  1. #1
    Join Date
    Mar 2008
    Posts
    52

    * PCI Compliance and the Hosting minefield - Simple question for a genius

    Been reading your genius skills and I was so impressed I figured you might be able to help me with a rather terrible quandary.

    I am undergoing the search for a new dedicated hosting provider and at the same time undertaking PCI compliance.

    Some of the hosting providers are suggesting that ALL PCI compliant merchants must have a separate and stand-alone firewall in order to reach PCI standards.

    Other hosting providers seem jaded by the question and seem to think that the standard software type firewall will suffice.

    Now, are the sales people I am speaking to inept, or am I being "upsold" unnecessarily?

    My transaction numbers are relatively low but the retention or certainly the passing of credit cards needs to be slick and happen on my site rather than another.

    So could you tell me

    1/ Does a PCI compliant merchant need to have a separate $500 a month hardware firewall?

    Oddly enough Control Scan, who are very good at selling me their SSL and PCI compliance in one service, are unable to advise me on those mandatory hardware requirements for PCI compliance, even though they are supposed to be experts in the arena. So I thought I would ask someone who actually knows what they are doing!

    Hope you can help. You'll feel all warm and everything

  2. #2
    Join Date
    Mar 2007
    Location
    UK
    Posts
    852
    I'm not sure myself what exactly is needed, and I'm sure there are probably many people on this forum that know.

    However a google search should be able to find you some trusted information.

    One link I found was: http://www.pcicomplianceguide.org/
    ZXPlay

  3. #3
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,889
    From the best of my understanding you simply need to be able to pass the network scans, etc. and fill out the questionnaire, at least for levels 2-4, which covers most people. To pass the network scans some places recommend hardware firewalls, but we have passed them ourselves with standard software firewalls on systems.
    Karl Zimmerman - Steadfast: Managed Dedicated Servers and Premium Colocation
    karl @ steadfast.net - Sales/Support: 312-602-2689

  4. #4
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    I am unsure why ControlScan were unable to answer your question; I am sure they have a few QSAs working there.

    The software firewall should be sufficient providing it's configured correctly, but it all ultimately depends on the level of compliance you are aiming for.

    Given what you stated about the low volume, I would suggest that you can use a software firewall without any issues in the slightest. Ultimately PCI DSS compliance is there to ensure you are proactive about security, and how you go about this, providing it works, doesn't really matter (that is not strictly true, but in this case let's just assume that for talking's sake).

    -Scott
    Server Management - AdminGeekZ.com

  5. #5
    Join Date
    Mar 2008
    Posts
    52
    Yes, looking at the kind link that ZX sent, it seems that (4) is the level for the moment.

    It does state that level 4 compliancy is more vulnerable to hackers, as they think that you are an easy target, not being able to have a big juicy firewall. However the data, even if partially retained on the site, is still encrypted via the SSL, right? So I won't be rolling around at night with anxiety concerned about 5,000 clients having their credit card information stolen. Am I correct?

    It's amazing how you guys calmly know the answers to this; getting this type of knowledge from someone who actually works for a company is rather more difficult. I am waiting for an email back from Control Scan.

    The idea was to pass parameters slickly to the bank and customise the pages; this is the only reason why I am doing this. However, if being handled by Verisign and Control Scan and whichever small software option isn't enough, then it looks to be rather a headache!

    I am glad you have added doubt, however, as this does rather suggest that my intuition about someone trying to upsell me was potentially correct.

    Anyone here who is a level 4 merchant or who has set one up then please do tell me where I am going wrong.

  6. #6
    Join Date
    Oct 2005
    Location
    Atlanta
    Posts
    29

  7. #7
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,889
    Quote Originally Posted by abiddar:
    You are required to have a standalone Firewall.
    Could you please show where in the PCI Guidelines that is stated?

  8. #8
    Join Date
    Oct 2005
    Location
    Atlanta
    Posts
    29

    PCI DSS

    It is the first requirement under the PCI Data Security Standard. Here is a link: https://www.pcisecuritystandards.org/tech/index.htm

    I have also copied the overview below. I hope this is helpful.

    Aaron Biddar/ ControlScan

    The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

    Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security

  9. #9
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,889
    Quote Originally Posted by abiddar:
    It is the first requirement under the PCI Data Security Standard. Here is a link: https://www.pcisecuritystandards.org/tech/index.htm
    Where in there does it say anything about a stand-alone firewall? It doesn't... It says to "Install and maintain a firewall configuration." From what I can tell, that firewall can be a shared firewall, or a software firewall, as long as it accomplishes its task to "protect cardholder data."

  10. #10
    Join Date
    Oct 2005
    Location
    Atlanta
    Posts
    29

  11. #11
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,955
    Quote Originally Posted by abiddar:
    You are absolutely correct, Karl. I should not have identified the firewall as standalone. You can have a software firewall and it can be shared. Sorry for any confusion and I hope this is helpful.
    And to think, we were thinking of purchasing your service for compliance assessments....

  12. #12
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    The reality is that you should not be taking any of our advice about this. I have taken 2 companies to PCI compliance (large enterprise companies), and you need an accredited PCI compliance company to certify you. They will tell you any deficiencies and what you need to do to close them.

    I can tell you that in our case we had a separate firewall, but I don't BELIEVE that this is a requirement. Don't listen to me though; I am not an expert and you need one.

  13. #13
    Join Date
    Mar 2008
    Posts
    52
    Oddly enough, as much as I am amazingly impressed with your kind notes and advice, it is in fact Control Scan who are supposed to be helping me with the necessary hardware requirements or setup config prior to beginning their service. And it was abiddar who seems to be from Control Scan, the very company who are unable to help me at this level of questioning.

    As for your remarks CoolRaul, I do think you are an expert if you have done this twice. And to an extent I should listen more to people who kindly advise without profit or gain than I should from those who are selling a product or service.

    Control Scan seem an outstanding company so far and extremely diligent. I am sure they will be able to answer my questions, but there is nothing wrong with asking those with passionate knowledge of the subject, and experience as well, to be sure.

    The whole hardware/software issue came from a hosting provider who insisted that I need to buy a server and then a $500 firewall service on top, which rather shocked me. I was confused because at the point of sale Control Scan, or whichever sales person from a PCI reputed company, should make me aware of these requirements before I begin the buying process of their service. Moreover the person (hosting CEO) was absolutely certain that PCI on a shared or software firewall was a complete impossibility, both from a compliance recognition point of view and an operations one.

    I stand by the view that these forums do have experts, because they are not selling anything, and hence I am hopeful.

    Naturally I respect and I am thankful for your comments though and agree with you that forums are not the be all and end all.

    How very frustrating

  14. #14
    Join Date
    Apr 2002
    Location
    North Kansas City, MO
    Posts
    2,565
    This seems fairly simple to me. Contact the company doing your PCI compliance testing and ask them what you need. You need to pass their tests, not ours.
    Aaron Wendel
    Wholesale Internet, Inc. - http://www.wholesaleinternet.net
    Kansas City Internet eXchange - http://www.kcix.net

  15. #15
    Join Date
    Mar 2008
    Posts
    52
    For sure, if only the company were able to provide this information in the first place.

  16. #16
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    PCI compliance scans won't know (or care) if you're using a hardware or software firewall. Secondly, depending on what your server is running and how it's configured, they probably won't know or care if you have a firewall (software or hardware) running at all, simply because they won't see those ports as open and listening for connections anyway. Of course, you should still have a firewall to control what ports which IPs (or the world) can connect into or out to, just in case you or a client are running a vulnerable script that can be exploited to listen on a port or connect out to a site and act as the source of an attack, and so on.

    In all honesty, most PCI compliance scans do effectively the same thing, and most of them are just a joke. They are good for people that don't know and ensure some type of general compliance so not just anyone can accept credit cards through a valid merchant service or whatever, but they are not as complex and involved as some people might think. Also, consider that most people won't actually be storing the CC data, at least to any point where it's useful and usable if someone did access it (not that you don't want to use SSL and encrypt that fairly non-useful data anyway). Just do everything you normally would to ensure a secure environment and transaction, then have the scan performed. Fix the few small (and usually trivial) things they report as a problem (or big ones, if that's the case) and you'll be good.
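A small self-check in the spirit of the post above, added here as an example and not taken from the thread: before paying for a scan, list what is actually listening on all interfaces and compare it with the ports a cardholder-facing web host is expected to expose. It assumes the `ss -ltn` output format (the sample below is constructed) and that 80 and 443 are the only intended public ports; everything else flagged is what an external scan would see and probe, and should be firewalled or bound to localhost.

```python
"""Pre-scan listener check: what would an external PCI scan see?"""
import re

# Constructed sample of `ss -ltn` output for a typical web + database host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Ports this host is meant to expose to the whole internet (assumption).
PUBLIC_ALLOWLIST = {80, 443}

# Bind addresses that mean "every interface", i.e. reachable from outside
# unless a host or network firewall blocks the port.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

# LISTEN <recv-q> <send-q> <addr>:<port> ...  (addr may be bracketed IPv6)
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (bind_address, port) tuples for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN socket
        addr, port = m.group(1), int(m.group(2))
        addr = addr.strip("[]")  # "[::]" -> "::"
        listeners.append((addr, port))
    return listeners


def exposed_ports(ss_output, allowlist=PUBLIC_ALLOWLIST):
    """Ports bound to all interfaces that are not on the public allowlist."""
    flagged = {port for addr, port in parse_listeners(ss_output)
               if addr in WILDCARD_BINDS and port not in allowlist}
    return sorted(flagged)


if __name__ == "__main__":
    for port in exposed_ports(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on all interfaces: firewall it or bind it locally")
```

On a real host, replace the constructed sample with the captured output of `ss -ltn`; the Redis-style service on 127.0.0.1 is deliberately not flagged because the scanner cannot reach it.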

  17. #17
    Join Date
    Mar 2008
    Posts
    52
    Brilliant, what an amazing bunch of genius... ( what is the plural for genius ) HOWA

    This is very interesting and makes a lot of sense. I am really pleased... The port thing makes sense,RD and I will expect the PCI people to tell me which ports to close. I recall having to close some ports previously on one of my sites, as a hacker got in and was using our server for sending out viagra tablet emails. ( no problem if they sent me some, but they didn't )

    You are right about the storing.RI I was planning on storing a few and doing the whole Amazon subsequent purchase "SSV code only" thing, but if that meant I would have to retain everyone's usable details I wouldn't bother.TCHIE I was under the impression that the SSL from Verisign would handle all this. I suspect however this only covers the encryption of the data while it is being passed to the bank.

    After your post I have emailed a "sh**&" load of hosters asking them about ports and firewall inclusions.

    I really hope you're right that it's not that tough or a headache... maybe you should Google me and, who knows, there might be some work down the line once I have checked you out.

    Left my name here in code so that Google doesn't pick this up and show all my clients I am asking for help from the gods, instead of knowing what I am doing!
