If you intend to take payments for goods or services on your website, you’ll be required to comply with Payment Card Industry Data Security Standard (PCI DSS) regulations. These are the security standards that companies which store, process or transmit payment card data have to meet. In this post, we’ll take a closer look at what they are and explain why you need a PCI-compliant server.
What PCI-compliance entails
If you want your company to accept online card payments your server environment and eCommerce application have to comply with PCI DSS. This is the case even if you use a third-party payment processor. Failure to comply can have a significant impact, including ongoing fines or in the worst-case scenario, being prohibited from taking payments and thus finding your company unable to trade.
The standards you have to meet for PCI compliance are detailed and rigorous. They require you to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, monitor and test networks on a regular basis and maintain an information security policy.
Meeting these standards requires a number of concrete measures, such as installing and maintaining an appropriately configured firewall, using strong (non-vendor-supplied) system passwords, encrypting cardholder data in transit, storing cardholder data securely and running anti-virus software. In addition, you'll need to update and patch applications, restrict both system and physical access to cardholder data and create unique IDs for individual staff so that you can track and monitor all access to network resources and cardholder data.
It is clear from this that the PCI DSS standards are stringent, and that the responsibility for implementing and maintaining them, as well as evidencing compliance, falls on the eCommerce company and any third-party service providers it uses.
The challenges and solutions of PCI compliance
eCommerce companies face two major challenges when striving to comply with PCI DSS regulations. The first is the cost of building an in-house system that meets the standards; the second is that they often lack the expertise to attain compliance. A solution that makes compliance easier and less expensive to achieve is to use the services of a PCI-compliant hosting provider that can offer both the server infrastructure and the necessary expertise.
At eukhost, for example, we are geared up to ensure our data centres, networks and operations are PCI DSS compliant. Aside from ensuring robust physical and system security at all our data centres, all our VPS, cloud servers and dedicated servers are capable of being made PCI compliant. In other words, we are able to carry out all the configuration changes needed to meet PCI compliance upon request.
There are different levels of PCI compliance, and the solutions put in place will depend upon the level your business is obliged to achieve. Most eCommerce sites, for example, have to meet the requirements of either the SAQ A or SAQ A-EP self-assessment questionnaires. These apply to companies which process payments via a third-party payment gateway, such as Stripe or PayPal. As customers are transferred to the payment gateway to carry out these kinds of transactions, no card information is stored or transmitted by our servers. As a result, your compliance burden is dramatically reduced.
Putting the compliance process into action
To determine the exact requirements of making a server PCI compliant, your hosting vendor will need to know the application you are going to use and the level of PCI compliance you are required to meet. Here at eukhost, we carry out the following as standard:
- Ensure you have a firewall enabled and have a robust firewall policy implemented.
- Ensure that you have an SSL/TLS certificate installed and that only strong protocols and cipher suites are enabled.
- Ensure that encryption is enforced for all services.
- Disable any software which is not required to provide service.
- Enable and configure intrusion prevention.
- Enable an application firewall.
- Enable and configure anti-virus and anti-malware services.
- Ensure logging and log retention policies are in place.
- Apply an access and password policy.
- Ensure a backup policy is in place and that backups are encrypted.
Once you have these features, plus any others you require, put into place, you will then be able to arrange for a PCI compliance assessor to undertake a compliance scan.
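As an added example, not one of eukhost's own checks, the POSIX shell script below covers two items from the list above before an assessor is called in: it flags SSL/early TLS protocols and weak cipher suites in an nginx-style TLS block, and it works out how many days of audit history a logrotate stanza keeps against the one year of audit-trail history that PCI DSS requirement 10.7 (v3.2.1) asks for. The nginx and logrotate directive names are real; every configuration value is constructed for the demonstration.

```shell
# Added example, not eukhost's tooling: a pre-assessment check for two items
# on the list above, TLS protocol/cipher settings and log retention. Directive
# names are real nginx/logrotate ones; every configuration value is constructed.
# Constructed "before": early TLS and weak cipher suites still offered.
WEAK_TLS='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";'
# Constructed "after": TLS 1.2+ only, AEAD suites with forward secrecy.
GOOD_TLS='ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";'
# tls_findings CONFIG: prints one line per SSL/early-TLS protocol or weak
# cipher (NULL, EXPORT, RC4, DES/3DES, MD5); no output means the block is clean.
tls_findings() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' \
        | tr ' ' '\n' | while IFS= read -r p; do
            case "$p" in
                SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol: $p" ;;
            esac
        done
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\(.*\)";.*/\1/p' \
        | tr ':' '\n' | while IFS= read -r c; do
            case "$c" in
                *NULL*|*EXPORT*|*RC4*|*DES*|*MD5*) echo "weak cipher: $c" ;;
            esac
        done
}
# tls_verdict CONFIG: PASS when tls_findings reports nothing, else FAIL.
tls_verdict() { [ -z "$(tls_findings "$1")" ] && echo PASS || echo FAIL; }
# Constructed logrotate stanzas for the audit log. PCI DSS requirement 10.7
# asks for at least a year of audit-trail history, so four weeks falls short.
SHORT_RETENTION='/var/log/audit/audit.log {
    weekly
    rotate 4
}'
YEAR_RETENTION='/var/log/audit/audit.log {
    daily
    rotate 365
}'
# retention_days CONFIG: approximate days kept, rotate count x interval length.
retention_days() {
    days=0; n=0; prev=""
    for w in $1; do
        case "$w" in daily) days=1 ;; weekly) days=7 ;; monthly) days=30 ;; esac
        if [ "$prev" = rotate ]; then n=$w; fi
        prev=$w
    done
    echo $((n * days))
}
# retention_verdict CONFIG: PASS when at least 365 days of history are kept.
retention_verdict() { [ "$(retention_days "$1")" -ge 365 ] && echo PASS || echo FAIL; }
```

Running `tls_verdict "$WEAK_TLS"` and `retention_verdict "$SHORT_RETENTION"` both report FAIL, while the hardened block and the year-long stanza report PASS.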
Remember, overall responsibility lies with the company
While a PCI DSS compliant vendor can help you comply, and do so more economically, the ultimate responsibility lies with the company. Requirements that are fulfilled in-house, such as assigning unique user IDs and maintaining an information security policy, must still be met. Furthermore, companies also need to ensure that any third-party hosting services they use comply with the regulations.
PCI DSS is one of the most important regulations that an eCommerce company has to comply with. Designed to protect the consumer, it has a stringent set of requirements and is rigorously policed. One of the most effective ways to help you achieve compliance is to use the services of a hosting partner that has experience and expertise in PCI compliance and can provide the compliant server environment required.