The Payment Card Industry (PCI) Data Security Standards were designed to help protect consumers, merchants, and banks from costly fraud due to insufficient security. To comply with PCI requirements, those involved with the payment card industry have to implement measures to protect credit card data, such as encrypting credit card data during transmission and locking down the servers used in payment processing. SSL certificates are used to authenticate servers and to enable encryption of data in transit. The Shortcut Guide to PCI Compliance and How SSL Certificates Fit provides an overview of PCI requirements, describes the structure and function of SSL certificates, and explains how SSL fits into the compliance picture. The final chapter of the guide is a checklist on how to implement SSL certificates and prepare for PCI audits.
The payment card industry is the target of substantial fraud. Organized cybercrime groups are sophisticated and well established, to the point of having created underground markets for credit card fraud software, stolen data, and supporting services. Legitimate businesses have responded with efforts to improve the security of a highly distributed and decentralized payment card system. SSL certificates play key roles in preserving the confidentiality and integrity of payment card data.
SSL certificates are an important element of the security infrastructure that protects systems and communications. In that role, they also enable customers to trust businesses with which they might otherwise be unfamiliar. What is it about SSL certificates that enables these properties? To answer this question, we must understand the components of an SSL certificate and how they are used for authentication and encryption. We also need to understand the different uses of SSL certificates and how they enable the formation of trust. This chapter is organized into five sections that will address these issues:
The PCI Data Security Standards Council publishes a number of documents for businesses, IT professionals, software developers, and others who participate in implementing the PCI Data Security Standard (PCI DSS). One of these, the Requirements and Security Assessment Procedures (version 2.0), describes a set of requirements for businesses working with payment card data. The document describes a set of high-level requirements organized into six functional tasks:
This chapter will describe these requirements in a slightly different structure, organized more around clusters of requirements that would be addressed by different groups within an IT department, for example, developers and systems administrators. These are not hard and fast divisions. Some of the requirements necessitate collaboration between developers, systems administrators, application architects, and application managers. Keeping in mind the need for multiple skill sets, we will discuss the requirements organized around:
We begin with the most basic of tasks: collecting data.
The Payment Card Industry Data Security Standard (PCI DSS) contains more than recommended best practices: its contents are required policies, procedures, and technical controls for businesses that use payment cards. The PCI Security Standards Council provides a number of documents that describe the requirements in detail, along with FAQs and guidelines; these are available in the council's documents library. This chapter highlights key compliance areas with a focus on the use of SSL certificates, including:
By sponsoring a book with Realtime Publishers, you will connect your technology company with thousands of IT professionals who need information on the technology topic of your choice. Realtime Publishers works with only the best authors in the IT field to produce expert-level publications that appeal to and educate the IT professional audience.
Visit sponsorships.realtimepublishers.com to learn more about our wide array of sponsorship and content marketing opportunities.