Posts Tagged ‘PCI Compliant Hosting’

New Data Center for FireHost Clients

by FireHost Evangelist on February 17th, 2011

At FireHost, we continually strive to make the unique secure hosting services we provide even better. Our top priority is keeping our customers running securely and worry-free around the clock.

With that, we’re pleased to announce our expansion into a new data center facility in April 2011. The new facility is located in Richardson, Texas and represents FireHost’s third data center footprint in the US. The new facility brings a serious set of top-notch security, connectivity and redundancy features that will not only benefit our new customers, but also our existing customers who will migrate from our current Dallas facility.

Here are some of the major benefits you’ll experience with our data center expansion:

Redundant Connectivity Infrastructure

  • Diverse fiber entry and intra-building fiber paths
  • Fully redundant internal network distribution
  • Multiple 10 Gbps connections from multiple premium carriers

Redundant Power Infrastructure

  • Complete 2N Electrical Infrastructure
  • Redundant Utility Feeds
  • Redundant Transformers in Ring Configuration
  • Redundant Power Distribution Units (PDU)
  • Redundant 2,000 kW Diesel Generators
  • 72+ hours fuel supply onsite with priority re-fueling status


Decoding PCI DSS Requirement 6: Develop and Maintain Secure Systems and Applications

by FireHost Evangelist on June 24th, 2010

The main directive of the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6 is to “develop and maintain secure systems and applications.” At a high level, the requirement seems reasonable and the language in the title is simple and straightforward. Closer investigation, however, reveals a much more complex compliance scenario.

While most of the contents of Requirement 6 are not technically difficult to achieve, maintaining the balance between an eCommerce organization’s business requirements, brand integrity, usability requirements, and security is challenging. It is the responsibility of the development team to weigh the best interests of the organization against its wish list, all while adhering to the best practices and requirements set forth in the PCI DSS to protect the organization and its customers.

Requirement 6 affects almost every aspect of the development process, from the planning stage to post-launch maintenance. Some of its provisions are very specific and will vary depending on your deployment and development environment, so this article covers the general compliance guidelines rather than every environment-specific detail.

System Configuration, Maintenance and Security

As with all of the PCI DSS requirements, it is important to consider all of the required accommodations early on and throughout the planning phase. The scope of Requirement 6 reaches beyond code to the configuration of the development and production environments as well as the administration of both.

This includes simple things, such as the requirement in Provision 6.1 that all systems (production and development servers, as well as all developer workstations) have the latest vendor-supplied security patches installed, with critical patches applied within one month of release (PCI DSS v1.2 permits a risk-based approach in which lower-priority systems are patched within three months), and that all security patches are tested before deployment in a production environment. Provisions 6.3.2-6.3.3 require that development/test environments be separate from production, and that a separation of duties, responsibilities and privileges exists between personnel with access to either environment.

Additionally, specific system vulnerabilities may be addressed in code or through system configuration changes; the right fix differs from one configuration to the next. Most PCI-approved vulnerability scanning solutions provide additional, detailed guidance for each specific finding.


Decoding PCI DSS Requirement 4: Encrypting and Storing Credit Card Data

by FireHost Evangelist on May 19th, 2010

Data encryption seems complicated, and in most cases it lives up to that reputation. This is especially true when encryption requirements go beyond the basics, such as names and passwords, to include highly confidential information like Social Security numbers, credit card numbers, and protected health information.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that govern how credit card information must be handled and protected. Its terminology can often be a bit confusing. So in a short series of articles (starting with this one), we’ll break down the most important elements of the PCI DSS as they relate to data encryption.

PCI DSS Requirement 4

Requirement 4.1 of the PCI DSS addresses protection of data in transit. It instructs any entity that accepts, handles, transmits, or stores credit card data to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” In practice, no cardholder data may cross the Internet or any other untrusted link in the clear.

Let’s start with what information is covered. The PCI DSS defines cardholder data as the primary account number (PAN) together with the cardholder’s name, expiration date and service code; the billing address is not cardholder data. Requirement 4 requires this data to be protected with strong cryptography whenever it is transmitted over open, public networks, while the separate storage rules in Requirement 3 (notably 3.4) require the PAN to be rendered unreadable anywhere it is stored, using truncation, a strong one-way hash, index tokens, or strong encryption with proper key management.
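The article’s title pairs transmission with storage, so here is an added example (not code from the original post or from FireHost) of the two storage options that need no key management at the application layer: truncation for display, which PCI DSS 3.3 caps at the first six and last four digits, and a keyed one-way hash usable as a lookup index. The secret, the sample PANs (standard test numbers, not real cards) and the record layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample inputs: industry test PANs, not real cards.
SAMPLE_PANS = ["4111 1111 1111 1111", "5500-0000-0000-0004"]

# Hypothetical secret for the keyed hash. In a real deployment it lives in a
# key-management system or HSM, never in source or in the same database.
EXAMPLE_SECRET = b"example-only-do-not-use"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and require a plausible all-digit PAN (13-19 digits)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Truncate for display: at most first six and last four digits survive."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, secret: bytes) -> str:
    """Keyed one-way hash of the full PAN: a stable index for lookups
    (e.g. 'has this card been seen before?') that does not reveal the PAN."""
    digits = normalize_pan(pan)
    return hmac.new(secret, digits.encode("ascii"), hashlib.sha256).hexdigest()


def stored_record(pan: str, secret: bytes) -> dict:
    """What actually gets written to the database for a card: the display
    form and the index. The full PAN never appears in the record."""
    digits = normalize_pan(pan)
    record = {"display": mask_pan(pan), "index": pan_token(pan, secret)}
    if any(digits in value for value in record.values()):
        raise RuntimeError("full PAN leaked into stored record")
    return record


if __name__ == "__main__":
    for sample in SAMPLE_PANS:
        print(stored_record(sample, EXAMPLE_SECRET))
```

The unkeyed alternative (a plain SHA-256 of the PAN) is weak in practice because the PAN space is small enough to enumerate given the issuer prefix and a Luhn filter; the secret key is what makes the index non-reversible for anyone who obtains the table without it, which is also why that key must not be stored alongside the data.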

Here are some common questions and answers about Requirement 4 to help developers navigate through it.


Understanding the Whole PCI Compliance Pie – Which slice do you own?

by FireHost Evangelist on March 30th, 2010

When you develop Web sites that collect payment via credit card for goods and services sold online, part of your responsibility is to establish and maintain PCI compliance. If followed properly, the Payment Card Industry Data Security Standard (current version 1.2) does a very effective job of providing a safe shopping experience for customers. However, achieving compliance is easier said than done, especially for startups and developers for small online retailers.

After reviewing the 200-plus sub-policies, procedures, activities, and technical nuances that make up the PCI Data Security Standard, most small and startup E-commerce companies will choose to outsource portions of their website operation to third party service providers. In this scenario, each party is independently responsible for maintaining control over compliance for their respective organization. You shouldn’t fall into the trap of assuming that someone else is handling your compliance needs. Everyone involved in your online store is responsible for a piece of the security compliance pie.

Anyone who touches or has access to credit card data in any capacity is responsible for PCI compliance, regardless of their role. This includes the online retailer, the Web application developer, and the hosting provider.

The most important steps every E-Commerce developer should complete as they establish a PCI compliant business:

  • Step 1 – Become educated about the payment card industry mandates. Taking the time to become knowledgeable here can go a very long way.
  • Step 2 – Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties (A QSA – Qualified Security Assessor – can help with this step)
  • Step 3 – Select service partners that have expertise in protecting personally identifiable information (PII).
  • Step 4 – Thoroughly review each service partner’s ROC (Report on Compliance) or AOC (Attestation of Compliance) to make sure there are no unfulfilled requirements or pending remediations for critical items


Security, Speed, and Scalability for E-commerce: A Guide to Getting Started

by FireHost Evangelist on March 19th, 2010

All new E-commerce businesses should address one vital question first and foremost: Will you collect and store payment card information on your Web site, or offload credit card processing to a PCI compliant payment service provider such as PayPal? The answer to this question is paramount and should be well thought out when you are planning and developing your E-commerce Web application, because it determines how much of the cardholder data environment (and therefore of the PCI DSS) is in your own scope.

When feasible, outsourcing the storage and handling of credit cards to a trusted, capable, and PCI compliant payment processing provider is the most secure and most budget-friendly course of action. Even when you outsource payment processing (the riskiest piece of running an E-commerce business), you still must ensure your hosting environment can deliver speed and scalability that meets user expectation and includes security measures that protect your shoppers from a damaging hacker encounter.

Here are the tools and services that you should be looking for:

Web Hosting Security Basics – the minimum requirements you need to transact business securely online

Redundant firewall protection — Firewalls help stop network-level attacks before they can penetrate the perimeter. Deploying them as a tuned, redundant pair means a single firewall failure neither takes your store offline nor leaves it exposed while the device is replaced.

Web application protection – In addition to traditional firewalls, you’ll need a Web application firewall (we call them WAFs). This technology helps protect E-commerce organizations from application-level attacks such as SQL injection and Cross Site Scripting (XSS). Application-level attacks are those where the hacker targets the website itself: your contact forms, login boxes, search fields, and so on. Traditional firewalls are helpless against these attacks because the malicious input arrives as ordinary HTTP traffic on an allowed port; a WAF inspects the request content itself. PCI DSS Requirement 6.6 requires public-facing web applications to be protected either by a WAF or by regular application vulnerability reviews, and a WAF is no substitute for fixing the underlying code.
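To make the two attack classes concrete, here is an added example (not code from the original post or from FireHost) showing the vulnerable form of a login query and a comment renderer beside their hardened forms. The in-memory SQLite table, the user row and the payloads are constructed for the demonstration; real systems store password hashes, not the plaintext used here to keep the query readable.

```python
import html
import sqlite3

# Constructed demo table. Plaintext password is only to keep the SQL readable;
# a real application stores a salted password hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: attacker-controlled text becomes part of the SQL."""
    sql = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Classic tautology payload typed into both fields of the login box. With the
# vulnerable query it yields:  ... username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is always true, so the attacker logs in without any credentials.
INJECTION = "' OR '1'='1"


def render_comment_vulnerable(text: str) -> str:
    """Reflects user text straight into HTML: a script tag executes in the browser."""
    return f"<p>{text}</p>"


def render_comment_hardened(text: str) -> str:
    """Escapes the text first, so the browser displays the tag instead of running it."""
    return f"<p>{html.escape(text)}</p>"


XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed:", login_vulnerable(db, INJECTION, INJECTION))
    print("hardened login bypassed:  ", login_hardened(db, INJECTION, INJECTION))
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_hardened(XSS_PAYLOAD))
```

A WAF in front of this application would typically block the `' OR '1'='1` and `<script>` patterns, but signature matching can be evaded with encoding and comment tricks, so the parameterised query and output escaping are the controls that actually close the holes; the WAF is the layer that catches what the code misses.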
