PCI Hosting Information & Guide

The guide to PCI Compliance and PCI Web Hosting

PCI Web Hosting News

Stay up to date on the latest news about PCI DSS compliant web hosting resources when you read the blogs, articles and news items below. Have a question? Contact us for more information.

Understanding the SAQ

Posted on Sep 20, 2013 in PCI Compliance

The Self-Assessment Questionnaire is an integral tool for finding the PCI compliance services that are applicable to you. Yet, understanding the questionnaire itself can be so confusing that you might wish you had a tour guide. Here are a few quick tips that can help you better understand the SAQ.

Merchant Levels

If you’re working on PCI compliance, then you’re probably already aware that your merchant level has an impact on which metrics you’re required to meet. One of the things it determines is whether or not you should take the SAQ at all. Only some merchants can use this questionnaire as a guide for determining their PCI compliance.

If you’re eligible to use the SAQ, it might surprise you to learn that there are actually a number of different questionnaires, not just one. Although each questionnaire includes a number of PCI DSS requirements ranging from your physical server to using only PCI compliant web hosting, the specifics are different for each merchant definition.

For example, card-not-present merchants, who outsource all cardholder data functions, will have a different set of rules for achieving compliance compared to merchants who use physical payment terminals. Some processes are fairly straightforward, while others will require a more significant investment.

Staying Safe

Once you’ve filled out the self-assessment questionnaire, you’ll have a much better idea of where you stand in terms of PCI-DSS compliance. If your answers indicate that you need to make some changes to your web hosting in order to become compliant, please don’t hesitate to contact us today for help navigating local PCI compliant providers.

Unanticipated Changes Could Cost You in Compliance

Posted on Sep 19, 2013 in PCI Compliance, PCI Web Hosting Provider

The business world has always changed quickly, but rapid advances in technology have brought things up to light speed. If you’ve made any recent changes to your business, it’s worth taking a few hours to review whether your PCI compliance services are still keeping you protected. Here are some things to keep an eye on.

Changing Levels

Many of the PCI DSS guidelines are based on your merchant level. If business is booming and you’ve significantly increased the number of credit card transactions you’re processing, you might find that your existing PCI compliant web hosting provider is no longer meeting the metrics of your new merchant level.

Internal levels may have changed as well, not in terms of cardholder data or transaction volume, but in terms of process. One small change on the IT end could grant your developers permission to make code changes or access certain data from their homes. If that means that cardholder data has migrated out of your secure database and is now vulnerable, your business could be found in violation of the PCI DSS.

An easy way to double check your existing PCI DSS requirements and make sure that you’re still following them to the letter is to compare your current configuration against your most recent Self-Assessment Questionnaire (SAQ). If all the data is still accurate and applicable, you should be able to keep on doing business as usual.

Checking Permissions and Verifications

Are you sure who has access to your cardholder data? Is your business small enough that you know exactly who’s been hired or fired since the last time you filled out the SAQ? If you can answer yes to both of those questions, you’re well-positioned to maintain your existing PCI compliance services. If you’re not positive, this is something that definitely needs reviewing.

Employees who have been hired, fired or promoted will all mean re-verifying permissions. If an employee is no longer with the company, or if they’ve switched positions to a department that no longer requires them to have access to cardholder data, their permissions should be revoked. Check your current permissions list against your personnel records to confirm that nothing has changed, and adjust the necessary access accordingly.
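The access review described above can be made repeatable by reconciling the list of accounts that can reach cardholder data against the HR roster. The following is an added example, not code from the original post; the roster format, the department names and the account names are constructed assumptions, and the rule that only named departments need cardholder-data access is a hypothetical policy standing in for your own.

```python
"""Reconcile cardholder-data-environment (CDE) access against the HR roster.

Added example, not from the original post. The input formats, department
names and account names below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Departments assumed (hypothetically) to need access to cardholder data.
CDE_DEPARTMENTS = {"payments", "fraud-ops"}


@dataclass(frozen=True)
class Employee:
    username: str
    department: str
    active: bool  # False once HR marks the person as departed


# Constructed sample HR roster.
HR_ROSTER = [
    Employee("alice", "payments", True),
    Employee("bob", "marketing", True),      # moved out of payments last month
    Employee("carol", "fraud-ops", True),
    Employee("dave", "payments", False),     # left the company
]

# Constructed sample of accounts currently granted access to the CDE,
# as an access-control export would list them.
CDE_ACCESS_LIST = {"alice", "bob", "carol", "dave", "svc-legacy"}


def find_revocations(roster, access_list, allowed_departments=CDE_DEPARTMENTS):
    """Return (to_revoke, reasons): accounts in access_list that the roster
    no longer justifies. Anyone not on the roster at all is flagged too,
    since an orphaned account is exactly what a periodic review should catch."""
    by_user = {e.username: e for e in roster}
    reasons = {}
    for account in sorted(access_list):
        emp = by_user.get(account)
        if emp is None:
            reasons[account] = "not on HR roster (orphaned or service account)"
        elif not emp.active:
            reasons[account] = "employee departed"
        elif emp.department not in allowed_departments:
            reasons[account] = f"department '{emp.department}' does not need CDE access"
    return set(reasons), reasons


def find_missing_grants(roster, access_list, allowed_departments=CDE_DEPARTMENTS):
    """Active staff in an allowed department who lack access: confirms the
    review did not silently lock out someone who still needs it."""
    return {e.username for e in roster
            if e.active and e.department in allowed_departments
            and e.username not in access_list}


if __name__ == "__main__":
    to_revoke, why = find_revocations(HR_ROSTER, CDE_ACCESS_LIST)
    for account in sorted(to_revoke):
        print(f"REVOKE {account}: {why[account]}")
    print("missing grants:", find_missing_grants(HR_ROSTER, CDE_ACCESS_LIST))
```

Run against the constructed data, the review flags bob (changed department), dave (departed) and svc-legacy (no owner on the roster); the last case is the one that manual reviews most often miss, which is why the script treats "not on the roster" as a finding rather than ignoring it.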

In addition to verifying personnel, you should also verify processes and policies. Part of ensuring that you achieved PCI compliance in the first place should have entailed coming up with new processes, policies and procedures that are in line with PCI DSS guidelines. Yet, the rules are made to be broken, and it only takes one rogue employee who decides not to follow those metrics to make your entire business noncompliant.

Make sure that daily operations are still securely configured, and that all necessary processes are being followed consistently. It takes very little to introduce a new vulnerability to the cardholder environment; regular verification is essential.

Follow Procedure

If your merchant level requires you to conduct rule set reviews on your firewall and router, make sure that you do so after any hardware changes or software upgrades to ensure continued compliance. A quarterly vulnerability scan is required for some merchant levels, so keeping on top of any changes within your company before an assessor points them out is a good idea.

Whether your business has undergone massive restructuring or a few little changes here and there, it’s still a good idea to review your PCI compliance and make sure it’s in good standing. The last thing you want is for an unexpected change to cost you your compliance.

Help Centers and PCI Compliance

Posted on Sep 10, 2013 in PCI Compliance

Maintaining security for online transactions by using a PCI compliant hosting provider and taking other measures to limit vulnerability is one thing, but how do you ensure compliance in a call center environment where cardholder data is exchanged verbally on a daily basis?

This Call May Be Recorded

Any organization that handles sensitive data from its customers, namely credit card or debit card account numbers, is responsible for ensuring that every possible step is taken to keep that data safe and secure. This extends to the recorded calls that are a typical part of life at a help center.

Whether calls are being recorded for posterity or just as part of the employee training program, storing those recordings falls under the scope of PCI DSS guidelines if cardholder data is shared during the call. With credit card fraud and ID theft both on the rise, organizations are under more pressure than ever to prevent potential security breaches.

Ignorance, as they say, is no excuse for breaking the law. If your organization handles cardholder data, it must comply with the PCI DSS standards. There are many options available for compliant call recording that don’t have to mean sacrificing great customer service. The important thing is to implement a solution sooner rather than later, and keep cardholder data safe.

If you have any questions about how to achieve and maintain PCI compliance in a call center environment, please don’t hesitate to contact us today. Our team can walk you through the necessary steps to find local providers in your area who know exactly how to handle call center compliance.

Planning Ahead for PCI Compliance

Posted on Aug 22, 2013 in PCI Compliance

The Internet has made it easier than ever to start your own company right from the comfort of your living room couch, and all you have to do is accept credit card payments online. Yet, the second you start processing cardholder data, you’re bound by the PCI-DSS guidelines. How can you be sure that you’re not missing any requirements for PCI compliance services? The answer is simple: plan ahead from the start.

Looking Forward

If you know that you’ll be running a business where you’ll be accepting credit card payments, or other payment transmissions via mobile device or tablet, the best thing you can do for your company is to start planning ahead. Any form of processing, transmitting or storing cardholder data puts you under the jurisdiction of the PCI-DSS guidelines. As a merchant, even one conducting a very small amount of business, it is your responsibility to provide a secure platform for all your transactions.

To start, you’ll need a PCI compliant hosting provider to host your site; this ensures that your provider is already familiar with the PCI-DSS guidelines that you’ll need to follow. Also remember that just having a provider who says they’re compliant doesn’t mean that the responsibility is out of your hands. Instead, you’ll still want to verify their credentials, both for your own sake and the sake of your future customers.

The real expenses in PCI compliance lie in scrambling to update equipment and processes that have been around since before the compliance guidelines went into effect. For new companies that incorporate the PCI-DSS guidelines into their business as they grow, compliance should be a snap.

Contact Us today for help in choosing a PCI compliant web host, a key piece of any successful PCI compliance program for online businesses.

Biggest Challenges in Mobile PCI Compliance

Posted on Aug 17, 2013 in PCI compliant dedicated server

Most of us think of things like security audits, log reports and PCI dedicated servers when we plan for PCI compliance. Yet, the reality is that a lot of ecommerce is becoming M-commerce: transmitting transactions through mobile devices, and not through computer networks at all. What are the biggest challenges in ensuring mobile PCI compliance?

Keeping Up with Technology

Compliance industry experts say that the biggest challenge right now is how quickly technology is changing. As quickly as regulation boards are able to move forward with new applicable guidelines for consumer protection, technology outstrips those rules almost immediately.

New payment techniques via mobile device just make criminals more inspired to develop a fresh hack that will swipe the necessary cardholder data. Transmitting payment information over a mobile network is far different than processing payments on a secure website that uses PCI compliant hosting for extra safety, and isn’t protected in the same way.

The PCI council continues working on developing new approaches that will help keep mobile consumers safe. Yet, malicious activity is increasing across the vulnerable mobile platforms far more quickly than it spread through PC networks.

Taking Precautions

Of course, one of the biggest challenges in protecting mobile commerce is driving home to individual users that there is a potential threat in using mobile devices for transmitting card data. Many people feel that the transaction must be safe when they’re making a purchase right from their own private phone. In reality, there are still risks at hand that need to be assessed and addressed as the popularity of M-commerce continues to grow.

We are happy to help if you need to choose a PCI compliant web host who understands your mobile needs. Feel free to Contact Us online for more information.

What Makes PCI Programs Fail

Posted on Aug 12, 2013 in PCI Compliance

By now, businesses know that using PCI compliance services is a must in order to meet the PCI DSS guidelines. Yet, despite attempts to become compliant, some companies still fail. What are the primary reasons that PCI compliance presents so many challenges?

Failure to Plan

The reason that enterprises most often end up with a system that’s just not working is failure to plan properly. A number of issues need to be addressed when it comes to compliance, including the use of encryption, understanding vulnerabilities and using only PCI compliant web hosting providers. Too many businesses think they can skip a few steps and still achieve compliance. In reality, achieving and maintaining compliance is a very precise science.

In addition to neglecting proper planning, there’s the other failure of having a good plan in place that’s simply too shortsighted. Remember, PCI compliance is not a static end goal; it’s an ongoing process that requires regular assessments and audits. Daily operations and employee training are part of ensuring compliance; without addressing these smaller steps as well as the larger ones, the progress you make simply won’t last.

Achieving Successful Compliance

On the upside, you now know exactly the tools you need to achieve compliance success: planning ahead, and planning long-term. By taking a forward-thinking approach toward compliance, you can set up a system now that will remain relevant in the future, without having to worry that you’ll be playing catch-up to new regulations forever. Educating yourself about compliance and taking the steps to ensure not just present success but continued success will give you a compliance plan that lasts.

If you need help in choosing a PCI compliant web host, Contact Us today and let us do the legwork for you. A compliant host is a key piece of any successful PCI compliance program for online businesses.

The Highest Costs of PCI Compliance

Posted on Jul 23, 2013 in PCI Web Hosting Provider

When developing a successful strategy for PCI compliance services, it’s a good idea to be prepared for where the highest compliance costs hide. Here’s a look at the top three largest investments for achieving and maintaining PCI compliance.

Physical Access Security

Although many merchants think of PCI compliance as a virtual safeguard, the PCI DSS guidelines also have requirements for physical protections of any hardware that stores or processes cardholder data. For example, entry alarms or security cameras may need to be installed at the physical facility where your servers are located. Some of these costs may be alleviated by only working with PCI compliant hosting providers, but always double check their credentials.

Data Encryption

Virtual protection is another high cost associated with achieving and maintaining PCI compliance. Small businesses and other merchants who store cardholder data after processing their sales will be held responsible for ensuring that all PCs and servers are equipped with hard disk encryption, including any employee laptops that are used to access sensitive data. Remember too that backup tapes are not exempt.

Tests and Scans

The cost of vulnerability scans and network penetration tests can add up pretty quickly. A lot of companies that offer vulnerability scanning services will also offer package deals that some businesses may be eligible for based on size and frequency of scans. For these businesses, a package price can greatly reduce overhead spent on testing and scanning. For most merchants, quarterly scans are required, so be sure to plan ahead.

Although the three expenses listed may be among the highest costs, that doesn’t mean they’re impossible to manage. Simply budget for your PCI compliance investment accordingly, and there won’t have to be any unpleasant surprises in your compliance costs.

Contact Us today for help in choosing an affordable PCI compliant web host as part of your comprehensive compliance package.

3 Tips for Long-Term PCI Compliance Success

Posted on Jul 13, 2013 in PCI Compliant, PCI compliant dedicated server

Far too many companies look at PCI compliance as a short-term mandatory necessity. Just because you’ve jumped through a few of the initial hoops toward compliance, like taking the self-assessment questionnaire, consulting a Qualified Security Assessor or using PCI compliant hosting, that doesn’t mean you’re home free. Here are the top three tips for ensuring long-term PCI compliance.

Invest In Your Vendor

Choosing your vendor wisely is an integral part of ensuring long-term PCI compliance. Whether you’re starting out a new compliance program from scratch or simply trying to update your existing system, a strong vendor partnership is critical. An educated vendor will help you understand the hardware end of compliance, like whether or not you need a PCI compliant dedicated server for your hosting needs, as well as keeping you informed of any changes in the PCI DSS standards.

Educate Employees

PCI compliance is not an end goal to be reached. Instead, it’s an evolving process that requires the cooperation of everyone involved including your employees. Educating your workers on the importance of compliance and what their role is will help drive home the consequence of failing to maintain PCI DSS standards. Continued education will help reinforce the need for compliance among any employees or management who have access to credit card information.

Don’t Forget the Paper Trail

Despite all the advances in technology available today, there are still those hackers who look for credit card data the old fashioned way: in your garbage. Don’t forget to manage your paper trail in addition to any virtual data records. Receipts should never include a full credit card number, and any sensitive paper records should be shredded if storage isn’t required.
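The rule that a receipt must never carry a full card number is easiest to enforce in code, at the point where the receipt or log line is rendered, rather than by hoping every template is correct. The block below is an added example, not code from the original post: it masks a primary account number down to its last four digits and scans free text for card-number-shaped digit runs, using the Luhn check digit to avoid clobbering order numbers that merely look like PANs. The receipt text and the card numbers in it are constructed test values, not real accounts.

```python
"""Mask primary account numbers (PANs) before a receipt or log line is
printed or stored. Added example, not from the original post; the sample
receipt text and card numbers below are constructed test values."""
import re

# Digit runs of 13-19 characters, optionally separated by single spaces or
# dashes, which covers the length range of real card numbers.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Return the PAN with every digit except the last `keep_last` replaced by '*'.
    Separators are dropped so the masked value does not leak the grouping."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid, PAN-shaped digit run in free text with its masked form.
    Runs that fail the Luhn check (order and reference numbers) are left untouched."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed receipt: one 13-digit order number that is not a card number,
# followed by two well-known test card numbers in different separator styles.
RECEIPT = (
    "Order 1234567890123 paid with card 4111 1111 1111 1111 exp 12/26\n"
    "Ref 5500-0000-0000-0004 approved"
)

if __name__ == "__main__":
    print(redact_pans(RECEIPT))
```

Applied to a receipt template's output just before printing, or to an application log line just before it is written, this keeps the last four digits a customer needs to recognise their card while removing the full number from paper and disk alike; the Luhn test is what lets the same filter run over arbitrary text without mangling unrelated identifiers.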

Contact Us today and let us help you choose a PCI compliant web host as part of your comprehensive PCI compliance program.

How to Build a Successful PCI Compliance Program

Posted on Jul 2, 2013 in PCI Web Hosting Provider

One of the most common mistakes in attempting to build a successful PCI compliance program is to start out with the wrong impression of what, exactly, PCI compliance entails. This leads merchants to pursue PCI compliance services with an attitude of crisis management rather than thinking about long-term risk mitigation. Here are some tips to help you build a more successful PCI compliance program.

Look Before You Leap

Internal pre-assessments are an essential part of building a successful PCI compliance program. Although an external assessment by a QSA is required for some merchant levels, waiting for an outside party to tell you what’s wrong with your system isn’t really cost effective. Instead, take the self-assessment questionnaire to proactively identify potential vulnerabilities before implementing any compliance measures.

Assume Accountability

Many businesses think that achieving PCI compliance is as simple as signing a contract with a PCI compliant hosting provider who will take care of all the details. In reality, no matter who hosts your data storage or web pages, each business still carries a certain amount of accountability to the PCI DSS guidelines to ensure compliance. It only takes a little research to learn what your responsibilities are as a business and merchant, so take time to do your homework.

Document, Document, Document

Since intent is part of compliance, it’s important to document your process for achieving compliance in the first place. Keep track of your efforts, and be sure that you’re actually following through on everything you’re documenting as well. This approach will also help you meet the PCI DSS requirements for evidence of both the documentation itself and the effectiveness of your implementation. Documentation also provides a level of repeatability, another essential component of meeting PCI DSS guidelines.

Contact Us today for help in choosing a PCI compliant web host, a key piece of any successful PCI compliance program for online businesses.

Survey Shows Vulnerabilities Decreasing

Posted on Jun 20, 2013 in PCI Compliant, PCI Web Hosting Guide

A recent survey shows that vulnerabilities may be on a downward trend when it comes to PCI compliance services. The recently released WhiteHat Website Security Statistics Report has been conducted every year since 2006 to present the statistics of existing website vulnerabilities, including those from custom Web applications. Is PCI compliant web hosting having a major impact on how merchants protect themselves from potential data breaches?

Looking at Numbers

The overall trend toward addressing vulnerabilities is encouraging. The remediation rate for all surveyed sites was 61 percent in 2012, which is almost double the 35 percent rate from the 2007 survey.

The top vulnerability for 2012 was cross-site scripting, affecting 43 percent of surveyed sites, followed by content spoofing, impacting 13 percent of sites, and information leakage, which affected 11 percent of respondents. Although half of all the scripting vulnerabilities were resolved, the average length of time taken to provide a resolution was 227 days.

Although initial response time may be slow, the sites that did experience breaches were more likely to have fewer vulnerabilities in the future – 51 percent fewer, in fact – as well as resolving those vulnerabilities 18 percent faster. Remediation rates were four percent higher than average as well.

On average, the surveyed websites contained 56 vulnerabilities last year alone, which may seem like a high number until you compare it with the 230 vulnerabilities per year that were reported in 2010.

At least one serious vulnerability was found in 86 percent of all websites; vulnerabilities are defined as serious if they could allow an attacker to compromise sensitive data or user accounts, or if they violate any of the PCI DSS compliance requirements.

These trends show businesses moving forward in a positive direction, although they still have a long way to go.