Addressing the PCI Data Security Standard within HCL Commerce
The following topics deal with each of the detailed requirements that pertain to HCL Commerce. Some of the requirements are directly related to the HCL Commerce software package. Other requirements are unrelated, or indirectly relate to the HCL Commerce software package. For example, indirect requirements can affect your use of the operating system security features to secure HCL Commerce files.
For each requirement that directly affects HCL Commerce, the requirement is reprinted in italics and addressed point by point. In some cases, it is an explanation or confirmation that the requirement is met. In others cases, you must enable or disable features.
For several of the requirements that are related only to PCI compliance (and not to WebSphere Commerce) you are referred directly to the PCI DSS for details. Ensure that you keep up with the rapid pace of changing security requirements.
Required fixes and modifications for PCI compliance
In addition, it is recommended that you apply security fixes as recommended in the HCL Commerce Security Bulletins.
- Go to My notifications.
- Lookup and subscribe to notifications for your HCL Commerce product. For example, HCL Commerce Enterprise.
- Select .
- Ensure that the Security bulletin document type is selected.Note: All document types are selected by default.
- Click Submit.
Summary of specific configuration actions required in your HCL Commerce implementation
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Ensure that you implement HCL Commerce in a 3-tier configuration.
- Requirement 3: Protect stored cardholder data
- Use DBclean periodically.
- Use the Key Locator Framework to store the merchant encryption key.
- Change your merchant encryption key when required, and at least annually.
- Change the default number of plain text digits that are shown in the account number 5 - 4.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Disable SSLv2 encryption on your web server.
- Requirement 6: Develop and maintain secure systems and applications
- Ensure that your store error pages do not display stack traces, either visibly, or in the page source.
- Requirement 10: Track and monitor all access to network resources and cardholder data
- To comply with the PCI-DSS, you must enable business auditing for the orders component.
- To comply with the PCI-DSS, you must enable DB2 or Oracle auditing for the BUSAUDIT table.