What it means to be a PCI Compliant Hosting Provider: 10 Standards That PCI Hosting Providers Must Meet
PCI security standards are set by the PCI Security Standards Council (PCI SSC) to protect payment cardholder data. The standards apply to any person, company, or other entity that stores, processes, or transmits cardholder data. The goal of the PCI standards is to build and maintain secure networks that protect confidential payment information from theft or other misuse. To comply with the PCI standards, hosting providers must meet the following criteria:
Requirement 1: Install and maintain a firewall and hardware configuration to protect cardholder data
For most, this may seem obvious, but the hosting provider should ensure that its servers are protected by firewalls. This is a good idea in any context, but it is essential to PCI compliance. Moreover, the hardware itself should prevent easy tampering, and any networks should prevent unauthorized access. These devices should restrict traffic from "untrusted" networks and hosts, prohibit direct public access to any sensitive data, and ensure safeguards against malicious outside attacks.
Requirement 2: Do not use vendor-supplied default passwords or security settings
Another obvious mistake is allowing easy access to a provider's hardware by being too lazy to change default passwords and security settings. For PCI compliance, vendor-supplied passwords must always be changed, the server must create and follow secure configuration standards, and data must be transmitted and stored via encrypted means.
Requirement 3: Protect stored cardholder data
Generally, for PCI compliance, cardholder data should never be stored unless absolutely necessary. In the unusual instance when such information is stored, it should be rendered unreadable without corresponding decryption. For PCI compliance when data is stored, the data retention period must be limited to the period necessary for an identified and legitimate purpose, it must not be stored after authentication, and PANs must be masked and unreadable wherever they may be stored. Moreover, encryption keys must be protected, and all key management processes and procedures relating to protecting stored cardholder data should be documented.
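An added example, not part of the original article: one way to check that PANs are masked wherever they are stored is to scan stored text (here, constructed log lines) for Luhn-valid card numbers and mask any that appear in the clear. The first-six/last-four mask format, the function names and the log layout are assumptions made for this illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (assumed mask policy), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Return (scrubbed_line, hits); hits counts Luhn-valid PANs that were masked."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # order ids and similar digit runs pass through
        hits += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), hits

# Constructed sample log lines; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 charge ok pan=4111111111111111 amount=19.99",
    "2024-01-05 12:00:02 charge ok pan=4111-1111-1111-1111 amount=5.00",
    "2024-01-05 12:00:03 order id=1234567890123456 shipped",
    "2024-01-05 12:00:04 charge ok pan=411111******1111 amount=7.50",
]

def scan(lines):
    """Scrub every line; return (cleaned_lines, total_unmasked_pans_found)."""
    results = [scrub_line(line) for line in lines]
    return [r[0] for r in results], sum(r[1] for r in results)

if __name__ == "__main__":
    cleaned, count = scan(SAMPLE_LOG)
    print(f"{count} unmasked PAN(s) found")
    print("\n".join(cleaned))
```

A non-zero count on stored files means card numbers reached disk in the clear, which points back to the application or logging configuration that wrote them.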
Requirement 4: Encrypt cardholder data transmission
Since cardholder data travels over networks, criminals can intercept it while it is in transit over open, public networks. Thus, cardholder data must be encrypted by the host prior to transmission in order to achieve PCI compliance. The cryptography must render the data unreadable without the accompanying cipher.
Requirement 5: Use updated anti-virus software
Another obvious requirement: PCI compliant servers must use up-to-date anti-virus software.
Requirement 6: Secure and fully patched systems
For PCI compliance, a host's critical systems must have the most recently released software patches to prevent exploitation. Moreover, any applications running on the host's servers should feature best coding practices designed to defend against and defeat errors and malicious attacks. Updates should be installed as soon as practical, risks should be regularly assessed and addressed, and all public-facing elements should be protected against known vulnerabilities.
Requirement 7: Restrict data to certain personnel
While securing a system provides a certain layer of security, people are much more likely to leak sensitive information than a computer. Thus, for PCI compliance, critical data should only be accessible by authorized personnel. The hosting provider should establish access control protocols and tightly restrict access based on a user's need to know.
Requirement 8: Assign a unique ID to each person with computer access
Akin to requirement 7, tracking where leaks may occur can be critical to plugging gaps in security. Thus, PCI compliance requires the assignment of unique identification (ID) to each person with access to a PCI compliant server. The ID should be supported by additional safeguards such as two-factor authentication and password encryption.
Requirement 9: Restrict physical access to cardholder data
Just as electronic access should be restricted, so too should physical access to both the raw data and any servers hosting that information. PCI compliant servers must be housed in entry-controlled facilities that have procedures in place to limit access and distinguish between authorized personnel and visitors. The hosting service should maintain a visitor log, store back-ups in secured locations (preferably off-site), and promptly destroy any media containing sensitive information once it is deemed no longer necessary.
Requirement 10: Test regularly
A system is only as secure as its performance when most needed. To ensure the security of a PCI compliant hosting server, regular testing must be performed. This testing should include safeguarding against wireless access points, running internal and external network vulnerability scans, using network intrusion detection systems, and deploying file integrity monitoring tools to alert personnel to unauthorized access or modification of protected files.
Importance of PCI Compliance
Not only can PCI compliance ensure the satisfaction and security of credit and debit card customers, it is also crucial for maintaining a site's security certifications. Those security certifications will most likely be required by card processing services to maintain a site's privileges. Thus, identifying hosting providers that meet or exceed PCI compliance standards can be crucial for the health and safety of both your customers and your own continuing operations.