We sell our WordPress Hosting and Universal Hosting as suitable for PCI Compliant applications, but what does that actually mean? What is PCI Compliance and should you be worrying about it?

What is PCI-DSS Compliance?

PCI-DSS (Payment Card Industry – Data Security Standard) is an information governance standard, handling security and the information around making payments through credit card providers. This standard was created by the Payment Card Industry Standards Council and is a requirement for sites that process card data from firms like Visa, Mastercard and American Express.

While PCI-DSS is not a legal standard enshrined in law, it is almost certainly written into contracts that provide any credit card processing service. Failing to meet compliance can result in your ability to process card data being withdrawn and potential punitive fines and other measures.

At its heart, PCI-DSS is based around 6 broad concepts

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Each of these broad concepts has specific things that should be done and tested to reach a level of compliance.

These concepts and the specification are not based around a single piece of hardware, application or service but business processes. So while we can offer help, advice and can provide guidance on our platform, moving to our platform (or anyone) will not in itself make you compliant.

How do we help?

We have designed our technology stack on the Universal and WordPress Hosting platforms to meet the requirements of the PCI-DSS specification. We work with you to help make sure things that are out of your control (the version or configuration of system packages for example) not only meet the specification but also will pass automated scans, or we can provide “mitigation” as to why the scan may be a false positive and work with the scan vendor and yourself to prove compliance.

Obviously code you put on the server is your responsibility but even there we can help, for example on our WordPress Platform, we provide automated updates for WordPress plugins.

How do you become compliant?

This depends on your turnover and transaction volume but for the vast majority of users, PCI-DSS compliance is a matter of completing the Self Assessment Questionnaire. For companies with larger turnovers, you may need to be accessed by an external audit partner rather than going through self-assessment.

If you are unsure whether you need to be undergoing PCI-DSS compliance assessment then the merchant gateway you use will be able to tell you. This may be one of the popular providers such as Stripe or WorldPay. In the case of companies like PayPal the requirement for PCI-DSS will be dependent on how you are using them and the individual services. If in doubt ask your payment provider.

If you are required to do an assessment, your payment provider is likely to ask for a copy of your self-assessment questionnaire along with an independent vendor scan. These scans are an automated way of seeing if your website is in compliance. This is normally the time we would get involved as from time to time, the scan will come back with problems like the version of OpenSSL in use is out of date and insecure.

This isn’t something you can fix and is part of the system. In such cases we will look at the failure and either fix it if indeed its an issue or offer mitigation.

We normally find it is latter, for example the OpenSSL version might indeed not be the latest, but it is the latest available via RedHat repositories and has backported security fixes. Most of our infrastructure is based around RedHat/CentOS who manage their own fixes for software, so while we might be using an older version of the software, Redhat’s own team will have patched it to make sure it has the same security patches as the latest software.

In such cases, we normally provide you with some standard copy along the lines of, “This software is based on RedHat version of XXXX. Its full version string is YYYY and was last updated on ZZZZ.” The scan vendors then receive that, confirm it’s correct, and change the failure to a pass.

If the issue is not solved by backported security patches we will make appropriate changes, for example if an older cypher is being used in SSL or SSH we will remove the cypher. We will do this not only on your site but across our platforms as a whole to maintain everyone’s security. This is rare because we proactively check for things like this before the scan vendors would pick them up.

So what can you do to help compliance on your sites?

SSL/TLS

Make sure you have an SSL certificate in place as the lack of one will give an instant fail. Thankfully setting up SSL with us is a single click process on both our WordPress and Universal Platforms. We also automatically configure the connection over SSL to meet and exceed the PCI-DSS specification.

Don’t process the card data directly

Most payment companies provide ways to take payments via their site and thereby significantly reduce the scope for PCI-DSS compliance. Simply using a third-party provider might not remove all compliance requirements but it should drastically simplify matters.

Maintain and regularly audit logs

We manage your server’s PHP-error, access and Nginx error logs on the WordPress hosting and store them for 28 days (in line with GDPR). Having these logs is only one part of the process; actually checking and auditing them is the second half. You might also want to consider logging within the application (i.e WordPress) with tools like Stream Plugin.

Regularly review users

You should regularly review both your SFTP and WordPress users, making sure only trusted people have access to your site and SSH access. It’s amazing how often old SFTP/SSH accounts lie dormant on people’s servers that were given to a previous development or SEO company.

In addition, when SSH/SFTP is not in use you can turn off SFTP access via our SFTP lock, meaning that when in production sites do not have an open port 22. Many scans are now failing sites with open SFTP without mitigation reasons and turning our SFTP lock on helps the scan pass.

Enable Two Factor Authentication

Two factor authentication can be enabled for your 34SP.com Client Control Panel and on your WordPress site itself. Two factor, while not an explicit requirement, is an instant quick win for strengthening your access control measures.

Got a question? We’re here to help

PCI compliance is, on the whole, a simple process but one that is specific to your business. If you have questions about the process your first point of call is with your assessor (if you have one) or your payment provider. They will be able to assist and help with what you have to do.

We can help you understand and respond to automated scans and of course are happy to help with questions related to our infrastructure and technology stack as it relates to PCI compliance. We can offer advice on how to improve security and potentially how to reduce compliance demands.

If you have any questions, either on this article or your own site’s PCI compliance, email our support team: support@34SP.com.

Comments

    Sign up to our newsletter

    Get the latest tutorials, videos and special offers from 34SP.com.

    Thanks for signing up!