PCI-Compliant Hosting Solutions

How do I protect the network for PCI compliance?

Install and maintain a firewall configuration to protect cardholder data

The firewall is the front door to a network that must be adequately protected from internal or externally routed traffic over trusted and untrusted networks. All layers of the network are in scope, such as the open internet, VPN connectivity, wireless networking, and corporate networks.
The network security design must be documented and amendments must be managed by change control in dev, test, and production configurations. Importantly, the flow of card data around the network must be known and documented. Other key areas to consider are the roles and responsibilities must be defined in terms of who will manage the network (typically a network engineering team), all unused switch ports must be down and closed, all undefined traffic must be denied by default, and any discovered vulnerabilities in the network hardware must be patched.

How do I change the default configurations to meet PCI-DSS standards?

Do not use vendor-supplied defaults for system passwords and other security parameters

It is very easy for a malicious user to compromise a system if the vendor passwords have not been amended from their defaults. Default passwords are documented all over the Internet, so it is recommended to disable the accounts and create unique accounts. Any wireless network must be protected with strong encryption (minimum WPA2) and complex passwords.
PCI-DSS also requires configuration standards being met for server builds to include security and server hardening to close off security vulnerabilities, operating system patching, application updates, and more. You must also only have one primary function per server; a single server must not do every task required by the business. Often front-end, DMZ, mid-tier, and backend services are divided to create a secured hierarchy, and the technical teams must be aware of the security policies put in place to protect these systems.

How do I protect stored cardholder data?

Credit card data should only be stored when necessary. If your organization does store permanent account numbers, or PANs (in this case payment card numbers), they should be encrypted. When displayed, the PAN should be masked and truncated; one-way hash functions based on strong cryptography can be used to render cardholder data unreadable.
The storage of full-track data, PINs and validation codes is prohibited, and there are strict rules on data retention - Remember, if you don't need it, don't store it!

How do I secure cardholder data transmission?

Encrypt transmission of cardholder data across open, public networks

When you accept credit card payments for secure processing on your company's web server or share cardholder data across networks, sensitive data must be encrypted during transmission over the Internet, WiFi, private networks, and site-to-site connections. All websites must be secured with TLS (HTTPS), and there are strict rules on how PAN data can be transmitted. Always ensure this is done in a secure environment; never transmit over email, SMS, or mobile apps, as this data is easily intercepted and should be routinely monitored.

How do I meet PCI-DSS vulnerability protection requirements?

Develop and maintain secure systems and applications

Vulnerability scanning will identify all the known vulnerabilities affecting the infrastructure. This landscape rapidly changes, and it is important to stay one step ahead. The majority of vulnerabilities have already been identified by the manufacturers and patches are available rapidly.
Any custom applications must be built to PCI DSS compliance standards regarding access to and encryption of source code. Never hardcode security information into source code, and never publish to public repos like GitHub. Databases require special attention to prevent Buffer Overflow and SQL injection weaknesses.

Should access to cardholder data be restricted?

Restrict access to cardholder data by business need-to-know

Employee roles and business need-to-know should guide the development of access controls so that unauthorized use does not occur. The basic idea of need-to-know is that you only give the extent of privileges and amount of data to a user that is necessary to conduct their tasks. Zero Trust should be integrated into your access control system, as indicated by the PCI Council’s instructions to “‘deny all’ unless specifically allowed.”

How can I know who is accessing my systems?

Identify and authenticate access to system components

To meet PCI compliance standards, you need to know who is doing what within the system and you want all activities to be easily trackable so that you can monitor and verify. Do not give anyone access to critical systems or data unless you have first given them a unique user ID. A password, passphrase, or multi-factor authentication (MFA) should be standard. MFA should be used for remote access. Virtual private networks, tokenization, or authentication, and dial-in should be implemented for remote use.

How secure are the Atlantic.Net data centers?

Restrict physical access to cardholder data

Data is, of course, stored on real systems, and any access to physical systems presents the opportunity for theft. To achieve PCI-compliant hosting requirements, the provider’s data center should restrict physical access. Facility entry controls should be used. Before any outsider enters a space in which cardholder data is present or is being processed, they should receive a physical token that they give back before departure.

Is it possible to monitor all activity for PCI-DSS?

Track and monitor all access to network resources and cardholder data

Being able to track exactly what a given user is doing by logging all steps they take allows you to perform vulnerability management and forensics in an organized fashion. Logs allow you to analyze something much more specifically and efficiently so that if any issues arise, you can understand how hacking or other improper use occurs. To meet PCI standards, you want automated audit trails in place so that you can review any activities.

Who is responsible for pen-testing?

Regularly test security systems and processes

Security gaps are often revealed through hacking. Testing security protocols, hardware, and software will keep you secure long-term. Check to see what wireless devices are being used with a wireless analyzer at least quarterly. Alternatively, use a wireless intrusion prevention service (IPS). Network vulnerability scans should be performed once each quarter and also following major adjustments within the network. Perform penetration testing annually at a minimum.

Who needs to understand the rules of PCI compliance? My staff, or just my PCI-compliant hosting provider?

Maintain a policy that addresses information security for all personnel

Beyond PCI-compliant server requirements, you also need personnel interacting with the systems to be well-equipped. Everyone on staff should know their PCI compliance responsibilities for safeguarding sensitive data. Create, update, and distribute a PCI compliance information security policy that lets your employees know about PCI DSS rules. For internal environments, create usage policies to shape expectations for employees and contractors.