PCI Compliance

PCI DSS (Payment Card Industry Data Security Standard) is the set of security standards designed to ensure that any company that processes, stores, accepts, or transmits credit card information maintains a secure environment.

We recommend using a Qualified Security Assessor (QSA) if you are trying to achieve PCI compliance. SecurityMetrics and Trustwave are just a couple of the many vendors. They will help you determine the type of compliance required for your business and provide the services needed to achieve and maintain compliance.

How do I know what level/validation type?

The Qualified Security Assessor will help you determine the level and validation type based on the PCI DSS standards:

  • The level of “compliance” required (1-4) is based on transaction or monetary volume (see the table below).
  • The “validation type” determines the assessment requirements and is based on how much card data you store.

You can find a copy of the PCI DSS here.

Compliance Levels

Compliance Level | Description
Level 1 | Merchants processing over 6 million card transactions per year.
Level 2 | Merchants processing 1 to 6 million card transactions per year.
Level 3 | Merchants processing 20,000 to 1 million card transactions per year.
Level 4 | Merchants handling fewer than 20,000 card transactions per year.

How Hostek complements efforts to attain PCI Compliance

  1. Ensuring PCI Standards can be met and kept for our own systems.
  2. Providing firewall protection for all servers and the option for PCI Compliant firewall rules to be applied to a customer’s environment.
  3. Providing a VPN solution for customers to securely connect and manage environment remotely.
  4. Providing a VLAN (virtual LAN) for a customer’s environment with multiple servers, so that their database server is completely isolated from public access.
  5. Including anti-virus scanning on VPS and/or Shared Hosting servers (premium options are available).
  6. Protecting physical access to network and servers. Data centers are managed & monitored 24/7 by security cameras and on-site staff.

Hostek.com PCI Standings

PCI compliance requires quarterly scans from a PCI compliance vendor. Hostek.com goes above and beyond this requirement by having regular scans from two different PCI compliance vendors. One vendor’s scans are done quarterly. The other scans on a nightly schedule. This ensures that all potential PCI compliance issues are accurately identified and dealt with promptly.

Hostek.com PCI Compliance Report

You can view Hostek.com’s latest PCI DSS Compliance report: Pci-report-hostek.pdf (31.3 KB).

Hostek.com Datacenter

The St. Louis, MO datacenter where Hostek.com’s equipment is housed maintains SOC 2 certification.
The Ashburn, VA data center where Hostek.com’s equipment is housed maintains SOC 2 and SOC 3 certifications.

Previous Certification types
SOC 2 replaced the SSAE 16 certification.
SSAE 16 replaced the SAS 70 certification.

Hostek.com Shared Servers

We support PCI compliance on our shared hosting servers. If your PCI scan shows any issues that are not directly related to your web application, you can attach the report in a support ticket so that we may address any issues.

TLS 1.0

We are disabling support for TLS 1.0 on our Shared Windows Servers.

  • Disabling TLS 1.0 is now required to obtain PCI DSS compliance.
  • This change is to ensure that any connection over HTTPS is secured against eavesdropping from Man-In-The-Middle (MITM) attacks.
  • The majority of users will be unaffected by this change because it will only affect outdated browsers and old mobile devices that do not support TLS 1.1 & 1.2.

Internet Explorer

  • After disabling this protocol, Internet Explorer 11 (only supported on Windows 7 and up) will be the only version of Internet Explorer that can view HTTPS pages on the shared Windows servers.
  • Users with ‘Windows XP’ and ‘Windows Vista’ will have an unsupported version of Internet Explorer. In order to view HTTPS pages, these users will need to use an alternate browser (examples include Google Chrome, Mozilla Firefox, Safari, etc…).
  • The table below provides a general guide to which browsers will be supported or unsupported with TLS 1.0 disabled.
Browser/OS | Status
Android 2.3.7 | Unsupported
Android 4.0.4 | Unsupported
Android 4.1.1 | Unsupported
Android 4.2.2 | Unsupported
Android 4.3 | Unsupported
Android 4.4.2 | Supported
Android 5.0.0 | Supported
Baidu Jan 2015 | Unsupported
BingPreview Jan 2015 | Supported
Chrome 42 / OS X | Supported
Firefox 31.3.0 ESR / Win 7 | Supported
Firefox 37 / OS X | Supported
Googlebot Feb 2015 | Supported
IE 6 / XP No FS 1 | Unsupported
IE 7 / Vista | Unsupported
IE 8 / XP No FS 1 | Unsupported
IE 8-10 / Win 7 | Unsupported
IE 11 / Win 7 | Supported
IE 11 / Win 8.1 | Supported
IE Mobile 10 / Win Phone 8.0 | Unsupported
IE Mobile 11 / Win Phone 8.1 | Supported
Java 6u45 | Unsupported
Java 7u25 | Unsupported
Java 8u31 | Supported
OpenSSL 0.9.8y | Unsupported
OpenSSL 1.0.1l | Supported
OpenSSL 1.0.2 | Supported
Safari 5.1.9 / OS X 10.6.8 | Unsupported
Safari 6 / iOS 6.0.1 | Supported
Safari 6.0.4 / OS X 10.8.4 | Unsupported
Safari 7 / iOS 7.1 | Supported
Safari 7 / OS X 10.9 | Supported
Safari 8 / iOS 8.1.2 | Supported
Safari 8 / OS X 10.10 | Supported
Yahoo Slurp Jan 2015 | Supported
YandexBot Jan 2015 | Supported

Please Note: The table above is not meant to be an exhaustive list of all browsers. This is meant to be used as a reference for older browsers.

Common PCI Compliance Resolutions

In this section, we go over common issues experienced while configuring your site/application to be PCI compliant. You can also submit a support ticket so that our team may assist you.

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure

This is also known as BEAST (Browser Exploit Against SSL/TLS) Vulnerability.

Please Note: If you are on a ‘shared server’ or a ‘dedicated managed VPS’, please submit a support ticket and attach/include your PCI scan report. The information below is for non-managed VPS customers.

  • Place the following text in a file named TLS.reg and execute the file. It will add registry values to enable TLS 1.1 and TLS 1.2 support:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
  • After completing the above step, go to ‘Start’->‘Run’ -> (type gpedit.msc) -> (click ‘OK’)
  • Navigate to ‘Computer Configuration’ -> ‘Administrative Templates’ -> ‘Network’ -> ‘SSL Configuration Settings’
  • Right click on ‘SSL Cipher Suite Order’ and choose ‘Edit’ or ‘Properties’ (this will depend on the OS version).
  • Select ‘Enabled’ and replace the text in the textbox under ‘SSL Cipher Suites’ (not to be confused with the ‘Notes’ textbox) with the following line of text. This will be all on a single line - no line breaks or spaces.
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5
  • Click ‘OK’
  • Reboot Server
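Before rebooting, a non-managed VPS customer may want to confirm what the two steps above actually configured. The following Python script is an added example, not part of the Hostek article: it parses the Schannel protocol keys out of a .reg file and flags the NULL, RC4 and SSLv2-era entries in a cipher suite order string (the page's list contains several, which is what a ‘strong ciphers only’ scan finding refers to). The sample .reg text and the cipher excerpt are constructed from the values above; the SSL 2.0 key and the defaults assumed for absent registry values are assumptions, and the same parser covers the SSLv2 and strong-protocols findings in the next section.

```python
import re

# Constructed sample: the Server keys of the TLS.reg text above, plus an SSL 2.0 Server key
# disabled the way a "Disable SSLv2" .reg fix would (assumed values, not from the article).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"""

# Constructed excerpt of the SSL Cipher Suite Order line above: two strong entries plus
# every NULL-, RC4- and SSLv2-era entry the full list contains.
CIPHER_ORDER = ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,"
                "TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,"
                "SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5")

PROTO_KEY = re.compile(r"\\Schannel\\Protocols\\([^\\\]]+)\\(Client|Server)\]$")
DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
WEAK_MARKERS = ("_NULL_", "_RC4_", "_MD5", "SSL_CK_")  # no encryption, RC4, MD5 MAC, SSLv2 suite


def parse_schannel_reg(text):
    """Map (protocol, side) -> {value name: int} for each Schannel protocol key in .reg text."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):                       # a registry key header
            m = PROTO_KEY.search(line)
            current = (m.group(1), m.group(2)) if m else None  # ignore non-protocol keys
        elif current and (v := DWORD.match(line)):     # a dword value under the current key
            keys.setdefault(current, {})[v.group(1)] = int(v.group(2), 16)
    return keys


def protocol_enabled(values):
    """Schannel usability: Enabled nonzero (assumed 1 if absent) and DisabledByDefault zero."""
    return values.get("Enabled", 1) != 0 and values.get("DisabledByDefault", 0) == 0


def weak_suites(order):
    """Entries of a cipher suite order string that a 'strong ciphers only' scan check flags."""
    return [s for s in order.split(",") if any(mark in s for mark in WEAK_MARKERS)]


if __name__ == "__main__":
    for (proto, side), values in sorted(parse_schannel_reg(SAMPLE_REG).items()):
        print(f"{proto} ({side}): {'enabled' if protocol_enabled(values) else 'disabled'}")
    print("weak suites:", weak_suites(CIPHER_ORDER))
```

Point the script at an exported .reg of the Schannel\Protocols key and at the exact string pasted into ‘SSL Cipher Suites’ to audit a real VPS offline.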

Disable SSLv2 & Strong Ciphers Only & Strong Protocols Only

If you are on a shared server, please open a support ticket and attach the PCI Scan report.

For VPSs: This generally applies to Windows-based servers. If you see one of these items on your PCI scan report, download this [link to zip file here], extract the appropriate .reg file and copy it to your VPS. Once it is on your VPS, double-click the .reg file to make the registry change that fixes the issue. Generally, if one of these shows on your report, we suggest running all three .reg files to take care of the issue at one time.

Please Note: A server reboot will be required for these changes to take effect.

VPS-Windows 2008 server

This free tool can be used to determine whether vulnerable or weak protocols or ciphers are enabled, and it provides the option to disable them.
Changes made using this tool require a server reboot to complete.

Websites that allow testing for SSL protocols and ciphers:

SSLLabs
ServerSniff

Visa E-Commerce Security Checklist Questionnaire

Cloud Assessment Questions

Q: Is your organization insured by a 3rd party for losses?
A: Yes

Q: Do your organization’s service level agreements provide tenant remuneration for losses they may incur due to outages or losses experienced within your infrastructure?
A: The Hostek.com SLA provides for a refund or credit limited to the dollar amount paid for the service during that monthly period. The refund or credit amount is calculated as (amount paid for the monthly service / number of minutes in the month) × the number of down minutes.

Q: Do you collect capacity and utilization data for all relevant components of your cloud service offering?
A: Yes. Daily.

Q: Do you provide tenants with capacity planning and utilization reports?
A: No.

Q: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
A: Yes

Q: Do you process, transmit or store any credit card related information on behalf of Cisco?
A: No

Q: Please provide any documentation on policies and procedures for controls you have in place to protect tenant’s intellectual property and sensitive data from unauthorized access.
A: Utilization of IPS and IDS. The customer has the ability to lock down server access. Internal access information is stored encrypted and only available via internal access.

Q: Please specify any inspection technologies used for collecting or creating metadata about tenant data usage (search engines, etc.?).
A: We do not mine nor utilize tenant data. Access to tenant data would occur if tenant asked for help in resolving a situation which may require such access.

Q: What is the process for tenants to opt-out of having their data/metadata accessed/mined via inspection technologies?
A: N/A as we do not inspect tenant data.

Q: Can you provide the physical location/geography of storage of a tenant’s data upon request?
A: Yes

Q: Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
A: No

Q: Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
A: No

Q: What capability do you have to use system geographic location as an authentication factor?
A: N/A

Q: Does legal counsel review all third party agreements?
A: Yes

Q: Do you select and monitor outsourced providers in compliance with laws in the country where the data originates, processed, stored, and transmitted?
A: N/A

Q: Have you established an Information Security Management Program (ISMP)?
A: Our ISMP is being developed.

Q: Do you provide tenants with a right to audit (tenant audit)?
A: No, for security/confidential purposes.

Q: What is the process for tenants to request deletion/removal of data as needed?
Q: Provide the standards used for secure deletion of archived data upon requests by tenants.
Q: What is the process to sanitize all computing resources of tenant data once a customer has exited your environment?
Q: What is the time period that you retain customer data after explicit user deletion/removal?
A: When a cloud tenant cancels, their virtual machine and backup data are deleted. Data blocks are reused for new customers, which replace the old blocks.

Q: Do you manage separate production and non-production environments, and what controls do you have in place to ensure that production data is not copied to non-production environments?
A: No. We have a redundant production environment, which is replicated nightly from the primary environment.

Q: Are backups and archives of data using unique encryption keys for each tenant?
A: Each tenant with a nightly backup has their own uniquely retained archive.

Q: What is the duration for keeping backed up data? And can you provide information about your backup rotations and rotation of your backup media?
A: The backup duration depends on the plan selected and the nightly backup option chosen. For Shared customers, backups range from 7-14 days. For VPS customers choosing our Nightly Backup option, 5-30 days depending on the option selected. The backups are full backups with a nightly differential, providing for a full 5-10 restoration period.

Physical Security and Disaster Recovery

Q: Do you require strong (multifactor) authentication options (card keys+pin, biometric readers, etc…) for access to your physical facilities?
A: Yes

Q: Are any of your datacenters located in places which have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc…)?
A: No.

Q: Do you use 24x7 camera monitoring in all the access points of your datacenter and key locations within the datacenters?
A: Yes.

Q: Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
A: N/A