What is PCI compliance? You have surely heard about it if you have a history of web hosting. You know it is a good thing to have, however, do you really need it? Should you strive towards it? All of these questions and more will be discussed in the following paragraphs.
PCI (Payment Card Industry) compliance is a regulation that was born back in 2006, when online payments were becoming popular. Online payment processing had been around for more than a decade by then, and it had drawn the attention of hackers, who took advantage of the poorly secured servers of the time for personal gain.
PCI compliance consists of the so-called PCI DSS (Payment Card Industry Data Security Standard) regulations, which include a dozen general requirements for environments (web hosting servers) that store, process, accept, or transmit credit card information. These standards obligate the owners of such servers to maintain robust security controls that prevent credit card data theft and protect the users who submit their sensitive information to the environment.
What are the requirements for the Web Hosting Server to be considered PCI compliant?
Let's go over these general requirements and shed some light on what we mean:
- The server needs to have a firewall installed. It filters incoming and outgoing traffic and is typically configured with a set of rules tailored to the user's needs.
- You need to enforce strong, non-generic usernames and passwords for the various services running on the server. On a cPanel-based server, this includes cPanel itself, WHM, and Webmail.
- All data on the server has to be encrypted, especially sensitive information such as credit card data. This data is usually transmitted over protocols such as HTTP, IMAP, and SMTP, so installing an SSL/TLS certificate for these services will do the job.
- Use software that detects, prevents, and scans for malware. This software should also be updated regularly and configured to meet the PCI DSS standards.
- Make sure that the server is always running the latest security patches for all installed and configured applications and services.
- Assign specific access rights and user roles for the different types of data, based on what each person actually needs. Generally speaking, data on the server should be restricted so that users who do not need it cannot freely view or reach it.
- Each person using the server should have a unique ID, so that administrators can track that person's activity whenever this is required.
- Make sure that physical access to the server holding the credit card information is restricted.
- Implement logging for all services involved in processing sensitive information.
- Perform vulnerability and penetration scans regularly, to make sure that the server meets the security standards it claims to have. If a security hole is discovered, it needs to be patched immediately.
- The last thing you need to do is write all of the above down in a clear, well-structured document. This record can be used as a reference whenever a PCI assessor needs to check whether your server follows the rules.
Do I need PCI compliance for my web hosting plan in HostArmada?
This process involves a lot of work and time. Luckily for you, there is no need to have PCI compliance on the server that is hosting your website. There are companies known as "payment gateways" that cover all of the above requirements. They allow you to use their services without going through the hassle of configuring PCI compliance and meeting the PCI DSS regulations on the server hosting your business.
Can HostArmada configure PCI compliance for me?
None of the hosting plans we offer are PCI compliant. Please note that this does not mean that we do not enforce prudent security practices. Security is perhaps the most important aspect we stand for, and we have explained this within our What are the security benefits with HostArmada article.
There might be times when you are working with a specific vendor that requires you to use a self-hosted payment gateway service, in which case the server hosting it must comply with the PCI DSS.
As we believe our clients deserve the best available service, we have trained our support members and implemented a procedure to perform the PCI compliance configuration for our VPS and Dedicated Server plans. This setup includes meeting all of the requirements listed above and ultimately allows your server to process online payments. The cost of this service is $100. It also includes continual support should a PCI scan reveal additional vulnerabilities in the future.
Please purchase the addon from your Client Area. Note that the PCI Compliance Addon is shown ONLY to clients who have purchased one of our VPS or Dedicated Server hosting plans. Once you do, you will receive a ticket requesting the login information and credentials for your PCI vendor, so that we can begin the setup and initiate a scan once it is complete. Note that this procedure takes considerable technical time to finish. There are A LOT of requirements that need to be met, so we ask that you remain patient while we work on your server.