Created: June 19, 2018
Last Updated: September 6, 2019
The Payment Card Industry Security Standards Council develops standards that outline the proper protection of data in today’s security climate. These specifications form the basis of PCI compliant hosting requirements. Compliance with the PCI Data Security Standard (PCI DSS) is necessary for merchants and other entities that process payment cards, transmit that data, or store it.
Since PCI compliance is critical for so many parties, below is a list of our PCI compliant server details. The PCI Council's recommendations form the basis of this 12-point checklist, which should be read as highlights rather than as a comprehensive description of our controls.
PCI Compliant Hosting Requirements:
Our 12-Point Checklist
1 - We have properly configured routers and firewalls where used
When multiple networks are joined together, we use a router. When we want to control the traffic entering and leaving a network, or to keep people out of certain critical areas, we integrate a firewall. With firewalls in place and a systematic configuration of both routers and firewalls, we can better control traffic flow, which is one of the most fundamental PCI compliant hosting requirements.
2 - We require the replacement of all default passwords
If a hacker can simply work from a list of default passwords, or use exploits that prey on systems left with out-of-the-box settings, your system is vulnerable. When an individual or organization wants to get into your infrastructure, they combine those easily obtainable default details with software that enumerates every device connected to your network. When we deploy a new system, we change those default settings and passwords right away.
3 - We use proper defenses on any PCI information in storage
Storage of cardholder data is generally not recommended by the PCI standards. The data that is on the chip or magnetic stripe should never be put into storage. If your organization does store permanent account numbers, or PANs (in this case payment card numbers), they should be encrypted. When displayed, the PAN should be masked: users should be able to see at most the first 6 digits and the last 4 digits.
We do not store any cardholder data on our servers. We use PCI compliant card processing servers and billing software via Authorize.net, PayPal, Stripe, or Bitcoin, so no account holder's data can ever be saved on or accessed from our servers.
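The masking rule above (show at most the first 6 and last 4 digits) is easy to state and easy to get wrong in practice, because a full PAN usually leaks through application logs rather than the database. The following added example, written for this page and not code from 452Hosting or the PCI Council, implements the masking rule, a detection check that finds full PANs still sitting in a log line, and a scrubbing filter to apply before a line is written to storage. It goes one step beyond the page by using a Luhn check (standard for card numbers, not mentioned on the page) so that timestamps and order ids of similar length are not mistaken for PANs; the PAN length range and the sample log line are assumptions, not values from the page.

```python
import re

# Constructed sample log line (not from the page); the card numbers are well-known test values.
SAMPLE_LOG = "ts=1560000000000 order=1182 pan=4111111111111111 ref=378282246310005 ok"

PAN_LEN_MIN, PAN_LEN_MAX = 13, 19            # plausible PAN lengths (assumed, not stated on the page)
_PAN_RUN = re.compile(r"\b\d{13,19}\b")     # digit runs long enough to be a PAN


def luhn_ok(digits: str) -> bool:
    """Luhn check: card numbers pass it, timestamps and order ids usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to at most the first 6 and last 4 digits (the page's display rule).

    Spaces and dashes are stripped first; anything that is not a plausible PAN is rejected
    rather than partially masked."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not PAN_LEN_MIN <= len(digits) <= PAN_LEN_MAX:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Detection: return the Luhn-valid, PAN-sized numbers still present in a log line."""
    return [m.group(0) for m in _PAN_RUN.finditer(text) if luhn_ok(m.group(0))]


def scrub_pans(text: str) -> str:
    """Prevention: mask every Luhn-valid, PAN-sized number before the line is stored."""
    return _PAN_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text)


if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_LOG))   # the two card numbers, the timestamp is ignored
    print(scrub_pans(SAMPLE_LOG))
```

Run the scrubber on the log pipeline and the detection check on existing archives; a non-empty result from the latter is a finding to raise, not something to store further.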
4 - We always use encryption of data transmission on all networks private or public
Whenever cardholder data is sent over any public network (including the Internet, WiFi, general packet radio systems, global systems for mobile communications, etc.), it must be encrypted with IPsec or SSL/TLS. Strong encryption should be implemented both for authentication and for data transmission. If you want a sense of best practices for these PCI compliant server requirements, the PCI Council points to IEEE 802.11, the set of standards for wireless local area networks (WLAN). For our customers' security, we always encrypt data in transit on all networks, private or public.
5 - We regularly update our servers' antivirus software
There are plenty of opportunities during the course of business for malicious applications to be downloaded, through email or web browsing. Antivirus and anti-malware programs detect the activities of known malicious software. We now also work with predictive analytics and artificial intelligence to detect malware before it spreads. We deploy these tools on all systems, select a solution that creates audit logs, and regularly update our servers' antivirus software.
6 - We run continued maintenance of secure software and systems
A hacker could get into a system or program through a security weakness, potentially allowing them to steal or view PANs. We run continued maintenance of secure software and systems. When the developer of a product or platform releases a patch, we install it immediately, since it solves a known problem. Patches are always applied to critical systems first, followed by less critical systems, in line with our vulnerability management program.
7 - We operate on a business need-to-know access control basis
Employee roles and business need-to-know should guide the design of access controls so that unauthorized use does not occur. The basic idea of need-to-know is that a user is given only the privileges and the data necessary to carry out their tasks. We operate on a business need-to-know access control basis. This means we have a Zero Trust policy integrated into our access control system, following the PCI Council's instruction to "'deny all' unless specifically allowed."
8 - We require Unique IDs for everyone with access
You want to know who is doing what within the system, and you want all activities to be easily traceable so that you can monitor and verify them. We require unique IDs for everyone with access. We do not give anyone access to critical systems or data until they have passed a background security check and been issued a unique user ID. A password, passphrase, or multi-factor authentication (MFA) is used as standard, and MFA is required for remote access. Virtual private networks, tokenization, or authenticated dial-in are implemented for remote use.
9 - We have stringent physical access controls
Data is of course stored on real systems, and access to those physical systems presents an opportunity for theft. We have stringent physical access controls. To meet PCI compliant hosting requirements, we restrict physical access to the data center. We have facility entry controls in place, and we never allow tours; this is not a theme park.
10 - We use extensive network and data access monitoring & tracking
Being able to track exactly what a given user is doing, by logging every step they take, allows you to perform vulnerability management and forensics in an organized fashion. Logs let you analyze an issue far more specifically and efficiently, and they allow us to understand how attempted hacking or other improper use occurred. We use extensive network and data access monitoring and tracking, with automated audit trails in place so that we can review any activity.
11 - Constant testing and retesting of all security mechanisms
Security gaps are often revealed through hacking. We constantly test and retest all security mechanisms, including security protocols, hardware, and software. We check which wireless devices are in use with a wireless analyzer at least quarterly; alternately, we use a wireless intrusion detection system (IDS). Network vulnerability scans are performed weekly and also following major changes within the network. We also perform penetration testing monthly.
12 - We have a personnel information security policy
Beyond the PCI compliant server requirements themselves, the personnel interacting with the systems also need to be well-equipped. We have a personnel information security policy in place, and everyone on staff knows their responsibilities for safeguarding sensitive data. This is why we created, and continually update, train on, test, and distribute, a personnel information security policy that keeps our employees up to date on all PCI DSS rules.
100% Uptime Guarantee
452Hosting.com’s architecture offers online retailers fast and secure transfer of data, while supporting multiple distribution formats. Our PCI compliant infrastructure is backed by our 100% Uptime SLA Guarantee, offering you the ultimate peace of mind. Better website performance means better end-user experience.
452Hosting's guarantee assures that all major routing devices within our network are reachable from the global internet 100% of the time. The 100% uptime guarantee applies to any 452Hosting web hosting services client in good financial standing with the Company at the time of a service outage.
By choosing to host your e-commerce app or website on 452Hosting.com, you are ensuring that it will remain reliable, secure, and robust, enabling a seamless user experience. Our flexible PCI compliant solution suite gives online merchants the power and freedom to choose the kind of top-notch hosting they need.