Less than two weeks ago, we released a new capability to help online merchants audit their WAF and demonstrate compliance to their PCI auditors. Ever since, we have been receiving questions from both long-time customers and prospects evaluating Incapsula about the subtleties of PCI and how it relates to their websites.
More and more businesses are choosing to sell products online. And while handling transactions and processing credit card payments on a website may be a cost-effective way to boost business, it does not come without risks.
The major payment card brands created PCI DSS (Payment Card Industry Data Security Standard) to ensure that businesses protect cardholder data. Any business that stores, processes or transmits card payment data online must be PCI DSS compliant. Failure to comply can result in fines or even in the business being barred from accepting card transactions on its site. Non-compliant businesses can also be held liable if a customer's card data is compromised.
So… if you process credit cards on your website (without handing the payment step off to a hosted payment processor page), you need to comply with the PCI DSS requirements. Furthermore, even if you use third-party eCommerce software that is PA-DSS validated, that software still needs to run in a PCI DSS compliant environment; PA-DSS validation of the application does not make your deployment compliant by itself.
This means that every service provider that transmits, stores or processes your customers' card data needs to be a validated PCI DSS compliant service provider and needs to be listed in your PCI assessment.
So… how does Incapsula help with all this?
PCI DSS Requirement 6.6 addresses public-facing web applications: it calls for either ongoing application vulnerability reviews or an automated solution that detects and prevents web-based attacks, such as a WAF, to mitigate application-level attacks on your website. These are attacks that exploit coding and configuration vulnerabilities and expose your website to data theft. Incapsula provides a full-blown, enterprise-grade WAF for this exact purpose. However, a WAF only satisfies its purpose if it is set up correctly and kept up to date with the latest vulnerability information. That's why our security team constantly updates the WAF signatures, so that all websites behind Incapsula stay protected against newly published attacks.
One additional and very important point: Incapsula is the only PCI certified cloud WAF & CDN for small and medium-sized businesses. Any CDN or cloud WAF that sits in front of your checkout pages proxies the traffic carrying cardholder data, which makes it a service provider that transmits that data and must itself be PCI DSS compliant. If a merchant that needs to be PCI compliant uses a non-compliant service provider, the merchant is (by definition) non-compliant.
When you note in your PCI assessment that you use Incapsula to accelerate and protect your website, your auditor can verify that this part of your environment is handled by a validated PCI DSS compliant service provider, and you can focus on the other areas of your PCI compliance and on running your business.
For more information on Incapsula’s PCI compliance solution for business and enterprise customers, click here.