Visa E-commerce Security Checklist Questionnaire

From Hostek.com Wiki

Physical Security

Q: Where is the server physically located?
A: St. Louis, MO, USA (in most cases)
Q: Who has access?
A: Authorized personnel only.
Q: Who authorizes access?
A: Data Center 
Q: What is the access control mechanism?
A: Multi-step: Security cards, manual ID inspection, manual access entry.
Q: Are there motion detectors, cameras, etc.?
A: Several 24x7 recorded cameras/video throughout.
Q: Where are the backups stored?
A: Generally offsite in Dallas, TX, USA

Network Security

Q: Are the appropriate contacts defined in DNS?
A: Yes
Q: On what VLAN is the host? Where does this VLAN exist?
A: Virtual VLAN via VMware
Q: Is there a network firewall in place?
A: Yes
Q: Is there a host-based firewall in place?
A: Yes
Q: What are the firewall rules for remote administrative access?
A: Internal only
Q: What kind of logging is in place?
A: Standard logging (generic question)
Q: Are the logs periodically reviewed and acted on?
A: Yes
Q: What services are available to the Internet?
A: Only needed services to allow the site to function.  All others blocked.
Q: What network access controls are in place for the database server?
A: Internal access only for admin access, requiring strong username/password authentication.

System Security

Q: What OS is running on the system?
A: Depends.  If you have cPanel, it's Linux.  If you have MochaPanel/WCP, it's Windows.
Q: What is the OS version? Is it nearing end of life?
A: Depends on the plan chosen.
Q: Is the OS patched? What is the process for applying security patches?
A: Yes.  The servers are routinely patched as releases are made.
Q: What is the server used for, other than this application?
A: Our shared web servers are only used as web servers.  
Q: What software is installed?
A: Depends on the OS type.
Q: What services are running?
A: Only those services needed by a web server.
Q: Is the clock synchronized via NTP?
A: Yes
Q: What are the login accounts on the system?
A: N/A
Q: What authentication methods does the system support?
A: Depends on the OS.
Q: Does the system authenticate against a domain/realm/external database?
A: No
Q: How does one get root/Administrator privilege?
A: You don't on a shared server.
Q: Are strong passwords used? Is usage enforced?
A: Yes
Q: Are there shared accounts?
A: Users are not shared.  The web server is a shared server.
Q: What is the state of the file system security? (world writable files, suid root)
A: Files have restricted access to the account owner.
Q: How are backups done?
A: We utilize CDP Backup from R1Soft to perform Nightly Backups.  Nightly backups are processed for Shared and Reseller accounts.  Virtual Servers (VPS) are recommended to add the Nightly Backup option.  
Q: What kind of logging is in place?
A: Standard logging.
Q: Are the logs periodically reviewed and acted on?
A: Yes

Database Security

Q: Where does the database server run?
A: On a separate database server.
Q: With what privileges on the system does the database server run?
A: Depends on the type of database server.  The user account privileges are restricted to that specific database.
Q: What access controls are in place for the application's data?
A: (Customer needs to answer)
Q: What database privileges does the application have?
A: (Customer needs to answer)
Q: What information is stored in the database?
A: (Customer needs to answer)
Q: What database users/roles are defined, and what privileges do they have?
A: (Customer needs to answer)
Q: What is the data retention policy?
A: For Shared and Reseller accounts, backups are retained up to 14 days on shared web and database servers.  For VPS customers choosing the Nightly Backup option, backups can be retained between 5 and 30 days depending on the option selected.
Q: How is the database backed up?
A: Nightly
Q: What kind of logging is in place?
A: Standard logging
Q: Are the logs periodically reviewed and acted on?
A: Yes
Web Server Security

Q: Does the server force SSL/TLS to the application?
A: (Customer needs to answer)
Q: Is the SSL/TLS keypair adequately secured?
A: Yes
Q: Are weak ciphers disabled?
A: Yes
Q: Is SSLv2 disabled?
A: Yes
Q: Are unnecessary modules/plugins disabled?
A: Yes
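The three externally checkable items above (SSL/TLS forced, weak ciphers disabled, SSLv2 disabled), as an added verification script that is not part of the Hostek page; it assumes a hostname argument for a server you administer and the openssl and curl command-line tools:

```shell
#!/bin/sh
# Added example, not from the Hostek wiki: spot-check three "Web Server Security"
# answers (SSL/TLS forced, weak ciphers disabled, SSLv2 disabled) against a
# host you administer, using only the openssl and curl CLIs.
# The hostname is the single argument (an assumption; nothing is hard-coded).

# negotiated_cipher OUTPUT: what openssl s_client agreed on. Prints the cipher
# name on success, "(NONE)" when the server refused the handshake, and nothing
# when openssl never got that far (e.g. the option is unknown to this build).
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is //p' | head -n 1
}

# redirects_to_https HEADERS: true if an HTTP response redirects to an https:// URL.
redirects_to_https() {
  printf '%s\n' "$1" | grep -iq '^Location: *https://'
}

# probe HOST OPTIONS...: one s_client handshake with the given options.
probe() {
  host=$1; shift
  out=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" "$@" 2>&1 || true)
  negotiated_cipher "$out"
}

# verdict LABEL CIPHER: turn a probe result into a checklist line.
verdict() {
  case "$2" in
    "")       echo "SKIP: $1 - this openssl build cannot run the probe" ;;
    "(NONE)") echo "PASS: $1 - server refused the handshake" ;;
    *)        echo "FAIL: $1 - server negotiated $2" ;;
  esac
}

report() {
  # SSLv2: OpenSSL 1.1.0+ dropped client support, so expect SKIP there and
  # confirm the setting in the server-side configuration instead.
  verdict "SSLv2 disabled" "$(probe "$1" -ssl2)"
  # Offer only cipher families the checklist forbids; pin TLS 1.2 so a
  # TLS 1.3 suite (always offered regardless of -cipher) cannot mask the result.
  verdict "weak ciphers disabled" \
    "$(probe "$1" -tls1_2 -cipher 'NULL:EXPORT:LOW:DES:RC4:MD5:aNULL:@SECLEVEL=0')"
  hdrs=$(curl -sS -I --max-time 10 "http://$1/" 2>/dev/null || true)
  if redirects_to_https "$hdrs"; then echo "PASS: SSL/TLS forced - http:// redirects to https://"
  else echo "CHECK: SSL/TLS forced - no https:// redirect seen (or host unreachable)"; fi
}

if [ $# -eq 1 ]; then report "$1"; else echo "usage: $0 HOSTNAME" >&2; fi
```

A FAIL on the weak-cipher line names the suite the server accepted, which is the line to remove from the cipher configuration; a SKIP means the local openssl cannot exercise that probe, not that the server passed.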
Application Security

The customer needs to answer these questions, as they are application-specific.