Tuesday, September 27, 2011

A Guide to PCI Compliance

Most of you have heard the term “PCI Compliance” or “PCI DSS,” but what does this mean for you and your business? What are the steps necessary to obtain and maintain compliance?

The PCI Data Security Standard (DSS) is a set of requirements created by major credit card companies that applies to any organization that stores, processes or transmits credit card information. If any credit card information travels through either your website or your hosting environment, you will need to make sure that you maintain Payment Card Industry (PCI) compliance. Violations of the standard or any breach of credit card information can result in very serious fines, as well as more strict requirements for your solution. As everyone knows, stricter requirements almost always translates to more costs for you, and the financial and reputation repercussions can be catastrophic for many of small business owners. If you are new to this topic it may seem overwhelming and difficult to understand at first, but the long-term side effects of not taking the necessary steps towards compliance could possibly land you in the ever-growing unemployment line. The good news is achieving PCI compliance is not as difficult as it may appear.

  1. Divide your front-end and back-end servers into independent solutions
  2. The initial step to becoming compliant is to split your front-end (web) and back-end (database) servers into independent solutions. The reasoning behind this approach is that if there was ever a breach of your public-facing web server, the intruder would not have direct access to the information located and/or processed with your database server.
  3. Enable firewall policies
  4. After you have split into a minimum of two servers, you will want to have your hosting provider enable multiple layers of firewall policies restricting access to and from your now independent solutions. The first requirement regarding firewall policies is to restrict all access except port 80 and port 443.
  5. Remove all public access to your database server
  6. After the necessary firewall policies are implemented, you will connect to your public web server via a secure SSL/VPN connection. To connect to your private database server, you will first login to your web server and then establish a connection to your database server via the specified SQL port.
  7. Hire an Approved Scanning Vendor (ASV)
  8. After you have segregated your web and database server and implemented the necessary firewall policies, you will need to sign up with a third-party ASV of your choice for quarterly scans of your solution. To maintain compliance, you are required to pass a network vulnerability assessment scan every 90 days. The PCI Security Standards Council has a list of over 100 approved vendors that can perform vulnerability audits and help you automate this process. Prices for scanning and other compliance services vary significantly, so we suggest contacting multiple vendors to ensure you are receiving the best available pricing. You will find the Approved Scanning Vendors list at: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Can I avoid being PCI compliant?

If you transfer the risk entirely to someone else who meets the PCI standard, such as PayPal, you can avoid having to being PCI compliant. However, your clients will have to interact directly with PayPal and their credit card information can never pass through your servers. If your website integrates with PayPal via an API, you are still liable for PCI compliance since your servers capture and transmit the credit card data.

What if my application does not store any credit card information?

PCI DSS applies to the handling of data while it is processed over your network, not just the storage of credit card information.

Is the PCI DSS a requirement or a recommendation?

If your business processes, stores or transmits any information listed on a credit or debit card, then you must comply with the PCI DSS Standard. If you are found negligent in the event of a breach, you are likely to face significant fines, higher costs through increased compliance requirements, larger merchant fees and/or potential suspension or cancellation from your credit card merchants.

If I pass the quarterly ASV scan, does that mean I am compliant?

ASVs are only a piece of the PCI puzzle. All merchants and service providers are required to complete a self-assessment questionnaire (SAQ) that serves as a statement of compliance. The questionnaire states that your organization has implemented the required controls described in the PCI Standard. You can download these SAQs from the PCI Security Standards Council's website
at: https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Does PCI compliance require a dedicated server environment?

A common misconception is that you are required to have a dedicated server to become PCI compliant. However, PCI compliance is obtainable in a virtual environment where the operating system is isolated and able to be secured according to the standard’s requirements.

Do you provide the required quarterly network scans?

The required scans will need to be completed by a third-party Approved Scanning Vendor (ASV), who will provide you with an independent, non-biased view of your network. We have partnered with Alert Logic (http://www.alertlogic.com/) to provide this service, but you are free to select from any of the approved vendors. If you choose Alert Logic as your ASV, tell them you are a HyperFive Web Hosting customer to ensure you receive the best available pricing.

Do you guarantee a PCI compliant solution?

We guarantee to provide you with a PCI-compliant solution for your hosting services. We also guarantee that if any issues are found by your selected ASV, we will work directly with you and your ASV to achieve compliance.