PCI Compliance continues to confuse the masses. I will aim to address this confusion and actually explain what is needed. This article aims to clear up the confusion regarding hosting providers and PCI Compliance; it won’t address the different merchant levels that depend on transaction volume.
At this stage it is worth pointing out that there are different levels of PCI Compliance. Firstly, let’s start with the Data Center where the server is hosted. The initial confusion usually starts here. Many people wrongly believe that the responsibility for PCI Compliance lies solely with the Data Center. Even if a Data Center has chosen to be formally recognized as PCI Compliant, you don’t inherit ANY of that compliance. Below are the requirements for a Data Center to be PCI Compliant:
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1.1.a Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
9.1.1.b Is data collected from video cameras reviewed and correlated with other entries?
9.1.1.c Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
9.4.a Is a visitor log in use to maintain a physical audit trail of visitor activity?
9.4.b Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
9.4.c Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?
I can’t think of any reasonable Data Center these days which wouldn’t meet these requirements. As part of your own compliance, you will need to certify that the Data Center meets these requirements. If you are sure that the Data Center does indeed follow these policies, it is safe to answer yes to these questions. Just because I don’t know of any Data Centers out there that don’t meet them doesn’t mean they don’t exist, so you have to be very sure of that aspect. The easiest way for you to be sure is to ask the Data Center in question, or your hosting provider, whether they have a certification they could show you. They don’t need to have one to be meeting the requirements, though.
The next step is the physical or virtual environment where your website is located. I don’t want to even guess how many websites out there have a PCI Compliance certificate but have obtained it by not answering the questions truthfully. How many of you have a firewall in front of your servers? How many of you have split web, SQL, mail, DNS or any other service between servers? These are all requirements, and those requirements don’t come cheap. If you are reading this now and you are thinking “Huh? I don’t have this in my environment, but I am compliant!” well, you aren’t. If you have a breach, an investigation is carried out and you divulge your setup, your insurance would be invalid. You would also be open to litigation from your merchant provider and your customers, along with anyone else impacted by said breach. Read https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf for the full requirements.
We now come onto the actual scan. This is what people usually concentrate on, as it is something they can’t lie or skip their way through. After you have certified that your setup, physical or virtual, meets PCI Compliance, a scan will be performed against your website/server. I say website, as part of the scan actually checks your website for vulnerabilities. During this scan you will no doubt see that your website has many vulnerabilities. Firstly, not all of these are actual vulnerabilities and many are theoretical, but they still need fixing. It is generally the hosting provider’s responsibility to fix things such as software versions of PHP, SQL or Apache. Things like SSH protocol versions, SSL and open ports also fall under the responsibility of the hosting provider. Part of the scan will also test the actual website for vulnerabilities. Mostly SQL injection and cross-site scripting are what they focus on, and these are the types of things which need fixing by your developer. You can’t expect your hosting company to change your website code.
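To show concretely what the scan is flagging on the developer’s side, here is an added example (not code from the article or from any hosting provider) with the two classic findings, a SQL injection and a reflected cross-site scripting bug, each beside its fixed form. The customer table and its rows are constructed for the example; sqlite3 stands in for whatever database the site actually uses.

```python
import html
import sqlite3

# Constructed sample data standing in for a shop's customer table (not from the article).
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def open_sample_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # The pattern a scan flags as SQL injection: user input pasted into the SQL text,
    # so a crafted username changes the WHERE clause instead of being compared to it.
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the driver binds the value separately from the statement,
    # so whatever the input contains it is only ever compared as a string.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(username):
    # Reflecting input unescaped into HTML is the cross-site scripting finding:
    # markup inside the username is handed to the browser as markup.
    return "<p>Welcome, %s</p>" % username


def render_hardened(username):
    # Escape at the output boundary so the browser treats the input as text.
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)
```

Running a scanner-style probe such as `' OR '1'='1` through both lookups shows the difference: the vulnerable query returns every customer, the parameterised one returns nothing.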
All of these parameters change over time, sometimes over days, and most providers will scan you either monthly or quarterly. Expect to fail almost every time and allow your hosting company and site developers the chance to address the new requirements.
Don’t always trust your provider, particularly in shared environments. Is it possible for a shared hosting environment to be PCI Compliant? Yes, but it is incredibly difficult. There are hosts out there which specialize in this type of shared hosting, at a premium that is. Bear in mind that SQL injection and cross-site scripting findings are unique to your own website. Very few shared hosting providers will actually run an individual scan against your website; you would still need to arrange that yourself. Remember, a provider’s compliance doesn’t mean you are compliant. The responsibility ultimately falls on you.