A PCI compliance violation can lead to hefty fines for you and your business. As PCI security compliance experts, we help organizations manage PCI DSS compliance comprehensively.

Here we share a use case with our readers, demonstrating how we ran a PCI compliance audit for one of our clients and helped them secure their customers’ vital data.

What is PCI Compliance?

What is PCI Compliance for Online Businesses

Papadent, one of the leading sellers of DIY auto repair tools, approached us to build a website for selling automotive tools online. The client had worked as an automotive body repair technician. He was looking for an online presence, so i-Verve developed the online store https://www.papadent.com using WordPress, and the client started enjoying strong sales and profits.

The client came back to us stating that the government had made it mandatory for the website to be PCI compliant, in order to secure important customer information and avoid data breaches. Federal law in the US expected all online merchants to ensure PCI compliance.

Payment Card Industry Data Security Standard (PCI DSS) compliance helps to improve the level of security and boost customer confidence.

Any online website that accepts payments by debit or credit card needs to be PCI compliant/certified. Electronic payments need a high level of security. Whatever the size of your organization and its transaction volume, PCI DSS applies to any website that accepts card payments or handles any confidential customer information. Different levels of compliance apply to online merchants based on transaction volume.

PCI DSS Compliance Levels

Different levels of PCI Compliance

Whatever the size of the business or organization and the volume of transactions, PCI DSS applies to anyone who accepts card payments, transmits card data, or stores any information regarding that data. Different levels do apply, however, with merchants falling into one of four, based on the volume of transactions. Each level features different standards of compliance, designed to reflect the amount of risk the organization may be subject to.

Benefits of PCI Compliance for Online Businesses

  • PCI compliance ensures that your customers’ data and confidential information is safe and secure.
  • Protect your business against attacks that exploit vulnerabilities.
  • Enhance your business reputation and build brand credibility.
  • Boost customer confidence and increase your sales online.

Data thieves are becoming increasingly sophisticated and adopt new technologies and features quickly. Any company that accepts credit or debit cards should secure itself with PCI compliance. The risk is higher for merchants that accept recurring payments.

It can be easier for smaller businesses to meet PCI DSS compliance. For larger organizations it may be a difficult process, as the standard requires changes to be made at every level: infrastructure, application, network, operating system, and procedures. The wider the environment, the more difficult it is to meet the PCI DSS requirements.

Errors Found in the PCI Compliance Scan:

1. Vulnerable WordPress version: 4.8
2. Vulnerable jQuery version: 1.11.0
3. Web error message information leakage: /
4. Web program allows cross-site scripting in the query string (/)

We also got errors on the server side:

5. SSL backdoor found
6. OpenSSH 7.4 is vulnerable
7. SSL/TLS server supports short block sizes (SWEET32 attack)
8. Server is susceptible to the POODLE attack over TLS – 3
9. The server supports TLS 1.0
10. WebDAV extensions are enabled

We contacted the hosting provider’s support team and passed these server-side findings to them. We disabled extensions that were not required, such as WebDAV.

We took the required steps on the development side for the following PCI findings:

1. Vulnerable WordPress version
2. Vulnerable jQuery version
3. Web error message information leakage: /
4. Web program allows cross-site scripting in the query string (/)

What solution (PCI Implementation) was provided by i-Verve?

  • Remove sensitive authentication data.
  • Protect the internal networks.
  • Secure payment card applications.
  • Monitor and control access to your systems.
  • Protect stored cardholder data.
  • Finalize remaining compliance efforts.

We updated WordPress to the latest version and installed a compatible jQuery version. We first updated PHP to version 5.6, then safely updated WordPress to the latest version by manually uploading the files. We removed the old jQuery version and set up a compatible one; our team also removed references to the old version from the theme’s JS and CSS files.

Web error message information leakage:
We removed application flow information from the code, back-end, and database.

Web program allows cross-site scripting in the query string (/):
We validated the query string in the WooCommerce code for the checkout page and other pages to stop XSS attacks arriving in the HTTP request from the browser. We used the Wordfence plug-in to report XSS attempts and block the attacker’s IP, with these details listed in the WordPress back-end. After that, we added a plug-in to set security headers and deny XSS attacks carried in HTTP requests.
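The pattern behind the query-string XSS finding and its fix, as an added example (not i-Verve’s, WordPress’s or WooCommerce’s code): it assumes a WordPress plug-in or theme functions.php as the host, a hypothetical search parameter `q`, and uses a deliberately simple logging heuristic to record attempted injection for the back-end.

```php
<?php
// Added illustration, not code from the audited site. Runs inside WordPress
// (plug-in or theme functions.php); the 'q' parameter is hypothetical.

// --- Vulnerable pattern the scanner flagged: a query-string value is
// reflected into the page unchanged, so any markup in ?q= is rendered.
function papadent_vulnerable_search_heading() {
    echo '<h2>Results for: ' . $_GET['q'] . '</h2>';
}

// --- Hardened form: sanitize on input, escape on output.
function papadent_search_term() {
    if ( ! isset( $_GET['q'] ) ) {
        return '';
    }
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, null bytes and line breaks.
    return sanitize_text_field( wp_unslash( $_GET['q'] ) );
}

function papadent_search_heading() {
    // esc_html() is the real output defense: the value can only render as text.
    echo '<h2>Results for: ' . esc_html( papadent_search_term() ) . '</h2>';
}

// --- Detection: record raw query strings containing angle brackets (literal
// or URL-encoded) so attempts show up in the server log alongside the
// firewall plug-in's reports. Constructed heuristic; tune before relying on it.
function papadent_log_suspicious_query() {
    $raw = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( preg_match( '/[<>]|%3C|%3E/i', $raw ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Suspicious query string from %s: %s', $ip, substr( $raw, 0, 200 ) ) );
    }
}
add_action( 'init', 'papadent_log_suspicious_query' );

// --- Security headers on every front-end response, limiting what an injected
// script could do if a reflection slips through. The CSP line must be tested
// first: WooCommerce relies on inline scripts and may need a relaxed policy.
function papadent_security_headers( $headers ) {
    $headers['X-Content-Type-Options']   = 'nosniff';
    $headers['X-Frame-Options']          = 'SAMEORIGIN';
    $headers['Referrer-Policy']          = 'strict-origin-when-cross-origin';
    $headers['Content-Security-Policy']  = "default-src 'self'; object-src 'none'";
    return $headers;
}
add_filter( 'wp_headers', 'papadent_security_headers' );
```

The `wp_headers` filter only covers front-end requests served through WordPress, so headers for static files and the admin area still need to be set in the web server configuration.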

After applying all these required steps, we got an error-free PCI compliance report. The client was happy with the solution we provided. Every eCommerce website that accepts online payments by debit or credit card should ensure PCI compliance to secure its customers’ sensitive data. i-Verve can help you secure and safeguard your eCommerce store. Get in touch with us for more information.
