Posts Tagged ‘PCI Compliance’

Mobile Payment Security & Compliance

by FireHost Evangelist on November 30th, 2011

There isn’t much we can’t do with our smartphones anymore, is there? Making mobile payments is no exception. A wave of new apps and technologies is arriving that lets consumers buy almost anything through their phone, all but eliminating the need to carry an actual wallet. FireHost senior security engineer Chris Hinkley wrote a guest article for SecurityWeek on the safety of mobile payments and their PCI compliance implications.

You can check out the full article to learn more about why mobile payments are still vulnerable, how the PCI Security Standards Council is tackling the issue, and what the next year will bring for this popular consumer trend.

“There is vagueness around the safety of consumers’ credit card numbers when they are transmitted through mobile applications. A website that’s been modified for a mobile platform is presumably safer than an actual mobile application, making the latter considered not compliant according to the PCI DSS Council. If your business is working on a payment app to make transactions easier or more convenient for customers, you must consider this before deploying the app into the iPhone, Android, Blackberry or other marketplace.”

New Data Center for FireHost Clients

by FireHost Evangelist on February 17th, 2011

At FireHost, we continually strive to make the unique secure hosting services we provide even better. Our top priority is keeping our customers running securely and worry-free around the clock.

With that, we’re pleased to announce our expansion into a new data center facility in April 2011. The new facility is located in Richardson, Texas and represents FireHost’s third data center footprint in the US. The new facility brings a serious set of top-notch security, connectivity and redundancy features that will not only benefit our new customers, but also our existing customers who will migrate from our current Dallas facility.

Here are some of the major benefits you’ll experience with our data center expansion:

Redundant Connectivity Infrastructure

  • Diverse fiber entry and intra-building fiber paths
  • Fully redundant internal network distribution
  • Multiple 10 Gbps connections from multiple premium carriers

Redundant Power Infrastructure

  • Complete 2N Electrical Infrastructure
  • Redundant Utility Feeds
  • Redundant Transformers in Ring Configuration
  • Redundant Power Distribution Units (PDU)
  • Redundant 2,000 kW Diesel Generators
  • 72+ hours fuel supply onsite with priority re-fueling status


Decoding PCI DSS Requirement 6: Develop and Maintain Secure Systems and Applications

by FireHost Evangelist on June 24th, 2010

The main directive of the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6 is to “develop and maintain secure systems and applications.” At a high level, the requirement seems reasonable and the language in the title is simple and straightforward. Closer investigation, however, reveals a much more complex compliance scenario.

While most of the contents of Requirement 6 are not technically difficult to achieve, maintaining the balance between an eCommerce organization’s business requirements, brand integrity, usability requirements, and security is challenging. It is the responsibility of the development team to weigh the best interests of the organization against its wish list, all while adhering to the best practices and requirements set forth in the PCI DSS standard to protect the organization and its customers.

Requirement 6 affects almost every aspect of the development process, from the planning stage to post-launch maintenance. Some of its provisions are very specific and will vary depending on your deployment and development environment, so this article covers the general compliance guidelines that apply regardless of environment.

System Configuration, Maintenance and Security

As with all of the PCI DSS requirements, it is important to consider all of the required accommodations early on and throughout the planning phase. The scope of Requirement 6 reaches beyond code to the configuration of the development and production environments as well as the administration of both.

This includes simple things, such as the requirement in Provision 6.1 that all systems (both production and development servers, as well as all developer workstations) have the latest security patches installed within 30 days of their release (or 90 days if your company’s policy requires roll-out testing); and that all security patches are tested against the vulnerability they fix prior to deployment in a production environment. Provisions 6.3.2-6.3.3 require that production and development environments be completely separate, and that a policy exists to provide a separation of duties, responsibilities and privileges between users with access to either system.

Additionally, specific system vulnerabilities may be addressed in code or through system configuration adjustments. The right fix differs from one configuration to the next. Most PCI-certified vulnerability monitoring solutions will provide additional, detailed guidance for each specific instance discovered.
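The two provisions called out above (the Provision 6.1 patch window and the Provisions 6.3.2-6.3.3 separation between production and development) are easy to state and easy to drift out of, so they are worth checking mechanically. The script below is an added example written for this page, not FireHost tooling or anything from the PCI SSC; the system inventory, patch identifiers (`PATCH-A`, `PATCH-B`), account names and access lists are all constructed, and the 30-day / 90-day windows are taken from the article's wording.

```python
"""Added example: checking two Requirement 6 provisions against a constructed
system inventory. Illustrative code written for this page, not FireHost's
tooling; the inventory, user names and patch identifiers are all made up."""
from datetime import date

# Provision 6.1 as stated in the article: patches installed within 30 days of
# release, or 90 days when company policy requires roll-out testing first.
PATCH_WINDOW_DAYS = 30
PATCH_WINDOW_WITH_TESTING_DAYS = 90

# Date the audit is run; fixed here so the example is reproducible.
AUDIT_DATE = date(2010, 6, 24)

# Constructed inventory: one entry per (system, security patch). "installed" is
# None when the patch has not been applied yet. Patch ids are placeholders.
INVENTORY = [
    {"system": "prod-web-01", "env": "production", "patch": "PATCH-A",
     "released": date(2010, 4, 1), "installed": date(2010, 4, 20)},
    {"system": "prod-web-01", "env": "production", "patch": "PATCH-B",
     "released": date(2010, 5, 1), "installed": None},
    {"system": "dev-build-01", "env": "development", "patch": "PATCH-B",
     "released": date(2010, 5, 1), "installed": date(2010, 5, 10)},
    {"system": "dev-ws-jane", "env": "development", "patch": "PATCH-A",
     "released": date(2010, 4, 1), "installed": date(2010, 6, 15)},
]

# Constructed access lists: which accounts can log in to each environment.
ACCESS = {
    "production": {"ops-alice", "dev-bob"},
    "development": {"dev-bob", "dev-jane"},
}


def patch_findings(inventory, today, rollout_testing=False):
    """Return (system, patch, days_outstanding) for every patch that was applied
    after the allowed window, or is still missing once the window has elapsed."""
    window = PATCH_WINDOW_WITH_TESTING_DAYS if rollout_testing else PATCH_WINDOW_DAYS
    findings = []
    for row in inventory:
        end = row["installed"] or today  # missing patch: the clock is still running
        days = (end - row["released"]).days
        if days > window:
            findings.append((row["system"], row["patch"], days))
    return findings


def separation_findings(access):
    """Provisions 6.3.2-6.3.3: flag accounts holding access to both production
    and development, which defeats the required separation of duties."""
    return sorted(access["production"] & access["development"])


if __name__ == "__main__":
    for finding in patch_findings(INVENTORY, AUDIT_DATE):
        print("patch window exceeded:", finding)
    for account in separation_findings(ACCESS):
        print("account spans production and development:", account)
```

Run as a script it reports the unpatched production web server, the developer workstation that was patched 75 days after release, and the one account that can reach both environments. A real inventory would be fed from your patch management and directory systems rather than a literal list, but the rule logic stays the same.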


Decoding PCI DSS Requirement 4: Encrypting and Storing Credit Card Data

by FireHost Evangelist on May 19th, 2010

Data encryption seems complicated, and in most cases it lives up to that complexity. This is especially true when encryption requirements go beyond the basics, such as names and passwords, to include highly confidential information like social security numbers, credit card numbers, and protected health information.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that govern the way credit card information should be handled and protected. Its nomenclature can often be confusing. So in a short series of articles (starting with this one), we’ll break down the most important elements of the PCI DSS as they relate to data encryption.

PCI DSS Requirement 4

Requirement 4.1 of PCI DSS addresses encryption protocols and instructs any entity that accepts, handles, transmits, or stores credit card data to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”
 
Let’s start with understanding what information is encrypted per Requirement 4. PCI DSS requires that all cardholder data (specifically the cardholder’s name, the card number, expiration date, and billing address) be encrypted when stored or transmitted.
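Putting the two statements above together gives a simple scoping rule for each channel that carries data: does it carry cardholder data, does it cross an open public network, and what protocol protects it? The script below is an added example written for this page, not FireHost's or the PCI SSC's code; the flow inventory is constructed, and the channel names are placeholders. It goes one step beyond the 2010 wording: the PCI SSC later deprecated SSL (all versions) and early TLS (1.0 and 1.1) for cardholder data, so the check accepts only TLS 1.2 and newer (plus IPsec, which the requirement names).

```python
"""Added example: classifying cardholder-data flows against the Requirement 4.1
wording quoted above. Illustrative code written for this page, not FireHost's;
the flow inventory and its entries are constructed."""
from dataclasses import dataclass

# Protocols this check accepts for cardholder data over an open network. SSL and
# TLS 1.0/1.1 were deprecated by the PCI SSC after this article was written, so
# they are treated as failures here even though they do encrypt.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3", "IPsec"}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Flow:
    name: str          # constructed label for the channel
    carries_chd: bool  # cardholder data (name, PAN, expiry, billing address) present?
    open_network: bool # crosses an open/public network (Internet, wifi, cellular)?
    protocol: str      # "none" for cleartext, otherwise the protocol in use


def assess(flow):
    """Return 'ok', 'out-of-scope', a 'warn:' or a 'fail:' verdict for one flow."""
    if not flow.carries_chd:
        return "out-of-scope"
    if flow.protocol in ACCEPTED_PROTOCOLS:
        return "ok"
    if not flow.open_network:
        # 4.1 is written for open, public networks; the article still expects
        # cardholder data to be encrypted wherever it travels, so flag it.
        return "warn: cardholder data unencrypted on an internal network"
    if flow.protocol == "none":
        return "fail: cardholder data sent in cleartext over an open network"
    if flow.protocol in DEPRECATED_PROTOCOLS:
        return f"fail: deprecated protocol {flow.protocol} on an open network"
    return f"fail: unrecognised protocol {flow.protocol}"


def audit(flows):
    """Map every flow name to its verdict."""
    return {flow.name: assess(flow) for flow in flows}


def failing_flows(flows):
    """Names of flows that would fail a Requirement 4.1 review, in inventory order."""
    return [flow.name for flow in flows if assess(flow).startswith("fail:")]


# Constructed inventory of channels in a small e-commerce deployment.
SAMPLE_FLOWS = [
    Flow("browser->checkout", carries_chd=True, open_network=True, protocol="TLSv1.2"),
    Flow("checkout->gateway", carries_chd=True, open_network=True, protocol="TLSv1.0"),
    Flow("mobile-app->api", carries_chd=True, open_network=True, protocol="none"),
    Flow("web->db-same-vlan", carries_chd=True, open_network=False, protocol="none"),
    Flow("cdn-static-assets", carries_chd=False, open_network=True, protocol="none"),
    Flow("office->dc-vpn", carries_chd=True, open_network=True, protocol="IPsec"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{name:20s} {verdict}")
```

The useful part is the ordering of the tests: scope (is cardholder data present at all?) is decided before protocol strength, and network exposure before the cleartext check, which mirrors how an assessor walks a data-flow diagram. Swapping the constructed list for your own inventory is the only change needed to run it for real.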

Here are some common questions and answers about Requirement 4 to help developers navigate through it.


Understanding the Whole PCI Compliance Pie – Which slice do you own?

by FireHost Evangelist on March 30th, 2010

When you develop Web sites that collect payment via credit card for goods and services sold online, part of your responsibility is to establish and maintain PCI compliance. If followed properly, the Payment Card Industry Data Security Standard (current version 1.2) does a very effective job of providing a safe shopping experience for customers. However, achieving compliance is easier said than done, especially for startups and developers for small online retailers.

After reviewing the 200-plus sub-policies, procedures, activities, and technical nuances that make up the PCI Data Security Standard, most small and startup E-commerce companies will choose to outsource portions of their website operation to third-party service providers. In this scenario, each party is independently responsible for maintaining control over compliance for its own organization. You shouldn’t fall into the trap of assuming that someone else is handling your compliance needs. Everyone involved in your online store is responsible for a piece of the security compliance pie.

Anyone that touches or has access to credit card data in any capacity is responsible for PCI compliance, regardless of their role. This includes the online retailer, the Web application developer, and the hosting provider.

The most important steps every E-Commerce developer should complete as they establish a PCI compliant business:

  • Step 1 – Become educated about the payment card industry mandates. Taking the time to become knowledgeable here can go a very long way.
  • Step 2 – Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties (a QSA – Qualified Security Assessor – can help with this step).
  • Step 3 – Select service partners that have expertise in protecting personally identifiable information (PII).
  • Step 4 – Thoroughly review each service partner’s ROC (Report on Compliance) to make sure there are no unfulfilled requirements or pending remediations for critical items.
