expose cardholder data in transit. As the PCI standards continue to be adjusted for upcoming changes, Incapsula plans to meet the new requirements and maintain its security levels for its customer base.
How Incapsula WAF Protects PCI Data
When using the Incapsula Web Application Firewall (WAF), your data is protected end to end. The Incapsula WAF was designed to help an organization meet its PCI requirements. This covers the following two criteria when organizations develop new systems and applications:
- Data masking
Your secure customer transaction data flows through the following processes:
- Transactions are routed via our WAF
- Sensitive fields are masked in memory as the request enters the WAF process, so stored events never contain the raw values
- After inspection and removal of any malicious traffic, the clean traffic is passed through to your site
- Notices and data for malicious traffic events are routed to storage in our Management Center
This process is outlined in the detailed data flow and inspection diagram below.
The WAF satisfies the PCI requirement to protect cardholder data in the events it retains. These retained data sets fall into two main groups:
- Requests identified as malicious traffic
- Full access logs of each request and response message for customers who have this additional service
Cardholder data, such as the card number, in these retained messages is automatically masked, along with approximately 50 other sensitive fields, to protect the privacy of the data per the PCI requirements. You can identify additional data fields to mask by contacting the Incapsula support team.
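To make the masking step concrete, here is an added example of the kind of logic a log-retention path needs; it is illustrative code written for this article, not Incapsula's implementation, and the log lines, field names and masking format are constructed assumptions. It finds card numbers structurally (13 to 19 digits, confirmed with the Luhn check digit so that order ids and timestamps are left alone) and keeps at most the first six and last four digits, which is the maximum PCI DSS permits to be displayed, while named fields such as the CVV are masked entirely because no structural check can identify them:

```python
import re

# Constructed sample log lines (not real traffic, and not Incapsula's log format):
# a query-string request, a JSON body, and a line whose long numbers are not PANs.
SAMPLE_LOGS = [
    "POST /checkout card=4111111111111111&cvv=123&name=Ann",
    '{"pan": "5555 5555 5555 4444", "cvv": "321", "amount": 1999}',
    "GET /order?order_id=1234567890123456&ts=1500000000",
]

# Candidate PAN: 13-19 digits with optional single space/dash separators,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed field names whose values are always masked in full. Matches key=value in
# query strings and "key": "value" in JSON-like bodies.
FIELD_RE = re.compile(
    r"(?i)(?P<key>[\"']?\b(?:cvv2?|cvc|cvn|pin|password|passwd)\b[\"']?\s*[=:]\s*)"
    r"(?P<quote>[\"']?)(?P<val>[^&\s\"',}]*)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # order numbers, timestamps and similar are left untouched
    # Keep first six and last four digits, preserve the original separators.
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if idx < 6 or idx >= len(digits) - 4 else "*")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_line(line: str) -> str:
    """Mask named sensitive fields first, then any Luhn-valid card number."""
    line = FIELD_RE.sub(lambda m: f"{m.group('key')}{m.group('quote')}***", line)
    return PAN_RE.sub(_mask_pan, line)


def mask_logs(lines=SAMPLE_LOGS):
    return [mask_line(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOGS, mask_logs()):
        print(before, "->", after)
```

The Luhn check removes most false positives but not all of them (roughly one random digit run in ten passes), so a production filter should err on the side of over-masking rather than let a real PAN through; masking must also happen before the event is written anywhere, including debug logs and crash dumps, or the retained copy is still in scope.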
The WAF mechanisms for detecting malicious threats are continuously updated to provide maximum protection against the latest application vulnerabilities. A couple of examples of well-known vulnerability classes on the OWASP Top 10 list are:
- SQL injection, where untrusted input is spliced into a database query and interpreted as SQL, allowing an attacker to run unauthorized commands or read data without permission
- Cross-site scripting, where untrusted input is sent to the browser without proper output encoding, allowing the attacker's script to execute in the victim's browser
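To show what these two classes look like at the code level, and what the code-level fix is that the WAF is meant to backstop, here is an added example written for this article (not Incapsula code, and not code from any real site): a constructed in-memory SQLite table stands in for a customer store, and each vulnerable function is shown beside its hardened form.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer store (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name: str):
    # Untrusted input is spliced into the SQL text, so the input can rewrite the query itself.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name: str):
    # Parameterised query: the driver passes the value separately; it is never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def render_vulnerable(name: str) -> str:
    # Untrusted input placed into HTML unescaped: a <script> payload runs in the victim's browser.
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    # Output encoding turns markup characters into entities, so the browser renders text only.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed attack inputs of the two kinds described above.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    conn = build_db()
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, SQLI_PAYLOAD),  # every row leaks
        "sqli_safe": lookup_safe(conn, SQLI_PAYLOAD),              # no user has that literal name
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),          # script tag reaches the browser
        "xss_safe": render_safe(XSS_PAYLOAD),                      # script tag becomes &lt;script&gt;
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injected condition `'1'='1'` is true for every row, so the vulnerable lookup returns both customers' emails while the parameterised one returns nothing; the same input string reaches both functions, and the difference is only whether it is treated as data or as code. A WAF can block the obvious payloads on the way in, but the parameterised query and the output encoding are what actually close the hole.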
Web applications are one of the highest risks to an organization. They require a strict development program to prevent them from opening vulnerabilities. The application development itself includes secure coding, code reviews, static code analysis and application testing/QA. These code-level controls require extensive time, resources, expertise and skills, and even then may not cover everything. If you are using the Incapsula cloud WAF, you immediately gain a higher level of protection, reducing the effort required within your organization and freeing your engineering resources to develop new and enhanced site features. The Incapsula WAF satisfies your need to protect your web application and your customers' sensitive cardholder transaction data.