PCI Hosting Information & Guide

The guide to PCI Compliance and PCI Web Hosting

PCI Web Hosting News

Stay up to date on the latest news about PCI DSS compliant web hosting resources when you read the blogs, articles and news items below. Have a question? Contact us for more information.

Merchant Levels Breakdown

Posted on Jun 13, 2013 in PCI Compliant

Are you required to use PCI compliant hosting? Do you know the right guidelines to follow for your merchant level? This quick guide will give a brief overview of the PCI DSS requirements, and how they vary depending on the merchant level that your business is categorized under.

Understanding Your Level

Merchants at every level of business may need PCI compliance services to meet the PCI DSS standard if they process credit card transactions. However, the number of transactions processed each year determines the merchant level you fall into, which in turn sets more specific requirements. Lower-level retailers do not have to carry the same validation burden as merchants at higher levels, although businesses at every level need to meet the same basic security standards.

There are four different merchant levels defined by the PCI Security Council:

  • Level 1 merchants process over six million individual credit card transactions every year. An outside assessor (called a QSA) must visit your site to evaluate your existing security and prepare a Report On Compliance for your specific environment. Quarterly PCI scans are required as well.
  • Level 2 merchants run between one and six million credit card transactions every year. Instead of a full Report On Compliance, Level 2 merchants are allowed to complete the Self-Assessment Questionnaire (SAQ), fill out an additional form attesting that certain types of data are not kept on file, and submit quarterly PCI scans.
  • Level 3 merchants process between 20,000 and one million transactions annually. These merchants can complete the SAQ, and must carry out quarterly PCI scans.
  • Level 4 merchants run between one and 20,000 credit card transactions every year, and are allowed to complete the SAQ, although they still have to submit quarterly PCI scans.

These levels make it easier for businesses to understand the exact PCI requirements they must follow. If you still have questions about PCI DSS compliance and how it might relate to your choice of a web host for your business, we encourage you to contact us online.

Going Wireless

Posted on Jun 3, 2013 in PCI Compliant, PCI compliant dedicated serve

All companies accepting credit card transactions must stay in compliance with the PCI DSS guidelines. This can include using a PCI compliant dedicated server, maintaining and auditing security logs and access records, and other measures to keep cardholder data safe and secure. For merchants who use wireless local networks, there are a few extra measures that have to be taken. This applies even for companies who don’t use their wireless networks to transmit cardholder data.

Wireless Categories

There are three categories that companies can fall into when it comes to wireless networks, and each has its own set of requirements to follow.

  • No Wireless in Use: Companies that aren’t using wireless LANs must prove that fact, so there is no possibility that an attacker could use an unmanaged access point to reach cardholder data. The merchants in this category have to run a wireless intrusion detection system (IDS), plus perform quarterly scans documenting that no unauthorized access points have been found.
  • Wireless LANs Not Used for Card Data: Companies that do have wireless networks but aren’t using them to transmit sensitive cardholder data are required to inventory their wireless networks and update that inventory quarterly. These merchants will also have to install a firewall to ensure that the wireless network is completely separate from the wired network that stores cardholder data. This category, too, must use a wireless IDS.
  • Wireless LANs Transmitting Card Data: These companies must follow the above guidelines as well as enable role-based access to limit use to authorized personnel only. The LAN must be monitored, including logging and an audit trail.

With all else equal, most IT departments would prefer not to have to deal with the added challenges of wireless network security and administration. But it’s undeniable that employees today in many businesses can be more productive with a wireless computing environment. Using PCI compliant hosting and meeting other DSS requirements can help you achieve PCI compliance, but remember that you’ll need to go a few steps further with wireless networks.
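The quarterly wireless inventory and rogue access point check described for the first two categories can be scripted. The following is an added example written for this page, not code from the original post or from any PCI tool; it compares a constructed scan result against a constructed authorized inventory and flags unknown radios. The signal threshold, the sample BSSIDs and SSIDs, and the classification names are all assumptions made for the example.

```python
"""Wireless inventory check for the quarterly rogue AP review (constructed example).

An unknown BSSID is treated as a rogue suspect when it either broadcasts one of our
own SSIDs (impersonation) or is heard strongly enough to be on the premises; weak
unknown radios are recorded as neighbours. An empty inventory models the
"No Wireless in Use" category, where every strong radio is a finding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # radio MAC address as reported by the scanner
    ssid: str        # advertised network name
    channel: int
    signal_dbm: int  # received signal strength; closer to 0 is stronger


# Authorized inventory the merchant maintains (constructed sample data).
AUTHORIZED_INVENTORY = {
    "AA:BB:CC:00:00:01": "corp-staff",
    "AA:BB:CC:00:00:02": "corp-guest",
}

# One scan walk of the store floor (constructed sample data).
OBSERVED_SCAN = [
    AccessPoint("AA:BB:CC:00:00:01", "corp-staff", 6, -48),
    AccessPoint("AA:BB:CC:00:00:02", "corp-guest", 11, -55),
    AccessPoint("DE:AD:BE:EF:00:10", "corp-staff", 1, -40),   # our SSID on an unknown radio
    AccessPoint("12:34:56:78:9A:BC", "free-wifi", 6, -82),    # weak, probably next door
]


def normalize_bssid(bssid):
    """Scanners differ in case and separator; compare in one canonical form."""
    return bssid.strip().upper().replace("-", ":")


def classify_scan(observed, inventory, strong_signal_dbm=-70):
    """Sort observed radios into authorized, rogue_suspect, neighbour, and list
    inventory entries that were not heard at all (a missing AP also needs a look).
    The dBm threshold is an assumption to be tuned per site."""
    inv = {normalize_bssid(k): v for k, v in inventory.items()}
    findings = {"authorized": [], "rogue_suspect": [], "neighbour": [], "missing": []}
    seen = set()
    for ap in observed:
        bssid = normalize_bssid(ap.bssid)
        if bssid in inv:
            seen.add(bssid)
            findings["authorized"].append(ap)
        elif ap.ssid in inv.values() or ap.signal_dbm >= strong_signal_dbm:
            findings["rogue_suspect"].append(ap)
        else:
            findings["neighbour"].append(ap)
    findings["missing"] = sorted(set(inv) - seen)
    return findings


def render_report(findings):
    """Lines suitable for the quarterly record; each finding keeps the raw values."""
    lines = []
    for ap in findings["rogue_suspect"]:
        lines.append(f"ROGUE SUSPECT {ap.bssid} ssid={ap.ssid} ch={ap.channel} {ap.signal_dbm} dBm")
    for bssid in findings["missing"]:
        lines.append(f"MISSING {bssid} (in inventory, not observed)")
    for ap in findings["neighbour"]:
        lines.append(f"neighbour {ap.bssid} ssid={ap.ssid} {ap.signal_dbm} dBm")
    for ap in findings["authorized"]:
        lines.append(f"ok {ap.bssid} ssid={ap.ssid}")
    return lines


if __name__ == "__main__":
    for line in render_report(classify_scan(OBSERVED_SCAN, AUTHORIZED_INVENTORY)):
        print(line)
```

A rogue suspect still has to be located physically before it is recorded as unauthorized; the script only narrows the quarterly walkthrough to the radios worth finding, and the report lines give the audit trail the post asks for.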

Top PCI Compliance Myths for Small Businesses

Posted on May 14, 2013 in PCI Compliance

There are a lot of myths surrounding small businesses and the need for PCI DSS compliance. No matter how small your business is, if you process credit cards then you have to use PCI compliance services.

Once I Achieve Compliance, I’m Done

Many businesses believe that achieving compliance is a one-time purchase. In reality, compliance isn’t a matter of buying the right product or service and then forgetting about it. Ongoing audits, log monitoring and risk assessments are all a required part of PCI DSS compliance.

Compliance Is the Merchant Services Provider’s Job

Even though it’s convenient to have a merchant services provider processing your credit cards for you, that doesn’t mean that you’re totally free from having to maintain PCI compliance. Making compliance an in-house priority will help eliminate vulnerabilities and keep you and your customers safe from the results of noncompliance.

Becoming Compliant Is Too Expensive

While there are some significant costs associated with achieving compliance, the cost of noncompliance will be many times higher. Data breaches can result in fines, processing fees and loss of customer loyalty. Making the commitment to become and remain PCI compliant will be far less expensive in the long run.

Small businesses aren’t exempt from PCI compliance, but they don’t have to go bankrupt meeting the guidelines, either. For many small businesses, making minor changes in daily operations can be a manageable step toward achieving PCI compliance. Installing firewalls, using PCI compliant web hosting for online transactions, and maintaining security logs are all a good start toward protecting you and your customers.

Noncompliance: Fees or Fines?

Posted on May 10, 2013 in PCI Compliant

If you’re using PCI compliant hosting for your online website transactions, you’re running a much lower chance of being slapped with fees or fines for PCI noncompliance. What’s the difference between fees and fines, and when are you at risk for either one?

Fees

Noncompliance fees are used by processors to deliver a costly reminder that’s supposed to encourage businesses to become compliant with the PCI DSS guidelines. Fees are relatively small, and may be charged either monthly or annually. Some processors will charge a noncompliance fee simply because a company fails to deliver proof of its compliance with the PCI DSS guidelines.

Since these fees are set (and collected) directly by the processors, they are responsible for both determining the fee and validating compliance.

Fines

Neither Visa nor MasterCard imposes this type of monthly noncompliance fee, although there is a persistent myth that processor fees are a penalty imposed directly by the card brands and then passed on to merchants by the processors.

While Visa and MasterCard don’t charge noncompliance fees, they will issue fines to merchants who are noncompliant when that compliance failure leads to a data breach or other security issue. These are usually one-time charges that are impressively hefty.

Eliminating Extra Charges

Ensuring and maintaining PCI compliance can prevent being subjected to either fees or fines. Using a PCI compliant dedicated server to host your website can protect your electronic transactions, while installing the firewalls, antivirus and network partitioning required by the PCI DSS guidelines will protect your internal network. These measures, along with following the other steps of PCI DSS, will give you and your customers a safe, fee-free experience.

Understanding the PCI Compliance Self-Assessment Questionnaire

Posted on May 3, 2013 in PCI Compliance

The road to PCI compliance starts with the self-assessment questionnaire (SAQ). But the compliance process is complex enough that you may need assistance just to get started with the SAQ. Which assessment applies depends primarily on the number of credit card transactions processed in a year, as well as whether sales are made primarily from a physical location or online.

Four Different Questionnaires

There are four different versions of the self-assessment questionnaire (designated A, B, C or D), with each one geared to address the different needs of your company based on the ways your business processes, transmits and stores cardholder data.

• SAQ A: These merchants are designated as card-not-present, meaning that transactions occur over the phone, by mail or online via PCI compliant hosting, rather than face-to-face; cardholder data storage and other functions are completely outsourced.

• SAQ B: These merchants are called imprint-only. They either don’t use cardholder data storage, or they function as stand-alone dial-up terminal merchants.

• SAQ C: These merchants use payment application systems that are connected directly to the Internet, but don’t store any cardholder data.

• SAQ D: Any merchants who don’t fall into the other three categories, and who store cardholder data electronically, must take this SAQ, the longest of the four versions.

The Bottom Line

There are some other factors that help determine which SAQ you should fill out. For example, many businesses end up having to access cardholder data multiple times (as in the case of recurring payments, or changing a card number), which would put them into the SAQ D category. Businesses also have the option of outsourcing their cardholder data storage to a vendor that uses a PCI DSS compliant data storage facility. This allows them to use a different SAQ.

The Dangers of Cutting Corners on PCI Compliance

Posted on Apr 10, 2013 in PCI Compliant

When looking at PCI compliance services, it’s easy to feel intimidated by the bottom line and look around for ways to reduce costs. While making financially sound decisions is an integral part of keeping any business solvent, PCI compliance is one place you don’t want to cut corners.

Serious Sanctions

Non-compliance with the PCI DSS requirements can be enormously costly in fines and sanctions. There is a $50,000 fine charged per day for non-compliance. An actual data breach could cost $500,000 per data security breach incident; conceivably, this could mean $500,000 per cardholder whose data had the potential to be accessed. Merchants are also responsible for covering any fraud losses that occur due to compromised account data, and assume liability for costs associated with reissuing compromised cards. Merchant accounts also run the risk of complete suspension.

Running Risks

The average cost of compliance through steps like updated anti-virus software, internal security audits and using PCI compliant web hosting is far less than the cost of non-compliance. The only difference is, compliance costs are all laid out on a spreadsheet, while non-compliance costs come in the form of sanctions and loss of business reputation.

In the end, non-compliance just isn’t worth running the risk. Just a single incident of compromised data has the potential to put you out of business in terms of fines and sanctions alone, not to mention the loss of customer trust. Making the shift toward compliance now is going to be far easier than getting slapped with sanctions and moved up to a higher merchant level with stricter PCI compliance services guidelines after your cardholder data gets hacked.

3 Steps to PCI Compliance

Posted on Apr 4, 2013 in PCI Compliant

Maintaining PCI DSS compliance is critical for every merchant who processes, transmits or stores cardholder data. Yet obtaining compliance can feel overwhelming and confusing, given the number of requirements specified in the guidelines. Here are three easy steps toward ensuring that your business is PCI compliant.


Honest Assessment

The first step in becoming compliant is through an honest assessment of your business. The PCI Security Standards Council offers a self-assessment questionnaire designed to help you do just this. You’ll need to look at many aspects of your business, including your existing security audit approach and anti-virus software. You’ll also have to extend this evaluation for all devices that have access to the cardholder data environment, including personal computers and mobile devices.

Minimize Vulnerability

After your assessment, you’ll have a good idea which areas are leaving your business most vulnerable. Take steps to reduce your exposure to potential (and potentially expensive) data breaches, from software code flaws to unsafe daily business practices. Make sure your website is run through a PCI compliant hosting provider that meets all the encryption requirements of the PCI DSS.


Ongoing Maintenance

Too many businesses think PCI compliance is static. In reality, maintaining PCI compliance requires constant vigilance, updates, surveys and audits to ensure that your customers’ cardholder information is continually protected. Failing to do so could mean sanctions and the addition of stricter, more specific PCI guidelines to follow.

Regardless of the size of your business, PCI compliance is now a necessary factor you need to take into consideration. Every aspect of your daily activities, including software and hardware, that relate to cardholder data needs to be assessed, evaluated and protected going forward.

Focus on Vulnerability Management

Posted on Mar 28, 2013 in PCI Compliant

As part of the PCI DSS guidelines, businesses are required to have a vulnerability management program in place. This includes using and regularly updating anti-virus software and programs according to Requirement #5, as well as Requirement #6: developing and maintaining secure systems and applications. One way to fulfill both of these requirements is by using PCI compliant hosting services.

Requirement #5

To the personal PC user, anti-virus software is equated with those irritating pop-up boxes reminding you to renew your subscription or update your database. It’s easy to click them shut and forget they ever existed, yet doing so leaves your system open to attacks from viruses, worms and other malware that are commonly transmitted by daily business activities like opening emails.

For the small business owner, ignoring your anti-virus isn’t a risk you can afford to take. Every system with the potential for attacks via malware must be protected from existing and future threats with anti-virus software, including mobile devices or personal computers that hold a connection with the cardholder data environment.

Your anti-virus software also needs to be capable of generating audit logs to verify PCI compliance if needed.

Requirement #6

Along with anti-virus software, you also need to eliminate the security vulnerabilities that may already exist in your systems and applications. Review and install any security patches that have been provided by your vendor; a PCI compliant dedicated server can only do so much if you’re not maintaining the necessary updates and installations on your end.

When it comes to PCI compliance, safe is definitely better than sorry. Take the extra step to get your systems in order, and maintain your anti-virus protections instead of ignoring their instructions.

Correcting Misconceptions about PCI Compliance Services

Posted on Mar 4, 2013 in PCI compliant dedicated serve


3 Misconceptions about PCI Compliance

With all the guidelines required for ensuring PCI compliance, it’s no great mystery that so many misconceptions have sprung up about the process. Misunderstandings range from whether or not you need a PCI compliant dedicated server to whether cloud storage violates compliance requirements. Here are a few of the top myths exposed.

It’s Once a Year

Many online merchants believe that PCI DSS compliance is just an annual obligation rather than the ongoing process it needs to be. In reality, PCI compliance services are just as much about internal processes as they are about hardware and software requirements. Methods need to be tracked, logs must be kept and records have to be detailed enough to protect you in the event of any questions down the road.

It’s Just for Big Companies

While it’s true that there are different tiers of service providers, there is no threshold below which a company that processes cardholder data may toss the PCI DSS guidelines by the wayside. Smaller companies are adopting compliance much more slowly than larger companies, and yet they’re much more vulnerable. If there is a breach, customers are much more likely to blame the little guy than the more trusted national brand.

It’s Pointless

While security breaches still happen even in large companies that are dedicated to PCI compliance, that doesn’t mean there’s no point in taking extra precautions within your own enterprise. Hackers will always find new ways to hack; companies that run more frequent security scans stand a better chance of protecting cardholder data than those that don’t maintain PCI compliance.

Avoiding PCI Compliance Violations

Posted on Mar 1, 2013 in PCI Compliance

The PCI DSS guidelines are in place to protect cardholder data and other sensitive consumer information. Identity theft, system hacking and unauthorized account access are all examples of the risks that are greatly reduced by following these guidelines. If you fail to maintain PCI compliance, you run the risk of being slapped with some serious violations.

Standards of Violation

If a company declines to follow the PCI DSS guidelines, there are a few violations that can take place. First, the payment brand can issue a fine ranging up to $100,000. That’s not a one-time fee; it’s a cost charged per month. Businesses run the risk of suffering increased transaction fees at best, and termination of their account by the bank at worst. In the end, your customer base will bear the brunt of these added costs and inconveniences. Violations can be catastrophic to the continued vitality of small businesses in particular.

Understanding Requirements

Ignorance of the law is no excuse, so your best line of defense is to research PCI standards and learn what the data security requirements mean for your enterprise. Any organization that accepts credit cards as a payment method has to maintain PCI compliance. The requirements range from using PCI compliant hosting for your website to maintaining logs and running regular audits.

It’s also important to realize that generic compliance isn’t enough for every business; each individual card provider often has a separate set of required PCI compliance services that may exceed the basic standards. In order to ensure total compliance, you’ll want to check the different mandates from each card company. Together, these steps should help you avoid costly PCI compliance violations.