What is PCI-DSS Compliance?
PCI-DSS (Payment Card Industry Data Security Standard) is an information security standard governing how cardholder data is handled when payments are taken through credit card providers. The standard was created by the Payment Card Industry Standards Council and is a requirement for sites that process card data from brands such as Visa, Mastercard and American Express.
While PCI-DSS is not a legal standard enshrined in law, it is almost certainly written into the contract of any credit card processing service you use. Failing to meet compliance can result in your ability to process card data being withdrawn, along with potential punitive fines and other measures.
At its heart, PCI-DSS is based around 6 broad concepts:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Each of these broad concepts has specific things that should be done and tested to reach a level of compliance.
These concepts and the specification are not based around a single piece of hardware, application or service, but around business processes. So while we can offer help and advice, and can provide guidance on our platform, moving to our platform (or anyone else's) will not in itself make you compliant.
How do we help?
We have designed our technology stack on the Universal and WordPress Hosting platforms to meet the requirements of the PCI-DSS specification. We work with you to help make sure things that are out of your control (the version or configuration of system packages for example) not only meet the specification but also will pass automated scans, or we can provide “mitigation” as to why the scan may be a false positive and work with the
Obviously, code you put on the server is your responsibility, but even there we can help: on our WordPress Platform, for example, we provide automated updates for WordPress plugins.
How do you become compliant?
This depends on your turnover and transaction volume, but for the vast majority of users PCI-DSS compliance is a matter of completing the Self Assessment Questionnaire. Companies with larger turnovers may need to be assessed by an external audit partner rather than going through self-assessment.
If you are unsure whether you need to undergo a PCI-DSS compliance assessment, the merchant gateway you use will be able to tell you. This may be one of the popular providers such as Stripe or WorldPay. In the case of companies like
If you are required to do an assessment, your payment provider is likely to ask for a copy of your self-assessment questionnaire along with an independent vendor scan. These scans are an automated way of checking whether your website is in compliance. This is normally the point at which we get involved, because from time to time the scan will come back with problems such as the version of OpenSSL in use being reported as out of date and insecure.
This isn’t something you can fix and is part of the system. In such
We normally find it is the latter, for
In such cases, we normally provide you with some standard copy along the lines of, “This software is based on
If the issue is not solved by backported security patches we will make appropriate changes, for
So what can you do to help compliance on your sites?
Make sure you have an SSL certificate in place, as the lack of one will give an instant fail. Thankfully, setting up SSL with us is a single-click process on both our WordPress and Universal Platforms. We also automatically configure the SSL connection to meet and exceed the PCI-DSS specification.
Don’t process the card data directly
Most payment companies provide ways to take payments via their own site, which significantly reduces the scope of your PCI-DSS compliance. Simply using a third-party provider might not remove all compliance requirements, but it should drastically simplify matters.
Maintain and regularly audit logs
We manage your server's PHP error, access and Nginx error logs on the WordPress hosting and store them for 28 days (in line with GDPR). Having these logs is only one part of the process; actually checking and auditing them is the other half. You might also want to consider logging within the application itself (i.e. WordPress) with tools like the Stream plugin.
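The auditing half of the process is easier to show than to describe, so here is an added example (not code from the original article or from 34SP) that parses Nginx access-log lines in the default "combined" format and flags two patterns a PCI-DSS reviewer would want to see in an audit: bursts of POSTs to the WordPress login page from one address, and addresses generating many 404s (requests for files that do not exist). The log lines are constructed for the example; the thresholds and the `/wp-login.php` path are assumptions you would tune for your own site.

```python
import re
from collections import Counter
from datetime import datetime

# Nginx "combined" log format (the default access_log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log: one address hammering the login form, one probing
# for files that do not exist, and ordinary traffic in between.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2024:09:12:33 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2024:09:12:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2024:09:12:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2024:09:12:42 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2024:09:13:01 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "curl/8.0"
192.0.2.44 - - [04/Mar/2024:09:13:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.5 - - [04/Mar/2024:09:13:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2024:09:13:06 +0000] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.5 - - [04/Mar/2024:09:13:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2024:09:13:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2024:09:13:11 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.5 - - [04/Mar/2024:09:13:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not access entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def login_bursts(entries, threshold=5, login_path="/wp-login.php"):
    """Addresses that POSTed to the login page at least `threshold` times."""
    counts = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].split("?")[0] == login_path
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def probe_sources(entries, threshold=3):
    """Addresses that triggered at least `threshold` 404s (scanning for files)."""
    counts = Counter(e["ip"] for e in entries if e["status"] == 404)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    print("login bursts:", login_bursts(entries))
    print("404 probes:", probe_sources(entries))
```

To run it against a real file, replace `SAMPLE_LOG` with the contents of your access log; the two reporting functions return plain dicts, so they can feed a daily report or a ticket rather than only being printed.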
Regularly review users
You should regularly review both your SFTP and WordPress users, making sure only trusted people have access to your site and to SSH. It's amazing how often old SFTP/SSH accounts that were given to a previous development or SEO company lie dormant on people's servers.
In addition, when SSH/SFTP is not in use you can turn off SFTP access via our SFTP lock, meaning that production sites do not have an open port 22. Many scans are now failing sites with open SFTP without mitigation reasons, and turning our SFTP
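Finding the dormant accounts mentioned above can be scripted. The following is an added example (not code from the original article or from 34SP) that reads the output of the standard `lastlog` command, which lists every server account with the time it last logged in, and reports accounts that have never logged in or have been idle longer than a chosen number of days. The `lastlog` snapshot below is constructed for the example, and the 90-day cut-off and the list of system accounts to ignore are assumptions to adjust for your own server.

```python
from datetime import datetime, timedelta, timezone

NEVER = "**Never logged in**"

# Constructed `lastlog` snapshot (not from a real server): a live deploy
# account, two accounts left over from former contractors, and a system user.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
deploy           pts/0    192.0.2.10       Mon Mar  4 09:12:33 +0000 2024
devagency                                  **Never logged in**
seocompany       pts/1    198.51.100.7     Tue Jan  3 14:05:01 +0000 2023
www-data                                   **Never logged in**
"""

# Review date used by the example so its result is reproducible (assumption).
REFERENCE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)


def parse_lastlog(text):
    """Return {username: last_login datetime or None} from `lastlog` output."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Username":
            continue  # blank line or header row
        user = fields[0]
        if NEVER in line:
            result[user] = None
            continue
        # The timestamp is the last six whitespace-separated tokens,
        # e.g. "Mon Mar 4 09:12:33 +0000 2024".
        stamp = " ".join(fields[-6:])
        result[user] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %z %Y")
    return result


def dormant_accounts(last_logins, now, max_idle_days=90, ignore=("www-data",)):
    """Accounts that never logged in or have been idle for more than `max_idle_days`."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        user for user, last in last_logins.items()
        if user not in ignore and (last is None or last < cutoff)
    )


if __name__ == "__main__":
    logins = parse_lastlog(SAMPLE_LASTLOG)
    for user in dormant_accounts(logins, REFERENCE_NOW):
        print(f"review or remove: {user} (last login: {logins[user]})")
```

On a live server you would feed it the real output (`lastlog` with no arguments) and use `datetime.now(timezone.utc)` as the review date; a "never logged in" account that is not a system user is exactly the leftover contractor access the article warns about.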
Enable Two Factor Authentication
Got a question? We’re here to help
PCI compliance is, on the whole, a simple process, but one that is specific to your business. If you have questions about the process, your first port of call is your assessor (if you have one) or your payment provider. They will be able to assist with what you have to do.
We can help you understand and respond to automated scans and of
If you have any questions, either on this article or your own site’s PCI compliance, email our support team: support@34SP.com.