PCI Compliance and the Hosting minefield - Simple question for a genius
Been reading about your genius skills and I was so impressed I figured you might be able to help me with a rather terrible quandary.
I am undergoing the search for a new dedicated hosting provider and at the same time undertaking PCI compliance.
Some of the hosting providers are suggesting that ALL PCI compliant merchants must have a separate, stand-alone firewall in order to reach PCI standards.
Other hosting providers seem jaded by the question and seem to think that the standard software-type firewall will suffice.
Now, are the sales people I am speaking to inept, or am I being "upsold" unnecessarily?
My transaction numbers are relatively low, but the retention, or certainly the passing, of credit cards needs to be slick and happen on my site rather than another.
So could you tell me
1/ Does a PCI compliant merchant need to have a separate $500 a month hardware firewall?
Oddly enough, Control Scan, who are very good at selling me their SSL and PCI compliance in one service, are unable to advise me on those mandatory hardware requirements for PCI compliance, even though they are supposed to be experts in the arena. So I thought I would ask someone who actually knows what they are doing!
Hope you can help. You'll feel all warm and everything
From the best of my understanding you simply need to be able to pass the network scans, etc. and fill out the questionnaire, at least for levels 2-4, which covers most people. To pass the network scans some places recommend hardware firewalls, but we have passed them ourselves with standard software firewalls on systems.
I am unsure why ControlScan were unable to answer your question; I am sure they have a few QSAs working there.
The software firewall should be sufficient providing it's configured correctly, but it all ultimately depends on the level of compliance you are aiming for.
Given what you stated about the low volume, I would suggest that you can use a software firewall without any issues in the slightest. Ultimately PCI DSS compliance is there to ensure you are proactive about security, and how you go about this, providing it works, doesn't really matter (that is not strictly true, but in this case let's just assume that for talking's sake).
Server Management - AdminGeekZ.com Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
Yes, looking at the kind link that ZX sent, it seems that (4) is the level for the moment.
It does state that level 4 compliance is more vulnerable to hackers, as they think that you are an easy target not being able to have a big juicy firewall. However, the data, even if partially retained on the site, is still encrypted, right, via the SSL? So I won't be rolling around at night with anxiety concerned about 5,000 clients having their credit card information stolen. Am I correct?
It's amazing how you guys calmly know the answers to this; getting this type of knowledge from someone who actually works for a company is rather more difficult. I am waiting for an email back from Control Scan.
The idea was to pass parameters slickly to the bank and customise the pages; this is the only reason why I am doing this. However, if being handled by Verisign and Control Scan and whichever small software option isn't enough, then it looks to be rather a headache!
I am glad you have added doubt, however, as this does rather suggest that my intuition about someone trying to upsell me was potentially correct.
Anyone here who is a level 4 merchant or who has set one up then please do tell me where I am going wrong.
I have also copied the overview below. I hope this is helpful.
Aaron Biddar/ ControlScan
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Where in there does it say anything about a stand-alone firewall? It doesn't... It says to "Install and maintain a firewall configuration." From what I can tell, that firewall can be a shared firewall or a software firewall, as long as it accomplishes its task to "protect cardholder data."
The reality is that you should not be taking any of our advice about this. I have taken 2 companies to PCI compliance (large enterprise companies) and you need an accredited PCI compliance company to certify you. They will tell you any deficiencies and what you need to do to close them.
I can tell you that in our case we had a separate firewall but I don't BELIEVE that this is a requirement. Don't listen to me though I am not an expert and you need one.
Oddly enough, as much as I am amazingly impressed with your kind notes and advice, it is in fact Control Scan who are supposed to be helping me with the necessary hardware requirements or setup config prior to beginning their service. And it was abiddar who seems to be from Control Scan, the very company who are unable to help me at this level of questioning.
As for your remarks, CoolRaul, I do think you are an expert if you have done this twice. And to an extent I should listen more to people who kindly advise without profit or gain than I should to those who are selling a product or service.
Control Scan seem an outstanding company so far and extremely diligent. I am sure they will be able to answer my questions, but there is nothing wrong with asking those with passionate knowledge of the subject, and experience as well, to be sure.
The whole hardware/software issue came from a hosting provider who insisted that I need to buy a server and then a $500 firewall service on top, which rather shocked me. I was confused because at the point of sale Control Scan, or whichever sales person from a PCI reputed company, should make me aware of these requirements before I begin the buying process of their service. Moreover, the person (hosting CEO) was absolutely certain that PCI on a shared or software firewall was a complete impossibility, both from a compliance recognition point of view and an operations one.
I stand by that these forums do have experts, because they are not selling anything and hence I am hopeful.
Naturally I respect and I am thankful for your comments though and agree with you that forums are not the be all and end all.
PCI compliance scans won't know (or care) if you're using a hardware or software firewall. Secondly, depending on what your server is running and how it's configured, they probably won't know or care if you have a firewall (software or hardware) running at all, simply because they won't see those ports as open and listening for connections anyway. Of course, you should still have a firewall to control which ports which IPs (or the world) can connect in to or out to, just in case you or a client are running a vulnerable script that can be exploited to listen on a port or connect out to a site and act as the source of an attack, and so on.
In all honesty, most PCI compliance scans do effectively the same thing, and most of them are just a joke. They are good for people that don't know and ensure some type of general compliance so not just anyone can accept credit cards through a valid merchant service or whatever, but they are not as complex and involved as some people might think. Also, consider that most people won't actually be storing the CC data, at least to any point where it's useful and usable if someone did access it (not that you don't want to use SSL and encrypt that fairly non-useful data anyway). Just do everything you normally would to ensure a secure environment and transaction, then have the scan performed. Fix the few small (and usually trivial) things they report as a problem (or big ones, if that's the case) and you'll be good.
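Added illustration, not part of the thread or any poster's code: the two practical points above (an ASV scan only sees ports that are actually reachable, and a host firewall, software or hardware, should still limit what can connect in and out) in a self-check you can run before the scan, plus the kind of host-level ruleset that satisfies "install and maintain a firewall configuration" from the ControlScan overview. The `ss -ltn` output, the admin network (203.0.113.0/24), the gateway address (198.51.100.10) and the allowed-port policy are constructed assumptions for the example.

```python
"""Pre-scan exposure check plus a generated nftables ruleset for a single
dedicated server in a cardholder data environment. All sample data and
addresses below are constructed for illustration."""
import ipaddress
import re

# Constructed sample of `ss -H -ltn` output on the web server.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Assumed policy: what the public may reach, what only the admin network
# may reach, and the only outbound TCP destination (the payment gateway).
PUBLIC_PORTS = {80, 443}
ADMIN_PORTS = {22}
ADMIN_NET = "203.0.113.0/24"        # constructed documentation range
GATEWAY_HOSTS = ["198.51.100.10"]   # constructed gateway address

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+$")


def parse_listeners(ss_output):
    """Return (address, port) pairs from `ss -H -ltn` style output."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m.group(1).strip("[]"), int(m.group(2))))
    return found


def is_loopback(addr):
    """Sockets bound only to loopback are invisible to an external scan."""
    return ipaddress.ip_address(addr).is_loopback


def exposed_ports(listeners):
    """Split non-loopback listeners into (unexpected, admin_only).
    `unexpected` is what an ASV scan will report, because the scanner sees
    the host exactly as an attacker does; `admin_only` is acceptable only
    if the firewall limits it to ADMIN_NET."""
    unexpected, admin_only = set(), set()
    for addr, port in listeners:
        if is_loopback(addr) or port in PUBLIC_PORTS:
            continue
        (admin_only if port in ADMIN_PORTS else unexpected).add(port)
    return sorted(unexpected), sorted(admin_only)


def nft_ruleset():
    """Generate an nftables ruleset: default-drop inbound, public ports
    open, admin ports only from ADMIN_NET, outbound limited to DNS, NTP
    and HTTPS to the gateway. Dropped packets are logged so the firewall
    also feeds the "track and monitor" requirement."""
    pub = ", ".join(str(p) for p in sorted(PUBLIC_PORTS))
    adm = ", ".join(str(p) for p in sorted(ADMIN_PORTS))
    gw = ", ".join(GATEWAY_HOSTS)
    return f"""table inet cde {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    tcp dport {{ {pub} }} accept
    ip saddr {ADMIN_NET} tcp dport {{ {adm} }} accept
    log prefix "cde-in-drop " drop
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    udp dport {{ 53, 123 }} accept
    ip daddr {{ {gw} }} tcp dport 443 accept
    log prefix "cde-out-drop " drop
  }}
}}
"""


if __name__ == "__main__":
    unexpected, admin_only = exposed_ports(parse_listeners(SS_SAMPLE))
    print("ports a scan will flag:", unexpected)    # [3306]
    print("admin-only ports to restrict:", admin_only)  # [22]
    print(nft_ruleset())
```

With the sample above the check flags 3306 (MySQL bound to 0.0.0.0) and lists 22 as admin-only; Redis on 127.0.0.1 is ignored because a scanner cannot reach it. Even if you then bind MySQL to loopback, keep the ruleset: the default-drop output chain is what stops a compromised script on the box from connecting out, which is the scenario the post describes.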
Brilliant, what an amazing bunch of genius... (what is the plural for genius?) HOWA
This is very interesting and makes a lot of sense. I am really pleased... The port thing makes sense, RD, and I will expect the PCI people to tell me which ports to close. I recall having to close some ports previously on one of my sites, as a hacker got in and was using our server for sending out viagra tablet emails. (No problem if they sent me some, but they didn't.)
You are right about the storing. RI I was planning on storing a few and doing the whole Amazon subsequent purchase "SSV code only" thing, but if that meant I would have to retain everyone's usable details I wouldn't bother. TCHIE I was under the impression that the SSL from Verisign would handle all this. I suspect, however, this only covers the encryption of the data while it is being passed to the bank.
After your post I have emailed a "sh**&" load of hosters asking them about ports and firewall inclusions.
I really hope you're right that it's not that tough or a headache... maybe you should google me, and who knows, there might be some work down the line once I have checked you out.
Left my name here in code so that Google doesn't pick this up and show all my clients I am asking for help from the gods, instead of knowing what I am doing!