Difference between revisions of "PCI Compliance"

From Hostek.com Wiki
Revision as of 19:25, 27 January 2016


Obtaining PCI Compliance

You need PCI compliance if your website or business accepts, transmits or stores any cardholder data.


If that applies to you:

Find a Qualified Security Assessor (QSA) such as SecurityMetrics or Trustwave; there are many such vendors. They will help you determine the type of compliance required for your business and provide the services to achieve and maintain compliance.


How do I know what level / validation type?

The Qualified Security Assessor will help you determine this, based on the PCI DSS standards.

  • The level of "compliance" required (1-4) is based on transaction or monetary volume.
  • The "Validation Type" determines the assessment requirements and is based on how much card data you store.

A copy of the PCI DSS is available here. More general, unofficial details can be found here.

How Hostek complements efforts for PCI compliance

  1. Ensuring PCI standards can be met and kept for our own systems.
  2. Providing firewall protection for all servers and the option for PCI compliant firewall rules to be applied to a customer's environment.
  3. Providing VPN for customers to securely connect to and manage their environment remotely.
  4. Providing a VLAN (virtual LAN) for customer environments with multiple servers so their database server is completely isolated from public access.
  5. Including or offering Anti-Virus scanning on VPS and/or Shared Hosting servers.
  6. Protecting physical access to network and servers. Data centers are managed and monitored 24x7 by security cameras and on-site staff.

Hostek.com

PCI compliance requires quarterly scans from a PCI compliance vendor. Hostek.com goes above and beyond this requirement by having regular scans from two different PCI compliance vendors. One vendor's scans are done quarterly. The other's scans are done nightly. This ensures that all potential PCI compliance issues are accurately identified and dealt with promptly.

Hostek.com PCI Compliance Report

Hostek.com PCI DSS Compliance report: Media:Hostek-pci.pdf

Datacenter

The St. Louis, MO data center where the hostek.com equipment is housed maintains SOC 2 Certification. This replaced the SSAE16 Certification.


Previous Certification Types

SOC 2 replaced the SSAE 16 certification.

SSAE 16 replaced the SAS 70 certification.

Shared Servers

We support PCI compliance on our shared hosting servers. If your PCI scan shows any issues that are not directly related to your web application, you can attach the report in a support ticket so that we can address any issues.

TLS 1.0

Browser Support w/ TLS 1.0 Disabled

Browser / OS                     Status
Android 2.3.7                    Unsupported
Android 4.0.4                    Unsupported
Android 4.1.1                    Unsupported
Android 4.2.2                    Unsupported
Android 4.3                      Unsupported
Android 4.4.2                    Supported
Android 5.0.0                    Supported
Baidu Jan 2015                   Unsupported
BingPreview Jan 2015             Supported
Chrome 42 / OS X                 Supported
Firefox 31.3.0 ESR / Win 7       Supported
Firefox 37 / OS X                Supported
Googlebot Feb 2015               Supported
IE 6 / XP No FS 1                Unsupported
IE 7 / Vista                     Unsupported
IE 8 / XP No FS 1                Unsupported
IE 8-10 / Win 7                  Unsupported
IE 11 / Win 7                    Supported
IE 11 / Win 8.1                  Supported
IE Mobile 10 / Win Phone 8.0     Unsupported
IE Mobile 11 / Win Phone 8.1     Supported
Java 6u45                        Unsupported
Java 7u25                        Unsupported
Java 8u31                        Supported
OpenSSL 0.9.8y                   Unsupported
OpenSSL 1.0.1l                   Supported
OpenSSL 1.0.2                    Supported
Safari 5.1.9 / OS X 10.6.8       Unsupported
Safari 6 / iOS 6.0.1             Supported
Safari 6.0.4 / OS X 10.8.4       Unsupported
Safari 7 / iOS 7.1               Supported
Safari 7 / OS X 10.9             Supported
Safari 8 / iOS 8.1.2             Supported
Safari 8 / OS X 10.10            Supported
Yahoo Slurp Jan 2015             Supported
YandexBot Jan 2015               Supported

We are disabling support for TLS 1.0 on our Shared Windows Servers.

  • Disabling TLS 1.0 is now required for PCI DSS compliance.
  • This change is to ensure that any connection over HTTPS is secured against "eavesdropping" from Man-In-The-Middle (MITM) attacks.
  • The majority of users will be unaffected by this change because it will only affect outdated browsers and old mobile devices that do not support TLS 1.1 or TLS 1.2.

Internet Explorer

  1. After disabling this protocol, Internet Explorer 11 (only supported on Windows 7 and up) will be the only version of Internet Explorer that can view HTTPS pages on the shared Windows servers.
  2. Users with Windows XP and Windows Vista will have an unsupported version of Internet Explorer. In order to view HTTPS pages these users will need to use an alternate browser (for example Google Chrome, Mozilla Firefox, Safari, etc.).

Supported/Unsupported Browsers/OSs

  • See the table above


Common PCI Compliance Resolutions

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure

aka: BEAST (Browser Exploit Against SSL/TLS) Vulnerability

NOTE: If you are on a shared server or a managed VPS, please submit a support ticket [1] and attach/include your PCI scan report. The information below is for our non managed VPS customers.

  • Place the following text in a file named TLS.reg and execute the file. It will add registry values to enable TLS 1.1 and TLS 1.2 support:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
  • After completing the above step, go to Start -> Run -> (type gpedit.msc) -> (click OK)
  • Navigate to Computer Configuration -> Administrative Template -> Network -> SSL Configuration Settings
  • Right click on SSL Cipher Suite Order and choose Edit (Windows 2008 R2) or Properties (Windows 2008)
  • Select Enabled and replace the text in the textbox under SSL Cipher Suites (not to be confused with the Notes textbox) with the following long line of text (all on a single line, with no line breaks or spaces):

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5

  • Click OK
  • Reboot server
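As an added check written for this page (example code, not Hostek's own tooling), the following Python parses a .reg fragment in the Schannel format shown above and reports which protocols it leaves usable, and splits an SSL Cipher Suite Order string into suites that a "strong ciphers only" scan item accepts and those it would flag. The sample inputs are constructed, and the weak-suite markers (NULL, RC4, MD5, DES and the SSLv2 SSL_CK_ prefix) are this example's own assumption; run against the cipher suite line above, they flag the NULL, RC4 and SSL_CK_ entries near its end.

```python
import re

# Constructed sample inputs in the page's own formats (not taken from the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
"""
SAMPLE_ORDER = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,"
                "TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5")

PROTO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\"
                       r"SecurityProviders\\Schannel\\Protocols\\(?P<proto>[^\\\]]+)"
                       r"\\(?P<side>Client|Server)\]$", re.IGNORECASE)
DWORD = re.compile(r'^"(?P<name>Enabled|DisabledByDefault)"=dword:(?P<val>[0-9a-fA-F]{8})$')
WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "SSL_CK_")  # assumed list; SSL_CK_* = SSLv2


def parse_schannel_reg(reg_text):
    """Map {protocol: {side: usable}} from .reg text. A side is usable when
    Enabled != 0 and DisabledByDefault == 0; a side key with no Enabled value
    maps to None (Schannel then uses the OS default, which the file cannot tell us)."""
    raw, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # any key header resets the parsing context
            m = PROTO_KEY.match(line)
            current = raw.setdefault(m["proto"], {}).setdefault(m["side"], {}) if m else None
            continue
        v = DWORD.match(line)
        if v and current is not None:
            current[v["name"]] = int(v["val"], 16)
    return {p: {s: None if "Enabled" not in vals
                else vals["Enabled"] != 0 and vals.get("DisabledByDefault", 0) == 0
                for s, vals in sides.items()} for p, sides in raw.items()}


def split_cipher_suites(order):
    """Split a Cipher Suite Order string into (strong, weak) lists; weak suites
    are those a 'strong ciphers only' scan item would flag."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    weak = [s for s in suites if any(w in s for w in WEAK_MARKERS)]
    return [s for s in suites if s not in weak], weak
```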

Disable SSLv2 & Strong Ciphers Only & Strong Protocols Only

If you are on a shared server, please open a support ticket and attach the PCI scan report.

For VPSs: this generally applies to a Windows based server. If you see one of these items on your PCI scan report, download this zip [2], extract the appropriate .reg file, put it on your VPS and double click it to make the registry change that fixes the issue. Generally, if one of these shows on your report, we suggest running all three .reg files to fully take care of the issue at one time.

NOTE: You will need to reboot the server for these changes to take effect.

VPS-Windows 2008 Servers

This free tool can be used to determine whether vulnerable or weak protocols or ciphers are enabled, and provides the option to disable them.

https://www.nartac.com/Products/IISCrypto/Default.aspx

Changes using this tool require a server reboot to complete them.


Websites that allow testing for SSL Protocols and Ciphers:

https://www.ssllabs.com/ssltest/index.html

http://www.serversniff.net/sslcheck.php



Visa E-commerce Security Checklist Questionnaire

Click this link for the Visa E-commerce Security Checklist Questionnaire [3]

Cloud Assessment Questions

Q: Is your organization insured by a 3rd party for losses?
A: Yes
Q: Do your organization's service level agreements provide tenant remuneration for losses they may incur due to outages or losses experienced within your infrastructure?
A: The Hostek.com SLA provides for a refund or credit limited to the dollar amount paid for the service during that monthly period.  The refund or credit amount is calculated based on amount paid for the monthly service / number of minutes in a month * number of down minutes.
Q: Do you collect capacity and utilization data for all relevant components of your cloud service offering?
A: Yes.  Daily.
Q: Do you provide tenants with capacity planning and utilization reports?
A: No.
Q: Do you have a documented procedure for responding to requests for tenant data from governments or third parties? 
A: Yes
Q: Do you process, transmit or store any credit card related information on behalf of Cisco?
A: In our St. Louis facility, we do not use Cisco.  In our Dallas facility, we do.
Q: Please provide any documentation on policies and procedures for controls you have in place to protect tenant's intellectual property and sensitive data from unauthorized access.
A: Utilization of IPS and IDS.  Customer has ability to lock down server access.  Internal access information is stored encrypted and only available via internal access.
Q: Please provide any documentation and policies you have regarding how you may access, mine, utilize tenant data and/or metadata.
A: We do not mine nor utilize tenant data.  Access to tenant data would occur if tenant asked for help in resolving a situation which may require such access.
Q: Please specify any inspection technologies used for collecting or creating metadata about tenant data usage (search engines, etc.?).
A: We do not inspect tenant data.
Q: What is the process for tenants to opt out of having their data/metadata accessed/mined via inspection technologies?
A: N/A as we do not inspect tenant data.
Q: Can you provide the physical location/geography of storage of a tenant’s data upon request?
A: Yes.
Q: Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
A: No.
Q: Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed?) 
A: No.
Q: What capability do you have to use system geographic location as an authentication factor?
A: N/A


Q: Does legal counsel review all third party agreements?
A: Yes.
Q: Do you select and monitor outsourced providers in compliance with laws in the country where the data originates, and is processed, stored and transmitted?
A: N/A
Q: Have you established an Information Security Management Program (ISMP)?
A: Our ISMP is being developed.
Q: Do you provide tenants with a right to audit (tenant audit)?
A: No, for security/confidential purposes.
Q: What is the process for tenants to request deletion/removal of data as needed?
Q: Provide the standards used for secure deletion of archived data upon request by tenants.
Q: What is the process to sanitize all computing resources of tenant data once a customer has exited your environment?
Q: What is the time period that you retain customer data after explicit user deletion/removal?
A: When a cloud tenant cancels, their virtual machine and backup data is deleted.  Data blocks are reused for new customers, which replace the old blocks.
Q: Do you manage separate production and non-production environments, and what controls do you have in place to ensure that production data is not copied to non-production environments?
A: No.  We have a redundant production environment, which is replicated nightly from the primary environment.
Q: Are backups and archives of data using unique encryption keys for each tenant?
A: Each tenant with a nightly backup has their own uniquely retained archive.
Q: What is the duration for keeping backed up data? And can you provide information about your backup rotations and rotation of your backup media?
A: The backup duration depends on the plan selected and the nightly backup option chosen.  For Shared customers, backups range from 7-14 days.  For VPS customers choosing our Nightly Backup option; 5-30 days depending on option selected.  The backups are full backups with a nightly differential, providing for a full 5-10 day restoration period.

Identity and Access Control

Physical Security and Disaster Recovery

Q: Do you require strong (multifactor) authentication options (card keys+PIN, biometric readers, etc.) for access to your physical facilities?
A: Yes.
Q: Are any of your datacenters located in places which have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
A: No.
Q: Do you use 24x7 camera monitoring at all the access points of your datacenter and key locations within the datacenter?
A: Yes.
Q: Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
A: N/A