PCI Compliance and How SSL Certificates Fit

by Dan Sullivan


The Payment Card Industry Data Security Standard (PCI DSS) was designed to protect consumers, merchants, and banks from costly fraud caused by insufficient security. To comply, organizations that store, process, or transmit payment card data have to implement measures such as encrypting cardholder data in transit and locking down the servers used in payment processing. SSL certificates are used to authenticate those servers and to establish the encrypted sessions. The Shortcut Guide to PCI Compliance and How SSL Certificates Fit provides an overview of the PCI DSS requirements, describes the structure and function of SSL certificates, and explains how SSL fits into the compliance picture. The final chapter of the guide is a checklist for implementing SSL certificates and preparing for PCI audits.


Chapter 1: Overview of Payment Card Industry Data Security Standards

The payment card industry is the target of substantial fraud. Organized cybercrime groups are sophisticated and well enough established to run underground markets for credit card fraud software, stolen card data, and supporting services. Legitimate businesses have responded with efforts to improve the security of a highly distributed and decentralized payment card system. SSL certificates play key roles in preserving the confidentiality and integrity of payment card data in transit.

Chapter 2: Overview of SSL Certificates

SSL certificates are an important element of the security infrastructure that protects systems and communications. In that role, they also enable customers to trust businesses with which they have no prior relationship. What is it about SSL certificates that enables these properties? To answer this question, we must understand the components of an SSL certificate and how they are used for authentication and encryption. We also need to understand the different uses of SSL certificates and how they enable the formation of trust. This chapter is organized into five sections that address these issues:

  • Components of an SSL certificate
  • Authenticating servers with SSL certificates
  • Encryption and SSL
  • Different uses of SSL certificates
  • Trust and SSL security
We start with the basic building blocks of SSL certificates.

Chapter 3: What Is Required by PCI Data Standards?

The PCI Security Standards Council publishes a number of documents for businesses, IT professionals, software developers, and others who participate in implementing the PCI Data Security Standard (PCI DSS). One of these, PCI DSS Requirements and Security Assessment Procedures (version 2.0), describes the requirements for businesses working with payment card data. The document organizes its twelve high-level requirements under six control objectives:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

This chapter will describe these requirements in a slightly different structure, organized more around clusters of requirements that would be addressed by different groups within an IT department, for example, developers and systems administrators. These are not hard and fast divisions. Some of the requirements necessitate collaboration between developers, systems administrators, application architects, and application managers. Keeping in mind the need for multiple skill sets, we will discuss the requirements organized around:

  • Data collection and storage practices
  • Infrastructure security
  • Vulnerability assessment
  • Monitoring and reporting

We begin with the most basic of tasks: collecting data.

Chapter 4: PCI Compliance Checklist

The Payment Card Industry Data Security Standard (PCI DSS) is not a set of recommended best practices; it is a set of required policies, procedures, and technical controls for businesses that store, process, or transmit payment card data. The PCI Security Standards Council provides a number of documents that describe the requirements in detail, along with FAQs and guidelines; these are available in the council's document library. This chapter highlights key compliance areas with a focus on the use of SSL certificates, including:

  • Self-assessment activities
  • Security of servers and data transmission with SSL
  • Essential security policies related to SSL certificates
  • SSL certificate life cycle management
Before delving into the details of how to use SSL certificates to meet PCI DSS requirements, we will discuss the self-assessment process.
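The server authentication and trust points outlined in Chapter 2, and the certificate life-cycle point from Chapter 4, as a worked example added here (this is not code from the guide): a POSIX shell script that drives the `openssl` command line to set up a throwaway CA, issue a server certificate with a subject alternative name, run the checks a TLS client performs before trusting a server (chain to a trusted CA, validity period, hostname match), reject a self-signed certificate that merely claims the same hostname, and test for upcoming expiry the way a renewal monitor would. The hostnames (`shop.example.test`, `pay.example.test`), the CA name, the validity periods and the scratch directory are assumptions chosen for the demonstration, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the guide): a throwaway CA, a server certificate
# issued under it, and the checks a TLS client performs before trusting a
# server. Hostnames, the CA name and $WORK are assumptions for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory; never reuse for real keys

# Trust anchor: a private key and a self-signed CA certificate. For a real shop
# this role is played by a public CA that browsers already trust.
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
        -subj "/CN=Example Test CA" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate: $1 = hostname, $2 = file prefix, $3 = validity (days).
# The server keeps its private key; only the CSR (public key + identity) goes to
# the CA, which binds the two together with its signature.
issue_server_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$2.key" 2>/dev/null
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$1" \
        -out "$WORK/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
        > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days "$3" -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# A self-signed certificate that merely claims the hostname: this is what anyone
# can produce without the CA's private key. $1 = hostname, $2 = file prefix.
make_rogue_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$2.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/$2.key" -sha256 -days 90 \
        -subj "/CN=$1" -out "$WORK/$2.crt" 2>/dev/null
}

# Client-side authentication: chain to the trusted CA, validity dates, and the
# expected hostname. $1 = certificate file, $2 = hostname. Returns 0 only if all pass.
verify_server_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Life-cycle check used in renewal monitoring: returns 0 if $1 is still valid
# $2 seconds from now, 1 if it expires inside that window.
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# The certificate components an administrator or assessor inspects.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

demo() {
    make_ca
    issue_server_cert shop.example.test shop 90
    make_rogue_cert shop.example.test rogue
    show_cert "$WORK/shop.crt"
    verify_server_cert "$WORK/shop.crt" shop.example.test \
        && echo "shop.crt: trusted for shop.example.test"
    verify_server_cert "$WORK/shop.crt" pay.example.test \
        || echo "shop.crt: rejected for pay.example.test (hostname mismatch)"
    verify_server_cert "$WORK/rogue.crt" shop.example.test \
        || echo "rogue.crt: rejected (not issued by a trusted CA)"
    not_expiring_within "$WORK/shop.crt" 2592000 \
        && echo "shop.crt: more than 30 days of validity left"
}

demo
```

The two rejections are the substance of server authentication: a certificate on its own proves nothing, because anyone can mint one for any name; what proves identity is the signature of a CA the client already trusts, covering the name the client actually connected to. The `-checkend` call is the building block of the life-cycle monitoring Chapter 4 covers: an expired certificate fails the same `openssl verify` check and breaks the encrypted connection, so renewal has to be tracked rather than discovered through a browser warning. One terminology caveat: "SSL certificate" is the common name, but the objects are X.509 certificates, and current deployments use them with TLS, since the SSL protocol versions themselves are deprecated.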