PCI DSS Compliance Overview
All our packages are designed to conform to the highest requirements of the Payment Card Industry Data Security Standard (PCI DSS). All organizations that receive, process, or store credit card data must adhere to these standards. Ensuring you are also able to meet these standards is our highest priority.
PCI DSS Requirements
The PCI Security Standards Council identifies 12 requirements to be met by the PCI DSS-compliant merchant and host.
These 12 requirements fall into six categories:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly test and monitor networks
- Maintain an information security policy
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Every server is protected by a firewall which, as well as limiting the ports available to general traffic, monitors packets for suspicious activity. Alongside this we also run an active log monitor which blocks repeated failed attempts to log in to key systems.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
If an attacker knows that a user exists, they already have half the information they need to start attacking the site or server. Ensure that all default usernames are removed. In the case of Magento this also covers the default path for the admin panel and Magento Connect. This also covers any devices within your premises that may be affected.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
This requirement deals with what we need to do to protect credit card data across the server and our network. It covers secure deletion of data, the use of strong encryption and restrictions on storage. Merchants and hosts are responsible for this.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
This requirement ensures that all credit card data is encrypted at a suitable level (TLS 1.2) as it moves over the network. Merchants and hosts are responsible for this.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Despite all the tools and systems we deploy to keep your site and data safe, it is essential that continual vigilance is performed. Anti-virus / anti-malware scanners and a number of our own scanning tools look for signs of a breach after the event. Merchants should also scan their own systems that connect to their e-commerce platform.
Requirement 6: Develop and maintain secure systems and applications.
All software in our server stack is regularly updated and security patches applied as needed on release.
Merchants are responsible for keeping their Magento installation patched as patches are released, and for ensuring that third-party extensions / modules are similarly updated when patches are published. Similarly, merchants must take all reasonable efforts to secure their application.
Implement Strong Access-Control Measures
Requirement 7: Restrict access to cardholder data according to need.
No one should have any more access to the network / application than is needed to fulfil their role. This applies to our management of the system at your end and to the running of your application.
Requirement 8: Identify and authenticate access to system components.
To ensure a clear audit trail and secure access, every entry to the system should be individually identifiable. Repeated failed attempts should be blocked. Users that no longer require access will be removed.
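The "active log monitor" under Requirement 1 and the blocking of repeated failed attempts under Requirement 8 come down to the same detection logic. The following is an added illustration, not the provider's own tooling: it parses constructed sshd-style auth log lines and reports each source address that reached a failure threshold inside a sliding time window, the way a fail2ban-style maxretry/findtime rule is evaluated. Hostnames, addresses and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 10 10:00:04 web1 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar 10 10:00:07 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 41024 ssh2
Mar 10 10:00:09 web1 sshd[1204]: Failed password for root from 198.51.100.7 port 41025 ssh2
Mar 10 10:00:12 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 41026 ssh2
Mar 10 10:02:00 web1 sshd[1211]: Accepted publickey for deploy from 203.0.113.9 port 50101 ssh2
Mar 10 11:30:00 web1 sshd[1300]: Failed password for root from 192.0.2.5 port 60000 ssh2
Mar 10 11:45:00 web1 sshd[1301]: Failed password for root from 192.0.2.5 port 60001 ssh2
Mar 10 12:00:00 web1 sshd[1302]: Failed password for root from 192.0.2.5 port 60002 ssh2
Mar 10 12:15:00 web1 sshd[1303]: Failed password for root from 192.0.2.5 port 60003 ssh2
Mar 10 12:30:00 web1 sshd[1304]: Failed password for root from 192.0.2.5 port 60004 ssh2
"""

# Matches only failed password attempts; "invalid user" lines (unknown account) are included.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) per failed-password line; syslog lines carry no year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that reached `threshold` failures inside any `window`
    to the time the threshold was crossed (sliding window per IP)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(text):
        by_ip[ip].append(ts)
    blocked = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = t
                break
    return blocked
```

With the defaults, 198.51.100.7 is reported after its fifth failure in eleven seconds, while 192.0.2.5's five failures spread fifteen minutes apart never fall inside one ten-minute window, which is the slow-and-low case a window-based rule alone will miss.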
Requirement 9: Restrict physical access to cardholder data.
These requirements deal with physical access to the actual servers we run your sites on, including:
- 24 hour manned security, biometric access and intruder alarms
- 24 hour on site Network Operations Centre (NOC)
- Internal and external CCTV systems
- Security breach alarms
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
In order to safeguard data we must audit and track all access to cardholder data and alert the appropriate personnel. We monitor all logs for the server and network infrastructure. Merchants need to ensure that they maintain and monitor logs for the application itself.
Requirement 11: Regularly test security systems and processes.
In order to ensure that systems are constantly evolving to meet changing threats, we routinely test our security procedures. This includes network vulnerability scans and penetration testing. Merchants are responsible for scanning their own applications.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Equally as important as all the technical resources that are in place are the policies and procedures that manage staff, and the training that backs these up. Merchants must have similar procedures in place for their own staff.