PCI DSS is a stringent set of standards that any company that stores, processes or handles credit card information is required to follow. It was created to protect consumer financial information, and complying with it is not optional. It is your responsibility as the merchant to ensure that your server is PCI compliant at all times. Failing to do so can lead to serious consequences, including fines, costly litigation and potential criminal investigation. So how do you ensure that your server is PCI compliant?
Check with Your Hosting Provider
The first step is to check with your hosting provider. The provider should make all of its servers PCI compliant, but be aware that a server may not be compliant by default; if it is not, you will need to have the hosting company change its settings to bring it into compliance. Also note that changes you make on your end can affect that compliance, and that server compliance does not guarantee that the software running your website is compliant.
Another consideration is that your database server must run on its own physical server and cannot share space with your web server. The database server must also be accessed through a VPN (virtual private network). You cannot use phpMyAdmin for this, as it is not PCI compliant. FTP (file transfer protocol) is a further consideration. It was once one of the most common ways to update content on your site and server, but it is not PCI compliant because it is not secure: if your server allows FTP access, it is not PCI compliant.
Security updates and patching on the server must be under your control. In a shared hosting environment this is not the case, and if you do not control your server's security, it is not PCI compliant. A written agreement under which your hosting provider applies security updates on your behalf does, however, satisfy the PCI standards. To tell whether your host actually updates on a timely basis, check the MySQL version and the version of PHP being run. If they are not current, the host is not guaranteeing PCI compliance.
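The two checks just described (no FTP listener, database reachable only over the VPN, and PHP/MySQL versions that are actually current) can be scripted. The following is an added example, not code from the original article or from any hosting provider; the `ss -ltn` output and version banners are constructed samples, the 10.8.0.x range stands in for an assumed VPN interface, and the minimum versions are placeholder baselines that you would replace with the oldest releases still receiving security fixes.

```python
import re

# Constructed sample of `ss -ltn` output (not captured from any real host); the
# 10.8.0.x address stands in for an assumed VPN interface.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

# Constructed version banners in the shape `php -v` and `mysql --version` print.
SAMPLE_PHP_BANNER = "PHP 7.4.33 (cli) (built: Jan  1 2024 00:00:00)"
SAMPLE_MYSQL_BANNER = "mysql  Ver 8.0.36 for Linux on x86_64 (MySQL Community Server - GPL)"

FTP_PORTS = {21}     # plain FTP control port
DB_PORTS = {3306}    # MySQL/MariaDB
# Binds that are acceptable for the database: loopback or the assumed VPN subnet.
PRIVATE_BINDS = ("127.0.0.1", "::1", "10.8.0.")

# Placeholder baselines: replace with the oldest release still receiving security fixes.
MIN_VERSIONS = {"php": (8, 1), "mysql": (8, 0)}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit_listeners(ss_output):
    """Flag FTP listeners and database ports reachable outside loopback/VPN."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in FTP_PORTS:
            findings.append(f"FTP listening on {addr}:{port}: FTP access is not permitted")
        elif port in DB_PORTS and not addr.startswith(PRIVATE_BINDS):
            findings.append(f"database port {port} bound to {addr}: must be reachable only over the VPN")
    return findings


def parse_version(banner):
    """Extract the first dotted version number from a tool's banner."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not match:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def version_current(component, banner):
    """True when the major.minor in the banner meets the baseline for that component."""
    return parse_version(banner)[:2] >= MIN_VERSIONS[component]


def audit_versions(php_banner, mysql_banner):
    findings = []
    for component, banner in (("php", php_banner), ("mysql", mysql_banner)):
        if not version_current(component, banner):
            found = ".".join(str(n) for n in parse_version(banner))
            wanted = ".".join(str(n) for n in MIN_VERSIONS[component])
            findings.append(f"{component} {found} is below baseline {wanted}: patching is not current")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS) + audit_versions(SAMPLE_PHP_BANNER, SAMPLE_MYSQL_BANNER):
        print("FAIL:", finding)
```

On a real host you would feed the script the live output of `ss -ltn`, `php -v` and `mysql --version` instead of the embedded samples; the sample run flags the FTP listener, the MySQL port bound to all interfaces, and the out-of-date PHP build.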
Pay attention to the login process on your server as well. If you log into the server with just a username and password, with no additional means of verifying identity and authorization, the server is not PCI compliant. You must have a two-factor authentication system set up on the server for access.
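To show what the second factor actually checks, here is a time-based one-time password (TOTP, RFC 6238) verifier of the kind a PAM or SSH MFA module runs after the password step. This is an added example written for this page, not code from the article or from any particular MFA product; it assumes the server holds a per-user shared secret and that the user's authenticator app generates codes from the same secret. The secret below is the RFC's published test value, not a real one.

```python
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step (30 s by default)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or `window` steps either side (clock drift).

    Every candidate is compared in constant time so the check does not leak
    which step matched or how many leading digits were right."""
    if not submitted.isdigit() or len(submitted) != digits:
        return False
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    ok = False
    for candidate in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, candidate, digits), submitted)
    return ok


# RFC 6238 test secret (ASCII "12345678901234567890"). A real deployment uses a
# random per-user secret, provisioned once and stored with the same care as a
# password hash.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))  # 94287082, the RFC 6238 test vector
```

A production module would additionally refuse to accept the same code twice within its window (replay) and rate-limit attempts, since a six-digit code has only a million possibilities.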
Verify that the hosting provider conducts regular scans and monitors the server for unauthorized access. It is also wise to engage a third-party scanning service to confirm PCI compliance on the host's part. The report generated by the scanning service will detail where any compliance issues lie, whether with the host or on your end. Make no mistake: several requirements fall squarely on the merchant's shoulders and do not involve the hosting provider at all (although some companies offer more assistance than server compliance alone).
SSL
SSL stands for Secure Sockets Layer, and it is a requirement for PCI compliance. This one falls on you, the merchant, not on your hosting provider: you are responsible for obtaining an SSL certificate and paying for it. You can generally purchase one through your hosting provider (issued by a third party such as Comodo). Chances are good that your hosting provider offers several types of SSL certificate, and you will need to choose the right one for your hosting environment and your business type. For instance, an ecommerce company needs a different type of SSL certificate than a company that does not offer online purchasing but does store cardholder information on its server.
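The article uses "SSL" in the everyday sense of a certificate for HTTPS. In practice the certificate is served over TLS, and PCI DSS has not accepted SSL or early TLS (TLS 1.0) as strong cryptography for several years, so the protocol configuration behind the certificate matters as much as the certificate itself. The following added example, which is not code from the article or from any vendor, checks both: it reads the `ssl_protocols` directive from a constructed nginx fragment (the weak setting beside the corrected one) and computes how long a constructed certificate has left before expiry. The hostname and dates are made up.

```python
import re
import ssl

# Protocol versions still accepted as strong cryptography; SSLv3 and TLS 1.0/1.1 are not.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed nginx fragments: the weak setting and the corrected one.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
FIXED_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Constructed certificate fields in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}


def configured_protocols(config_text):
    """Protocol list from the first ssl_protocols directive, or None if absent."""
    match = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    return match.group(1).split() if match else None


def disallowed_protocols(config_text):
    """Protocols enabled by the config that are not on the allowed list."""
    protocols = configured_protocols(config_text) or []
    return [p for p in protocols if p not in ALLOWED_PROTOCOLS]


def cert_seconds(not_after):
    """Epoch seconds for a certificate date such as 'Jun 10 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(cert, now):
    """Days remaining on the certificate relative to `now` (epoch seconds)."""
    return (cert_seconds(cert["notAfter"]) - now) / 86400


def audit_tls(config_text, cert, now, renew_within_days=30):
    """Findings for weak protocol settings and an expiring or expired certificate."""
    findings = []
    if configured_protocols(config_text) is None:
        findings.append("ssl_protocols not set: the server default applies and must be verified")
    for protocol in disallowed_protocols(config_text):
        findings.append(f"protocol not permitted: {protocol}")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append("certificate has expired")
    elif remaining < renew_within_days:
        findings.append(f"certificate expires in {remaining:.0f} days: renew now")
    return findings


if __name__ == "__main__":
    import time
    for finding in audit_tls(WEAK_CONFIG, SAMPLE_CERT, time.time()):
        print("FAIL:", finding)
```

Against a live site you would replace `SAMPLE_CERT` with the dictionary `getpeercert()` returns after an `ssl.create_default_context().wrap_socket(...)` connection, and read the config straight from the server.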
Shopping Cart and Ordering
If your website uses a shopping cart or lets customers order online, you must ensure the system is PCI compliant. There are countless shopping cart packages out there, and innumerable ways you might allow online ordering. The best defense is to keep your solution up to date (use a modern shopping cart). Signs that your shopping cart or other ordering process is PCI compliant include the following:
- Customers are required to use complex passwords to access their account.
- Default passwords from the vendor can be changed (it’s your responsibility to ensure that they are, and you should do this immediately on installation).
- Payment processing transactions are logged by the shopping cart or other payment/ordering system.
- The shopping cart is secure and protected against malware (check the cart vendor's documentation for verification of this).
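The logging point in the list above has a catch: a transaction log is only compliant if it does not itself become a store of card data. The added example below, which is not code from the article or from any shopping cart product, shows the two sides of that. `transaction_log_entry` writes the record an ordering system should produce (PAN masked to the last four digits, no CVV), and `audit_log` scans existing log lines for full card numbers (digit runs that pass the Luhn check) and for CVV fields. The log lines are constructed, and the card numbers in them are the widely published test PANs, not real ones.

```python
import json
import re
import time

# Digit runs of 13 to 19 characters, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Sensitive authentication data (CVV and similar) must never be stored after authorization.
SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc|cid)\s*=", re.IGNORECASE)

# Constructed log lines; the card numbers are published test PANs.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z order=1001 pan=************1111 auth=A1B2C3 amount_cents=4999
2024-01-15T10:00:02Z order=1002 pan=4111111111111111 auth=D4E5F6 amount_cents=1250
2024-01-15T10:00:03Z order=1003 card=5555 5555 5555 4444 cvv=123 amount_cents=900
"""


def luhn_valid(digits):
    """Luhn checksum, which every card PAN satisfies; used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, the masked form PCI DSS allows for display."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def transaction_log_entry(order_id, amount_cents, pan, auth_code):
    """The line an ordering system should write: masked PAN, no CVV, no expiry."""
    return json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "order": order_id,
        "amount_cents": amount_cents,
        "pan": mask_pan(pan),
        "auth": auth_code,
    })


def find_unmasked_pans(log_text):
    """Return Luhn-valid 13-19 digit runs, i.e. probable full card numbers."""
    hits = []
    for match in PAN_CANDIDATE.finditer(log_text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_log(log_text):
    """(line number, finding) pairs for unmasked PANs and CVV fields."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for pan in find_unmasked_pans(line):
            findings.append((lineno, f"full PAN ending {pan[-4:]} written unmasked"))
        if SAD_FIELD.search(line):
            findings.append((lineno, "sensitive authentication data (CVV) written to log"))
    return findings


if __name__ == "__main__":
    print(transaction_log_entry(1001, 4999, "4111 1111 1111 1111", "A1B2C3"))
    for lineno, finding in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The Luhn filter removes most timestamps and order numbers from the matches but not all of them, so treat a hit as a prompt to look at the line, and run the audit over application, web server and database logs alike, since a PAN that reaches a URL or a query string ends up in all three.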
Company Policies and Procedures
Finally, PCI compliance also requires that your business have the right policies and procedures in place; it is not all about the hosting provider or server compliance. If your company's policies and procedures are not PCI compliant, there is still a significant chance of a data breach, even with a compliant, secure server. Requirement 12 of the PCI standards states that merchants must "maintain a policy that addresses information security." While that is rather vague, it is no less important than server compliance.
Your company must have stringent controls on how cardholder information is stored, how it is protected, how it is accessed and who can access it. Strong passwords and unique user IDs are only the tip of the iceberg. You must also attend to the security of cardholder information on your business's own network (within the organization, not necessarily tied to your company's server). This applies to both electronic and physical records; leaving printed cardholder information on a desk, for instance, is a violation of PCI standards.
With the right server, and the right steps to ensure compliance on your end, your company can safeguard consumer credit card information, avoid costly fines and penalties, and build a better reputation in the eyes of your customers.