Difference between revisions of "PCI Compliance"
Revision as of 04:19, 5 April 2014
Obtaining PCI Compliance
You need PCI Compliance if your website/business accepts, transmits or stores any cardholder data.
If that is you:
Find a Qualified Security Assessor (QSA) such as SecurityMetrics or TrustWave; there are many such vendors. They will help you determine the type of compliance required for your business and provide the services to achieve and maintain compliance.
How do I know what level / validation type?
The Qualified Security Assessor will help you determine this, based on the PCI DSS standards.
- The level of "compliance" required (1-4) is based on transaction or monetary volume.
- The "Validation Type" determines the assessment requirements and is based on how much card data you store.
A copy of the PCI DSS is available here. More general, unofficial details can be found here.
How Hostek complements efforts for PCI compliance
- Ensuring PCI standards can be met and kept for our own systems.
- Providing firewall protection for all servers and the option for PCI compliant firewall rules to be applied to a customer's environment.
- Providing VPN for customers to securely connect to and manage their environment remotely.
- Providing a VLAN (virtual LAN) for customer environments with multiple servers, so their database server is completely isolated from public access.
- Including or offering Anti-Virus scanning on VPS and/or Shared Hosting servers.
- Protecting physical access to network and servers. Data centers are managed & monitored 24x7 by security cameras and on-site staff.
Hostek.com
PCI compliance requires quarterly scans from a PCI compliance vendor. Hostek.com goes above and beyond this requirement by having regular scans from two different PCI compliance vendors. One vendor's scans are done quarterly. The other's scans are done nightly. This ensures that all potential PCI compliance issues are accurately identified and dealt with promptly.
Hostek.com PCI Compliance Report
Hostek.com PCI DSS Compliance report: Media:PCI-DSS-Compliance-hostek-com.pdf
Datacenter
The data center where the hostek.com equipment is housed maintains SOC 2 Certification (File:SOC2 CERT 2013.pdf). This replaced the SSAE16 Certification.
Full audit report part 1: File:SOC2-2013 CYBERCON Full Report PART-1.pdf
Full audit report part 2: File:SOC2-2013 CYBERCON Full Report PART-2.pdf
Previous Certifications
2011-12 - SSAE 16 Certification (audit report). This replaced the SAS 70 Type 2 Certification.
Common PCI Compliance Resolutions
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
aka: BEAST (Browser Exploit Against SSL/TLS) Vulnerability
NOTE: If you are on a shared server or a managed VPS, please submit a support ticket [1] and attach/include your PCI scan report. The information below is for our non-managed VPS customers.
- Place the following text in a file named TLS.reg and execute the file. It will add registry values to enable TLS 1.1 and TLS 1.2 support:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
- After completing the above step, go to Start -> Run -> (type gpedit.msc) -> (click OK)
- Navigate to Computer Configuration -> Administrative Template -> Network -> SSL Configuration Settings
- Right click on SSL Cipher Suite Order and choose Edit (Windows 2008 R2) or Properties (Windows 2008)
- Select Enabled and replace the text in the SSL Cipher Suites textbox (not to be confused with the Notes textbox) with the following long line of text, all on a single line with no line breaks or spaces:
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5
- Click OK
- Reboot server
Disable SSLv2 & Strong Ciphers Only & Strong Protocols Only
If you are on a shared server, please open a support ticket and attach the PCI scan report.
For VPSs: This generally applies to a Windows based server. If you see one of these items on your PCI scan report, download this zip [2], extract the appropriate .reg file, put it on your VPS and double click it to make the registry change that fixes the issue. Generally, if one of these shows on your report, we suggest running all three .reg files to take care of the issue fully at one time.
NOTE: You will need to reboot the server for these changes to take effect.
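To confirm after the reboot that the TLS.reg change above and the three .reg files from this section actually took effect, the following audit script (added here as an example; it is not Hostek's tooling) reads the Schannel protocol keys and the SSL Cipher Suite Order policy and flags what a PCI scan would still report. It assumes the Windows Server 2008/2008 R2 registry layout and treats SSL 3.0 as a weak protocol alongside SSLv2.

```powershell
# Added audit example (not Hostek's own tooling). Run in an elevated prompt.
# Assumes the Windows Server 2008/2008 R2 Schannel registry layout.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $base "$Protocol\$Side"
    # A missing key means the OS default applies, which a scanner may still flag.
    if (-not (Test-Path $key)) { return 'not set (OS default)' }
    $p = Get-ItemProperty -Path $key
    $enabled  = if ($null -ne $p.Enabled) { $p.Enabled } else { 'default' }
    $disabled = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' }
    return "Enabled=$enabled DisabledByDefault=$disabled"
}

# Protocols the .reg files should turn off, and those the BEAST fix turns on.
$shouldBeOff = 'SSL 2.0', 'SSL 3.0'
$shouldBeOn  = 'TLS 1.1', 'TLS 1.2'
foreach ($proto in $shouldBeOff + $shouldBeOn) {
    foreach ($side in 'Client', 'Server') {
        $state   = Get-SchannelState -Protocol $proto -Side $side
        $verdict = ''
        if ($shouldBeOff -contains $proto -and $state -notmatch 'Enabled=0') { $verdict = '  <-- should be disabled' }
        if ($shouldBeOn  -contains $proto -and $state -notmatch 'Enabled=1') { $verdict = '  <-- should be enabled' }
        '{0,-8} {1,-6} {2}{3}' -f $proto, $side, $state, $verdict
    }
}

# The gpedit "SSL Cipher Suite Order" setting is stored under this policy key
# in the value "Functions" (comma-separated). Flag suites with no encryption,
# RC4 or MD5, which appear in the list above and which scanners report.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $policy) {
    $functions = (Get-ItemProperty -Path $policy).Functions
    $suites = @(@($functions) -join ',' -split ',' | Where-Object { $_ -ne '' })
    $weak   = @($suites | Where-Object { $_ -match 'NULL|RC4|MD5|SSL_CK' })
    'Cipher suite order has {0} suites; {1} weak:' -f $suites.Count, $weak.Count
    $weak | ForEach-Object { "  $_" }
} else {
    'No SSL Cipher Suite Order policy set (Schannel defaults in use).'
}
```

Any line marked "should be" or listed under "weak" is a finding the next quarterly or nightly vendor scan is likely to raise again.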
VPS-Windows 2008 Servers
This free tool can be used to determine if vulnerable or weak protocols or ciphers are enabled, and provides the option to disable them.
https://www.nartac.com/Products/IISCrypto/Default.aspx
Changes using this tool require a server reboot to complete them.
Websites that allow testing for SSL Protocols and Ciphers:
https://www.ssllabs.com/ssltest/index.html
http://www.serversniff.net/sslcheck.php
Cloud Assessment Questions
Q: Is your organization insured by a 3rd party for losses?
A: Yes