What is PCI Compliance? Find Best PCI Compliant Web Hosting
Payment Card Industry – Data Security Standards (PCI-DSS) are a vast set of requirements adopted by the PCI Security Standards Council, and it’s meant to ensure consistent data security measures across all online merchants. The PCI Security Standards Council (PCI SSC) includes JCB International, American Express, Discover Financial Services, VISA and MasterCard Worldwide. Any online merchant accepting payments through major credit card companies is bound by the PCI-DSS requirements.
Achieving and maintaining compliance can be a nerve-wracking experience even for major online companies, let alone small merchants. But the costly repercussions of data breach and failure to meet compliance requirements makes it imperative for online service providers to ensure that their customers are transacting securely.
In this article, we’re discussing some of the most important requirements for PCI compliance and how to find the best PCI compliant web hosting to better manage your PCI compliance strategy.
What Does it Mean to be PCI Compliant?
PCI compliance is a must for all e-commerce businesses that accept credit card, irrespective of revenue and volume of transactions. Therefore, these two factors will not determine whether or not you have to adhere to the data security rules set out by the PCI SSC, given that even the smallest e-commerce business accepting credit card is bound by the PCI-DSS standards; however, the number of credit/debit card transactions your business processes annually will determine which of the four levels of compliance you have to achieve. Level 1 has the highest compliance difficulty, and it’s a security standard that needs to be achieved by e-commerce businesses that process more than 6,000,000 credit or debit cards over a 12-month period. On the other hand, level 4 bears the lowest compliance difficulty, and it concerns online businesses that process fewer than 20,000 credit card transactions annually.
While the PCI-DSS standards defined by the PCI SSC are not a law, compliance to these standards is enforced by the credit companies themselves. Businesses that are found to be in breach can expect substantial fines ($5,000 – $100,000 per month) and penalties (loss of right to process credit card payments, increase in per-transaction processing fees, paying for credit cards compromised because of the breach, moving up a level of compliance, etc.). These fines and penalties can prove to be catastrophic to a business, not to mention the loss of reputation that a business can suffer as a result of a breach.
Although the standards defined and maintained by the PCI SSC ultimately boil down to securing cardholder data, achieving PCI compliance poses many roadblocks for the average online merchant.
Here are, in a nutshell, the requirements for PCI compliance covered in the full PCI DSS standards that online service providers must adhere to:
- Building and maintaining a secure network, which involves firewall and router configurations, testing related to these, frequency of testing, and secure password management;
- Protecting cardholder data by defining storage, data retention, and data usage parameters and encryption requirements, as well as setting out the implementation of encryption and security protocols (SSL/TLS, SSH or IPSec) for the protection of cardholder data when transmitted over open, public networks;
- Executing a vulnerability management program, which involves the use of an anti-virus program that is regularly updated, active at all times, and that generates audit logs. Another facet of the vulnerability management program is the development and maintenance of secure systems and applications, which is achieved through adherence to secure coding guidelines and review of third-party code or custom applications with respect to vulnerabilities;
- Implementing secure user access control measures by protecting sensitive data from unauthorized access, limiting access by setting up well-defined role-based access control (RBAC), assigning unique user IDs for traceability, using two-factor authentication processes, restricting physical access to cardholder data;
- Using logging mechanisms to track and monitor access to network and cardholder data, creating an audit trail that must be retained for at least a year;
- Running regular internal network security scans (quarterly and after each and every significant change, upgrade, or modification in the network or infrastructure), submitting to quarterly ASV (Approved Scanning Vendor) scans following the passing of the initial compliance scan, implementing systems (intrusion detections systems and file monitoring systems) to alert regarding unauthorized modification of critical files and system compromise;
- Creating and maintaining an information security policy that should cover aspects related to personnel screening, risk assessment, vulnerabilities assessment, remote access, etc.
Businesses that lack the expertise and/or internal resources to execute an efficient compliance program should seek the help of an external partner and qualified security advisor, who will offer guidance with respect to the PCI-DSS Self-Assessment Questionnaire they must complete, the requirements they need to meet for their level of compliance, the infrastructure deficiencies their have to solve, etc.
Some of the burden of meeting these requirements can be shared with solutions partners such as hosting providers, who can help with implementing and maintaining physical, network, and system controls.
How to Find the Best PCI Compliant Web Hosting
Choosing a good web hosting can be a complicated task in itself. Adding PCI-DSS compliance to the list of your requirements can make the process even more complicated. Here are the main things to do when searching for a PCI compliant web hosting:
Discuss PCI compliance components undertaken by your host
Ask the web hosting provider about the components of the PCI compliance they are able to handle for you. For example, HostGator clearly states on their website that their VSP and dedicated servers have been updated to meet server PCI compliance requirements. However, HostGator will not provide support for ensuring that the shopping carts, payment gateway software, shopping cart plugins, etc. used by your website are PCI compliant, therefore, this task encumbers you as the user of these solutions.
Get more details about each component
Since failure to meet PCI compliance requirements carries a host of risks potentially threatening the very existence of your business, always read the fine print of the extra services undertaken by your hosting company in your efforts to become PCI compliant, and ask for more details about adopted solutions to see if these services align with your PCI-DSS compliance requirements. Hosting companies like Rackspace, go beyond simply offering you server PCI compliance by providing a host of other services (e.g. managed firewall, SSL certificates, managed antivirus solutions, vulnerability assessment services, web application firewall, etc.).
See about support
Navigating the maze of becoming compliant with the industry standards imposed by credit card companies is no doubt a strenuous process for anyone, be it small or big business. Support offered in discussing your needs and help in exploring the services you need can help reduce the complexity of your efforts in becoming compliant.
Conclusion
It’s important to remember that PCI compliance is a shared responsibility, and by opting for a PCI compliant hosting, one does not automatically become PCI compliant. Getting a clear view from the get-go of the responsibilities undertaken by each solutions partner is an important step in attaining and maintaining compliance.