ServerGuy and PCI Compliance
Yes, ServerGuy as a company is PCI Compliant. We as hosting providers, ensure complete security for cardholder data. Our highest priority is to constantly monitor our network in order to meet PCI DSS requirements. But we do stress upon the fact that PCI Compliance is a far more complex subject. You need to assess your business to be PCI Compliant.
You can start with the Self Assesment Questionnaire form PCI security standard
Note: If you are hosting with us, does not mean you’re PCI compliant. Since we don’t interact with your end user we are not responsible for the way you collect and process their data. You need to make your website PCI compliant and you can start by understanding the requirements mentioned below.
PCI DSS Requirements
PCI compliance compiles 12 requirements which are broadly categorized in 6 parts:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong security measures
- Regularly test and monitor networks
- Maintain an information security policy
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder details
A firewall provides network security by filtering all incoming traffic from the untrusted source on the internet. It is essential to position firewalls to block connections from unfiltered locations.
PCI Compliance requires you to place firewall on all paths including eCommerce connections from the Internet, employees Internet access, email connections, B2B connections, and all other sources. We secure our client’s data by placing firewalls as an extra layer of protection.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
It is essential to change vendor-supplied default usernames and passwords. We do mandate the use of strong and unique passwords. The responsibility to change all vendor-supplied passwords lies with the website owners.
Protect Cardholder Data
3. Protect stored cardholder data
PCI states, it is important to document a data retention policy to protect cardholder data. It includes masking the primary account number on customer receipts and making it accessible to only a few employees. We fully understand the guidelines for handling and storing cardholder data and offer our employees training and understanding of this policy.
4. Encrypt transmission of cardholder data across open, public networks
This policy includes reviewing all locations, systems, and devices, where cardholder data is transmitted. It ensure, we’re using appropriate encryption to safeguard data over open, public networks. It also includes:
- Verifying the validity of encryption keys
- Checking the latest encryption vulnerabilities
- Ensuring TLS is enabled
- Prohibiting the use of WEP
This is a policy which both hosting provider and website owners need to adhere.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
It is essential to deploy anti-virus programs on commonly affected systems. This policy also mandates setting up anti-virus to scan, detect and remove malicious software. We ensure that the systems that are not considered at-risk are also regularly evaluated to determine their current risk status. In this we also include the systems that merchants may use to connect to their eCommerce installation.
6. Develop and maintain secure systems and applications
This requirement stresses the fact that all network software must be regularly updated and security patches must be installed immediately after the release. We have a process in place to keep up-to-date with the latest identified security vulnerabilities and their threat level.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
There should be controlled access on every system where cardholder data is stored and handled. We make sure that everyone that interacts with our networks has no more access to the data than they need to do their work.
Also, it is the responsibility of the website owner to restrict the number of people who have the access to their card details.
8. Assign a unique ID to each person with computer access
Under this requirement we make sure that:
- All remote access accounts are monitored while they are in use.
- All remote access accounts are disabled when not in use.
- Every account used for remote access enables only when used.
- Putting in place a multi-factor authentication for all remote access sessions.
Website owners are also responsible to identify and authenticate access to their eCommerce platform.
9. Restrict physical access to cardholder data
This requires restricting access to any publicly accessible network jacks in the business. It also includes keeping physical media secure and maintaining control over any media being moved within the building and outside of it. We make sure to use a secure courier when sending media through the mail so the location of the media can be tracked.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
We make sure to protect sensitive data, we log, track, and audit all access to cardholder data. This includes having a process in place to review logs and security events daily. We have a complete review system components defined by the risk management strategy.
11. Regularly test security systems and processes
We follow the below mentioned steps to adhere to this requirement:
- Use internal resources to run quarterly internal vulnerability scans.
- Use PCI-approved resources to run quarterly external vulnerability scans.
- Use qualified resources to run these scans.
- Quick response to alerts generated by the change-detection tools.
- Perform regular penetration tests to confirm segmentation is operational and isolated in the CDE from all other systems.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
We make sure that every employee working with cardholders data completes an annual security awareness training. We have created a companies policy documenting all critical devices and services within the cardholder data.
Last Updated on: 24 December 2018