In my earlier post about PCI Compliant Hosting, we have discussed about the PCI Compliance areas to be looked into when considering a hosting service provider. In this post, I would like to cover the scope and some of the key aspects of hosting to ensure you have the compliance towards PCI DSS
Some of the key services which requires PCI Compliant hosting include:
-
E-Commerce service providers
-
Online Banking
-
Firewall to separate the webserver from other webservers. Limit the open services and allow only secure communications. Also to separate any database servers from having access directly from the internet
-
Configure the webservers to have only the secure services allowed.
-
Enable HTTPS and use an SSL Certificate for web communications to your server
-
Enable SSH for terminal communication, instead of Telnet
-
Enable SFTP instead of FTP for file transfers
-
Configure your servers with unique usernames for all users who would be accessing your servers
-
Modify the vendor default settings to more secure configurations. The raw MYSQL server comes with no password for the root user, for example, which needs to be changed.
-
Implement encryption on critical database tables and store the encryption keys away from these servers
-
Configure your servers meet some baseline security configurations, examples can be found at CIS Security.
-
Use secure web applications if choose to use off the shelf product. Payment services or shopping carts such as PayPal, Google Checkout etc. can be of help and would make your liability very limited towards PCI Compliance
-
If you build web applications for the purpose, it should be code reviewed for security. Web Application Firewall should be set up to ensure web application security, you may use open source web application firewalls
-
Have a mechanism established for updating the security patches, it required for PCI Compliance
The key requirements which should be available with with the hosting in order it to be PCI Compliant includes:
In the next post related to PCI Compliance, I would try posting a checklist for verifying if the hosting service is PCI compliant hosting.
0 Comments