PCI Compliance

PCI Compliance continues to confuse the masses, so this article sets out what is actually needed. It is aimed at clearing up the confusion around hosting providers and PCI Compliance, and does not address the different compliance levels based on transaction volume.

Location

At this stage it is worth pointing out that there are different levels of PCI Compliance. Let’s start with the Data Center where the server is hosted, because the initial confusion usually starts here. Many people wrongly believe that responsibility for PCI Compliance rests solely with the Data Center. Even if a Data Center has chosen to be formally recognized as PCI Compliant, you don’t inherit ANY of that compliance. Below are the requirements a Data Center must meet to be PCI Compliant:

9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?

9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?

9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?

9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?

9.1.2 Is physical access to publicly accessible network jacks restricted?

9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?

9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?

9.3 Are all visitors handled as follows:

9.3.1 Authorized before entering areas where cardholder data is processed or maintained?

9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?

9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?

9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?

9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?

9.4.c Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?

I can’t think of any reasonable Data Center these days which wouldn’t meet these requirements. As part of your own compliance, you will need to certify that the Data Center does meet them. If you are sure the Data Center follows these policies, it is safe to answer yes to these questions. But just because I don’t know of any Data Centers that don’t, it doesn’t mean they don’t exist: you have to be very sure of that aspect. The easiest way to be sure is to ask the Data Center in question, or your hosting provider, whether they hold a certification they can show you. They don’t need one to be meeting the requirements, though.

Environment

The next step is the physical or virtual environment where your website is located. I don’t want to even guess how many websites out there hold a PCI Compliance certificate obtained by not answering the questions truthfully. How many of you have a firewall in front of your servers? How many of you have split web, SQL, mail, DNS or any other service between servers? These are all requirements, and they don’t come cheap. If you are reading this and thinking “Huh? I don’t have this in my environment, but I am compliant!”, well, you aren’t. If you suffer a breach, an investigation is carried out and you divulge your setup, your insurance would be invalid. You would also be open to litigation from your merchant provider and your customers, along with anyone else impacted by the breach. Read https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf for the full requirements.

Configuration

We now come to the actual scan. This is what people usually concentrate on, as it is the one part they can’t lie or skip their way through. After you have certified that your setup, physical or virtual, meets PCI Compliance, a scan will be performed against your website/server. I say website because part of the scan actually checks your website for vulnerabilities. During this scan you will no doubt see that your website has many vulnerabilities. Not all of these are actual vulnerabilities, and many are theoretical, but they still need fixing. It is generally the hosting provider’s responsibility to fix things such as the software versions of PHP, SQL or Apache. Things like SSH protocol versions, SSL and open ports also fall under the hosting provider’s responsibility. Part of the scan will also test the actual website for vulnerabilities, focusing mostly on SQL injection and cross-site scripting; these are the types of things which need fixing by your developer. You can’t expect your hosting company to change your website code.
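As an added illustration (not from the article or from eUKhost) of the two finding classes the scan leaves to your developer, here are the vulnerable and hardened forms of a database lookup and a page render, using an in-memory SQLite table constructed for the example:

```python
"""Vulnerable vs. hardened handling of the two findings the article
assigns to the developer: SQL injection and cross-site scripting.
Added example; the customer table below is constructed sample data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample customer table (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?)",
                    [("alice@example.com", "Alice"),
                     ("bob@example.com", "Bob")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, email: str) -> list:
    """String-built query: this is what the scanner's SQL injection
    finding points at. The user-supplied value becomes SQL grammar."""
    sql = f"SELECT name FROM customers WHERE email = '{email}'"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value is bound as data and never parsed
    as SQL, so an input containing quotes simply matches no row."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in con.execute(sql, (email,))]


def render_vulnerable(name: str) -> str:
    """Reflects input into HTML unescaped: the cross-site scripting
    finding. Any markup in the value is interpreted by the browser."""
    return f"<p>Hello, {name}</p>"


def render_hardened(name: str) -> str:
    """Escapes on output, so markup in the value is shown as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"           # constructed test input
    print(lookup_vulnerable(db, probe))  # every row comes back
    print(lookup_hardened(db, probe))    # [] : no such email
    print(render_vulnerable("<b>Bob</b>"))
    print(render_hardened("<b>Bob</b>"))
```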

All of these parameters change over time, sometimes within days, and most providers will scan you either monthly or quarterly. Expect to fail almost every time, and allow your hosting company and site developers the chance to address the new requirements.

Warning

Don’t always trust your provider, particularly in shared environments. Is it possible for a shared hosting environment to be PCI Compliant? Yes, but it is incredibly difficult. There are hosts out there which specialize in this type of shared hosting, at a premium. Bear in mind that SQL injection and cross-site scripting exposure is unique to your own website, and very few shared hosting providers will run an individual scan for it; you would still need to arrange that yourself. Remember, a provider’s compliance doesn’t mean you are compliant. The responsibility ultimately falls on you.

John Strong
Managing Director

Ben Stones

Ben's main IT experience is on software, programming, website development and marketing topics including search engine optimisation. At eUKhost, he regularly works alongside the marketing department on product marketing strategies, and in the development and quality control of the communications which are sent to customers and through the press distribution network. Aside from his regular collaboration with the marketing department on product marketing objectives, Ben occasionally works with the design department in conjunction with the management team on the development of new product pages and the stringent quality control requirements.