Additional Instructions

Employee Training and Monitoring

The greatest threat to your data comes from your own employees. Be sure to give your employees proper training on your policies for handling cardholder data. Create a set of written policies and procedures to maintain the integrity of your secure environment. Restrict access to cardholder data to only those employees who have a business need for it.

In AbleCommerce, every user access to credit card data is written to the write-only audit log. This log can only be viewed by super user admins. It can help you monitor employee activities and identify suspicious behavior.

Key Management Responsibilities

Maintaining the encryption key for AbleCommerce is an important task because it impacts the security of your data. Only super users can access the key management interface. As a merchant, you must ensure that users responsible for the encryption key sign a written statement that they understand and accept the duties and responsibilities as custodian(s) of the key. The key custodians should be fully familiar with the requirements of the PCI DSS.

Also be sure to maintain appropriate key backups and store the backup keys securely. AbleCommerce provides for the key backup to be split into two parts so that you may have two people each retain part of the key. This would prevent any one person from being able to reconstruct the entire key.
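The following is an added illustration of what a two-part key split provides, not AbleCommerce's own key backup code: the key is XORed with a random pad of the same length, so each custodian's share is indistinguishable from random and the key can only be recovered when both shares are brought together. The fingerprint helper is an assumed convenience for checking a restore without writing the key down.

```python
import hashlib
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Return two shares: share_a is a random pad, share_b = key XOR share_a.
    Either share alone carries no information about the key, so a single
    custodian cannot reconstruct it."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def reconstruct_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both custodians must be present."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_fingerprint(key: bytes) -> str:
    """Short SHA-256 prefix that can be stored next to each share (assumed
    helper) so a restore can be verified without exposing the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def restore(share_a: bytes, share_b: bytes, expected_fp: str) -> bytes:
    """Reconstruct and verify; a wrong or corrupted share is rejected."""
    key = reconstruct_key(share_a, share_b)
    if key_fingerprint(key) != expected_fp:
        raise ValueError("fingerprint mismatch: wrong or corrupted share")
    return key


if __name__ == "__main__":
    # Constructed sample key, not a real AbleCommerce key.
    sample_key = secrets.token_bytes(32)
    a, b = split_key(sample_key)
    assert restore(a, b, key_fingerprint(sample_key)) == sample_key
    print("custodian A share:", a.hex())
    print("custodian B share:", b.hex())
    print("fingerprint:", key_fingerprint(sample_key))
```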

Change your key regularly. Every 90 days is recommended. You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.

Wireless Communications

If you use wireless networking to access sensitive cardholder data, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements.

  • Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.
  • Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
  • Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.
  • Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
    • Use with a minimum 104-bit encryption key and 24-bit initialization value
    • Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
    • Rotate shared WEP keys quarterly (or automatically if the technology permits)
    • Rotate shared WEP keys whenever there are changes in personnel with access to keys
    • Restrict access based on media access code (MAC) address.
  • Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.

Access Control

You must carefully control access to cardholder data. This covers all places where sensitive data may be stored, including databases, servers, and PCs. Follow these rules:

  • Always provide unique usernames for each person who needs access.
  • Always use strong passwords that meet the requirements of the PCI DSS.

Remote Access

If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:

  • Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)
  • Allow connections only from specific (known) IP/MAC addresses
  • Use strong authentication or complex passwords for logins
  • Enable encrypted data transmission
  • Enable account lockout after a certain number of failed login attempts
  • Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed
  • Enable any logging or auditing functions
  • Restrict access to customer passwords to authorized reseller/integrator personnel
  • Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5

Non-Console Administrative Access

If you use tools to remotely access the application, you should encrypt all communication with technologies like SSH, VPN, or SSL/TLS. For example, Microsoft Terminal Services can be configured to use encryption and this should be set to the "high" level. This will ensure that the RDP data is bi-directionally encrypted with a 128-bit key.

Encrypted Config Files

The database.config and encryption.config files are saved in an encrypted form, so that your connection string and encryption key remain protected. If you are installing AbleCommerce to a web farm or clustered environment, you must take additional steps so that this file encryption will work properly. The standard AbleCommerce installation guide contains details on how to implement the application in a clustered environment.

Notes for Integrators

If you are a third party developer who integrates with AbleCommerce or customizes it on behalf of others, you may have occasions where it is necessary to troubleshoot a problem with one of your clients. In these events, please note the following:

  • Sensitive authentication data should only be collected when needed to solve a specific problem.
  • Sensitive data should be stored in specific, known locations with limited access.
  • Only collect the minimum amount of data needed to solve the problem.
  • Sensitive data must be encrypted while it is stored.
  • Sensitive data must be securely deleted immediately after use.

Debug Logging

Payment gateway integrations provided by AbleCommerce all support optional debug logging. The debug log files generated by our integrations never include sensitive card data. Sensitive data such as credit card number and CVV2 are redacted. Third party developers who create new payment integrations are strongly advised to follow the same procedure. Debug logs must not contain sensitive data in order to achieve PCI DSS compliance.
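As an added example for integrators writing their own gateway debug logging (this is not AbleCommerce's redaction code), the filter below masks primary account numbers and CVV values before a request or response line reaches the log. The Luhn check is an assumed false-positive guard so that order numbers and timestamps of similar length are left readable; the field names and the sample request line are constructed.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Common security-code field names (assumed list) followed by 3 or 4 digits.
CVV_RE = re.compile(r"(?i)(cvv2?|cvc2?|cid|card_?code|security_?code)(\s*[=:]\s*)(\d{3,4})")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; used only to avoid masking non-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # looks like an order id or timestamp, keep it
    # Keep only the last four digits, which PCI DSS permits in logs.
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Return the line with CVV values and card numbers masked."""
    line = CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "***", line)
    return PAN_RE.sub(_mask_pan, line)


def write_debug(lines: list[str]) -> list[str]:
    """Redact every line before it is handed to the actual log writer."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    # Constructed gateway request; 4111 1111 1111 1111 is a well-known test PAN.
    sample = "card_number=4111 1111 1111 1111&cvv2=123&amount=10.00&order_id=2024091500001"
    for out in write_debug([sample]):
        print(out)
```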