PCI compliance has specific security requirements which must be met, all our VPS, Cloud servers and dedicated servers are all PCI compliant capable, what this means is that upon request we will perform the configuration changes required to pass PCI compliance.
These requirements vary depending on the level of PCI compliance required however the majority of ecommerce sites require either SAQ A or SAQ A-EP both of which offload payment processing to third-party payment gateways (For example PayPal or Stripe) meaning that no card information is stored or transmitted by our servers. This greatly reduces your compliance burden.
PCI compliance requires the following standards are met:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Important: PCI covers more than just the server environment, it also covers your eCommerce application and your security policies, you will need to also ensure those areas are covered.
What is the PCI compliance process?
When you request a PCI-compliant configuration our engineers will first contact you to determine the application you intend to run and the level of PCI compliance required, as a baseline, we will then perform the following:
- Ensure you have a firewall enabled and have a robust firewall policy implemented.
- Ensure that you have an SSL certificate installed and correct ciphers are set up.
- Ensure that encryption is enforced for all services.
- Disable any software which is not required to provide service.
- Enable and configure intrusion prevention.
- Enable an application firewall
- Enabled and configure anti-virus and anti-malware services.
- Ensure logging and log retention policies are in place
- Apply an access and password policy
- Ensure a backup policy is in place and that backups are encrypted.
Once complete you can then contact your PCI compliance assessor to perform your compliance scan.
Most PCI assessors perform automated scans which makes them susceptible to false positives, if your scan fails at this point don’t worry, simply forward the results to our engineers and we will advise if any further changes are required. If we determine a failure is due to a false positive we will advise how to respond to your assessor who will then mark it as such.
If you have any questions regarding PCI compliance please contact our team and we will be happy to advise.