PCI Security Standards compliance for a VPS. Part I
I. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data -> The VPS technical support team can help you with this. We will configure the firewall as per the PCI standards for you.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters -> For this, you will have to change the passwords of the VPS from your side. That is the only way to have a different password than what we provide you with. If PCI means a third party vendor, then you will have to login to the respective account or members section and change the passwords yourself.

II. Protect Cardholder Data

Requirement 3: Protect stored cardholder data -> This is something which would be stored within your VPS; it would be a part of the website files and other such data which would be contained within your virtual server. Protecting and maintaining the integrity of such data would be under your purview.

Requirement 4: Encrypt transmission of cardholder data across open, public networks -> You can encrypt the data and ensure that it has a secure passage using SSL certificates which you can purchase from us. We will help you with the installation of those on your VPS. SSL certificates have to be purchased per domain as they are registered by domain names only.
__________________
Sincerely, Brad, Web Hosting || Web Hosting Blog || Dedicated Server || VPS Web Hosting
PCI Security Standards compliance for a VPS. Part II
III. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software -> Updating the anti-virus software has to be done on the individual VPS. The technical support team is responsible for the security and integrity of the overall hardware node. For your individual VPS, you can request the technical support team to update it for you from time to time.

Requirement 6: Develop and maintain secure systems and applications -> The VPS technical support team does not assume any responsibility for any third party software, applications and algorithms. Worldpay, or for that matter any payment gateway, is officially classified as a third party application. You would have to design your own custom security rules to ensure the integrity of the application which you run.

IV. Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know -> Restricting access to a particular user or customer is entirely your prerogative. You would be best placed to know which individual is to be allowed access and who is to be kept away from the virtual server. You can do this by allowing only the IPs of your users in the firewall and blocking all other external IPs. You can ask the VPS team to add the trusted IPs in the firewall for access.

Requirement 8: Assign a unique ID to each person with computer access -> This will have to be done by you. Creating an ID and assigning it to individuals who have access to the VPS would be your prerogative.

Requirement 9: Restrict physical access to cardholder data -> No one has physical access to the cardholder's data which is stored within the VPS excepting the NOC technicians. Leave alone your VPS, these technicians never venture anywhere near the hardware node if there isn't a support request or an issue to resolve on the node itself. So you are guaranteed utmost restriction and security in this regard.
__________________
Sincerely, Brad, Web Hosting || Web Hosting Blog || Dedicated Server || VPS Web Hosting
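An added example, not Brad's and not the hosting company's own configuration, of the firewall allowlisting described under Requirement 1 in Part I and Requirement 7 above: a POSIX shell script that validates a list of trusted IPv4 addresses or CIDRs and prints the iptables commands for a default-deny inbound policy in which the SSH admin port is reachable only from those sources while the public HTTPS port stays open. The function names (valid_cidr, build_allowlist_rules) and the TEST-NET addresses are constructed for this example; the script prints the commands instead of running them so the owner can review them before applying them as root on a Linux VPS.

```shell
#!/bin/sh
# Added example: print a review-able iptables allowlist for a Linux VPS.
# Function names and the sample addresses are constructed; nothing here
# touches the live firewall, the commands are only printed.

# Accept one IPv4 address or CIDR (a.b.c.d or a.b.c.d/nn), reject anything else.
valid_cidr() {
    ip=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots without glob expansion, then check for exactly four octets.
    oldifs=$IFS; IFS=.; set -f
    set -- $ip
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for: loopback and established traffic
# allowed, the admin port (SSH) only from trusted sources, the public
# port open to everyone, everything else logged (rate-limited) and dropped.
# Usage: build_allowlist_rules ADMIN_PORT PUBLIC_PORT TRUSTED_CIDR...
build_allowlist_rules() {
    admin_port=$1; public_port=$2; shift 2
    [ $# -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "rejected source: $src" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport $admin_port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $public_port -j ACCEPT"
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"PCI-DROP: \""
    echo "iptables -A INPUT -j DROP"
    # The policy is set last so the accept rules exist before anything is dropped.
    echo "iptables -P INPUT DROP"
}

# Demo with constructed trusted sources (documentation TEST-NET ranges).
build_allowlist_rules 22 443 203.0.113.10 198.51.100.0/24
```

The accept rules are emitted before the policy change on purpose: switching INPUT to DROP over the same SSH session you are protecting is how owners lock themselves out. The LOG rule is rate-limited so a port scan cannot flood the syslog that the access tracking in Part III relies on, and any address that fails validation aborts the whole run rather than silently producing a narrower or wider allowlist.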
PCI Security Standards compliance for a VPS. Part III
V. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data -> The VPS technical support team monitors the VPS as a part of the bigger hardware node on which it is created. Tracking of access attempts and usage patterns of individual users on your VPS would not be feasible. This would have to be taken care of by you. Restriction levels and accessibility of individual users will have to be decided by you, since the best placed entity would be the VPS owner to decide the usage of individual customers. Since our Linux and Windows VPS come with unrestricted administrative privileges through SSH and RDP respectively, the VPS technical support team has little or no control over the kind of access which the VPS owner may grant to his individual customers. Consequent to this, guaranteeing 100% security and integrity would not be possible since we have no authority over the kind of restrictions and limitations which can be imposed on individual users.

Requirement 11: Regularly test security systems and processes -> You may request the VPS technical support team to carry out a check on the health of the VPS and the security configurations as well as settings whenever you want a thorough check to be performed.

VI. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security -> This is again something which is down to individual preferences, choices and practical usage patterns of the VPS. It would be nigh impossible for the VPS technical team to create a policy framework and security guidelines for your individual VPS owing to the lack of information on the exact use of the VPS and the activity which each user would be carrying out on the virtual machine. This is something which you would have to frame by yourself. The technical support team would be glad to lend whatever assistance you may need. However, the final word on this would be yours.
__________________
Sincerely, Brad, Web Hosting || Web Hosting Blog || Dedicated Server || VPS Web Hosting
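Brad leaves the tracking of access attempts on the VPS (Requirement 10) to the owner. As an added example that is not part of the thread, the POSIX shell functions below summarise sshd entries from a Linux VPS auth log: access_report prints, per account, how many logins were accepted and how many failed together with every source address seen for it, and failed_sources lists the sources with at least N failed attempts. That per-account, per-source view is the kind of record an assessor asks for when checking that access to the server is actually being monitored. The function names are hypothetical and the log lines in SAMPLE_AUTH_LOG are constructed for the example, not taken from any real server.

```shell
#!/bin/sh
# Added example: per-account access summary from sshd log lines.
# Function names are hypothetical; SAMPLE_AUTH_LOG is constructed.

SAMPLE_AUTH_LOG='Mar  3 09:12:01 vps1 sshd[1201]: Accepted publickey for deploy from 203.0.113.10 port 51012 ssh2
Mar  3 09:15:44 vps1 sshd[1230]: Failed password for root from 198.51.100.77 port 40211 ssh2
Mar  3 09:15:49 vps1 sshd[1230]: Failed password for root from 198.51.100.77 port 40211 ssh2
Mar  3 09:15:53 vps1 sshd[1233]: Failed password for invalid user admin from 198.51.100.77 port 40215 ssh2
Mar  3 10:02:17 vps1 sshd[1302]: Accepted password for brad from 192.0.2.5 port 53321 ssh2
Mar  3 10:40:09 vps1 sshd[1377]: Failed password for deploy from 203.0.113.10 port 51100 ssh2'

# Read sshd lines on stdin; print one line per account with the number of
# accepted and failed logins and every source address seen for it.
access_report() {
    awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
        user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            # "for invalid user NAME" for unknown accounts, "for NAME" otherwise
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") src = $(i+1)
        }
        if (user == "" || src == "") next
        users[user] = 1
        if ($6 == "Accepted") { acc[user]++ } else { fail[user]++ }
        if (!((user, src) in seen)) {
            seen[user, src] = 1
            srcs[user] = (srcs[user] == "") ? src : srcs[user] "," src
        }
    }
    END {
        for (u in users)
            printf "user=%s accepted=%d failed=%d sources=%s\n", u, acc[u], fail[u], srcs[u]
    }' | sort
}

# Read sshd lines on stdin; print sources with at least $1 failed attempts.
failed_sources() {
    awk -v threshold="$1" '
    /sshd\[[0-9]+\]: Failed / {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    }
    END { for (s in n) if (n[s] >= threshold) printf "%s %d\n", s, n[s] }' | sort
}

# Demo on the constructed sample; on a real Debian/Ubuntu VPS the input
# would be /var/log/auth.log (or the output of journalctl -u ssh).
printf '%s\n' "$SAMPLE_AUTH_LOG" | access_report
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_sources 3
```

Run daily from cron against the rotated log, the report gives the owner two of the things Requirement 10 asks about: which named accounts touched the server and from where, and which sources are hammering the admin port. A source that shows up in failed_sources but not in the trusted list from the firewall example is a sign the allowlist is not in place; an accepted login from an address the owner does not recognise is the line to escalate.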
Do companies need to worry about PCI Compliance?
Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes Credit or Debit Card information, which also includes merchants and third-party service providers, and that stores Credit Card data. It has now become a requirement for all.
It has been known that each company which accepts payments through Credit Card is compliant with standards.