PCI Compliance

From Hostek.com Wiki
Revision as of 15:36, 5 April 2014 by Briana (Visa E-commerce Security Checklist Questionnaire)



Obtaining PCI Compliance

You need PCI Compliance if your website/business accepts, transmits or stores any cardholder data.


If that is you:

Find a Qualified Security Assessor (QSA) such as SecurityMetrics or TrustWave; there are many such vendors. They will help you determine the type of compliance required for your business and provide the services to achieve and maintain compliance.


How do I know what level / validation type?

The Qualified Security Assessor will help you determine this, based on the PCI DSS standards.

  • The level of "compliance" required (1-4) is based on transaction or monetary volume.
  • The "Validation Type" determines the assessment requirements and is based on how much card data you store.

A copy of the PCI DSS is available here. More general, unofficial details can be found here.

How Hostek complements efforts for PCI compliance

  1. Ensuring PCI standards can be met and kept for our own systems.
  2. Providing firewall protection for all servers and the option for PCI compliant firewall rules to be applied to customers' environments.
  3. Providing VPN for customers to securely connect to and manage their environment remotely.
  4. Providing a VLAN (virtual LAN) for customers' environments with multiple servers so their database server is completely isolated from public access.
  5. Including or offering Anti-Virus scanning on VPS and/or Shared Hosting servers.
  6. Protecting physical access to network and servers. Data centers are managed & monitored 24x7 by security cameras and on-site staff.

Hostek.com

PCI compliance requires quarterly scans from a PCI compliance vendor. Hostek.com goes above and beyond this requirement by having regular scans from two different PCI compliance vendors. One vendor's scans are done quarterly. The other's scans are done nightly. This ensures that all potential PCI compliance issues are accurately identified and dealt with promptly.

Hostek.com PCI Compliance Report

Hostek.com PCI DSS Compliance report: Media:PCI-DSS-Compliance-hostek-com.pdf

Datacenter

The data center where the hostek.com equipment is housed maintains SOC 2 Certification (File:SOC2 CERT 2013.pdf). This replaced the SSAE16 Certification.

Full audit report part 1: File:SOC2-2013 CYBERCON Full Report PART-1.pdf

Full audit report part 2: File:SOC2-2013 CYBERCON Full Report PART-2.pdf

Previous Certifications

2011-12 - SSAE 16 Certification (audit report). This replaced the SAS 70 Type 2 Certification.

Common PCI Compliance Resolutions

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure

aka: BEAST (Browser Exploit Against SSL/TLS) Vulnerability

NOTE: If you are on a shared server or a managed VPS, please submit a support ticket [1] and attach/include your PCI scan report. The information below is for our non managed VPS customers.

  • Place the following text in a file named TLS.reg and execute the file. It will add registry values to enable TLS 1.1 and TLS 1.2 support:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
  • After completing the above step, go to Start -> Run -> (type gpedit.msc) -> (click OK)
  • Navigate to Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
  • Right-click on SSL Cipher Suite Order and choose Edit (Windows 2008 R2) or Properties (Windows 2008)
  • Select Enabled and replace the text in the textbox under SSL Cipher Suites (not to be confused with the Notes textbox) with the following long line of text (all on a single line, with no line breaks or spaces):

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5

  • Click OK
  • Reboot server
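As an added check that is not part of the original wiki page, the following read-only PowerShell script reports the Schannel protocol values that TLS.reg sets and lists any suites in the configured cipher suite order that use NULL, RC4 or MD5 (several appear at the end of the list above). It assumes the standard Schannel Protocols key and the policy key (value name "Functions") where the gpedit "SSL Cipher Suite Order" setting is stored.

```powershell
# Added example, not from the Hostek wiki: read-only audit of the Schannel
# settings the BEAST steps above change. Run in an elevated PowerShell on the
# Windows 2008 / 2008 R2 VPS. Assumed paths: the Schannel Protocols key that
# TLS.reg writes to, and the policy key where the gpedit "SSL Cipher Suite
# Order" setting stores its list (value name "Functions").
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ProtocolState {
    # One row per protocol/side with the two values TLS.reg sets.
    # A missing key means nothing was configured and the OS default applies.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $item = Get-ItemProperty -Path (Join-Path $schannel "$proto\$side") `
                                     -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Configured        = [bool]$item
                Enabled           = $item.Enabled            # 1 = on, 0 = off
                DisabledByDefault = $item.DisabledByDefault  # 0 = offered by default
            }
        }
    }
}

function Get-WeakSuites {
    # Flags entries in the configured cipher suite order that a PCI scan is
    # likely to report: NULL suites carry no encryption, RC4 and MD5 are
    # deprecated, and SSL_CK_* names are SSLv2-era suites.
    $order = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).Functions
    if (-not $order) { return @() }
    @($order -split ',' | Where-Object { $_ -match 'NULL|RC4|MD5|^SSL_CK_' })
}

Get-ProtocolState |
    Select-Object Protocol, Side, Configured, Enabled, DisabledByDefault |
    Format-Table -AutoSize

$weak = Get-WeakSuites
if ($weak.Count -gt 0) {
    Write-Warning "Weak entries in the configured SSL Cipher Suite Order:"
    $weak | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'No NULL/RC4/MD5/SSLv2 suites in the configured cipher suite order.'
}
```

Run it before and after the reboot to confirm the TLS 1.1/1.2 keys now exist and to see which entries in the suite list an external scan is likely to flag.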

Disable SSLv2 & Strong Ciphers Only & Strong Protocols Only

If you are on a shared server, please open a support ticket and attach the PCI scan report.

For VPSs: This generally applies to a Windows-based server. If you see one of these items on your PCI scan report, download this zip [2], extract the appropriate .reg file, put it on your VPS and double-click it to make the registry change that fixes the issue. Generally, if one of these shows on your report, we suggest running all three .reg files to take care of the issue fully at one time.

NOTE: You will need to reboot the server for these changes to take effect.

VPS-Windows 2008 Servers

This free tool can be used to determine whether vulnerable or weak protocols or ciphers are enabled, and provides the option to disable them.

https://www.nartac.com/Products/IISCrypto/Default.aspx

Changes using this tool require a server reboot to complete them.


Websites that allow testing for SSL protocols and ciphers:

https://www.ssllabs.com/ssltest/index.html

http://www.serversniff.net/sslcheck.php



Visa E-commerce Security Checklist Questionnaire

Physical Security

Q: Where is the server physically located?
A: St. Louis, MO, USA (in most cases)
Q: Who has access?
A: Authorized personnel only.
Q: Who authorizes access?
A: Data Center 
Q: What is the access control mechanism?
A: Multi-step: Security cards, manual ID inspection, manual access entry.
Q: Are there motion detectors, cameras, etc...?
A: Several 24x7 recorded cameras/video throughout.
Q: Where are the backups stored?
A: Generally offsite in Dallas, TX, USA

Network Security

Q: Are the appropriate contacts defined in DNS?
A: Yes
Q: On what VLAN is the host? Where does this VLAN exist?
A: Virtual VLAN via VMware
Q: Is there a network firewall in place?
A: Yes
Q: Is there a host-based firewall in place?
A: Yes
Q: What are the firewall rules for remote administrative access?
A: Internal only
Q: What kind of logging is in place?
A: Standard logging (generic question)
Q: Are the logs periodically reviewed and acted on?
A: Yes
Q: What services are available to the Internet?
A: Only needed services to allow the site to function.  All others blocked.
Q: What network access controls are in place for the database server?
A: Internal access only for admin access, requiring strong username/password authentication.

System Security

Q: What OS is running on the system?
A: Depends.  If you have cPanel, it's Linux.  If you have MochaPanel/WCP, it's Windows.
Q: What is the OS version? Is it nearing end of life?
A: Depends on the plan chosen.
Q: Is the OS patched? What is the process for applying security patches?
A: Yes.  The servers are routinely patched as releases are made.
Q: What is the server used for, other than this application?
A: Our shared web servers are only used as web servers.  
Q: What software is installed?
A: Depends on the OS type.
Q: What services are running?
A: Only those services needed by a web server.
Q: Is the clock synchronized via NTP?
A: Yes
Q: What are the login accounts on the system?
A: N/A
Q: What authentication methods does the system support?
A: Depends on the OS.
Q: Does the system authenticate against a domain/realm/external database?
A: No
Q: How does one get root/Administrator privilege?
A: You don't on a shared server.
Q: Are strong passwords used? Is usage enforced?
A: Yes
Q: Are there shared accounts?
A: Users are not shared.  The web server is a shared server.
Q: What is the state of the file system security? (world writable files, suid root)
A: Files have restricted access to the account owner.
Q: How are backups done?
A: Nightly.
Q: What kind of logging is in place?
A: Standard logging.
Q: Are the logs periodically reviewed and acted on?
A: Yes

Database Security

Q: Where does the database server run?
A: On a separate database server.
Q: With what privileges on the system does the database server run?
A: Depends on the type of database server.  The user account privileges are restricted to that specific database.
Q: What access controls are in place for the application's data?
A: (Customer needs to answer)
Q: What database privileges does the application have?
A: (Customer needs to answer)
Q: What information is stored in the database?
A: (Customer needs to answer)
Q: What database users/roles are defined, and what privileges do they have?
A: (Customer needs to answer)
Q: What is the data retention policy?
A: Backups are retained up to 14 days on shared database servers.
Q: How is the database backed-up?
A: Nightly
Q: What kind of logging is in place?
A: Standard logging
Q: Are the logs periodically reviewed and acted on?
A: Yes


Web Server Security

Q: Does the server force SSL/TLS to the application?
A: (Customer needs to answer)
Q: Is the SSL/TLS keypair adequately secured?
A: Yes
Q: Are weak ciphers disabled?
A: Yes
Q: Is SSLv2 disabled?
A: Yes
Q: Are unnecessary modules/plugins disabled?
A: Yes


Application Security

Customer needs to answer those questions as they are application specific.

Cloud Assessment Questions

Q: Is your organization insured by a 3rd party for losses?
A: Yes
Q: Do your organization's service level agreements provide tenant remuneration for losses they may incur due to outages or losses experienced within your infrastructure?
A: The Hostek.com SLA provides for a refund or credit limited to the dollar amount paid for the service during that monthly period.  The refund or credit amount is calculated based on amount paid for the monthly service / number of minutes in a month * number of down minutes.
Q: Do you collect capacity and utilization data for all relevant components of your cloud service offering?
A: Yes.  Daily.
Q: Do you provide tenants with capacity planning and utilization reports?
A: No.
Q: Do you have a documented procedure for responding to requests for tenant data from governments or third parties? 
A: Yes
Q: Do you process, transmit or store any credit card related information on behalf of Cisco?
A: In our St. Louis facility, we do not use Cisco.  In our Dallas facility, we do.
Q: Please provide any documentation on policies and procedures for controls you have in place to protect tenant's intellectual property and sensitive data from unauthorized access.
A: Utilization of IPS and IDS.  Customer has ability to lock down server access.  Internal access information is stored encrypted and only available via internal access.
Q: Please provide any documentation and policies you have regarding how you may access, mine, utilize tenant data and/or metadata.
A: We do not mine nor utilize tenant data.  Access to tenant data would occur if tenant asked for help in resolving a situation which may require such access.
Q: Please specify any inspection technologies used for collecting or creating metadata about tenant data usage (search engines, etc.?).
A: We do not inspect tenant data.
Q: What is the process for tenants to opt out of having their data/metadata accessed/mined via inspection technologies?
A: N/A as we do not inspect tenant data.
Q: Can you provide the physical location/geography of storage of a tenant’s data upon request?
A: Yes.
Q: Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
A: No.
Q: Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed?) 
A: No.
Q: What capability do you have to use system geographic location as an authentication factor?
A: N/A


Q: Does legal counsel review all third party agreements?
A: Yes.
Q: Do you select and monitor outsourced providers in compliance with laws in the country where the data originates and is processed, stored and transmitted?
A: N/A
Q: Have you established an Information Security Management Program (ISMP?)
A: Our ISMP is being developed.
Q: Do you provide tenants with a right to audit (tenant audit)?
A: No, for security/confidential purposes.
Q: What is the process for tenants to request deletion/removal of data as needed?
Q: Provide the standards used for secure deletion of archived data upon request by tenants.
Q: What is the process to sanitize all computing resource of tenant data once a customer has exited your environment.
Q: What is time period that you retain customer data after explicit user deletion/removal?
A: When a cloud tenant cancels, their virtual machine and backup data is deleted.  Data blocks are reused for new customers, which replace the old blocks.
Q: Do you manage separate production and non-production environments, and what controls do you have in place to ensure that production data is not copied to non-production environments?
A: No.  We have a redundant production environment, which is replicated nightly from the primary environment.
Q: Are backups and archives of data using unique encryption keys for each tenant?
A: Each tenant has their own uniquely retained archive.
Q: What is the duration for keeping backed up data? And can you provide information about your backup rotations and rotation of your backup media?
A: The backup duration depends on the plan selected.  By default this will range from 5-10 days.  The backups are full backups with a nightly differential, providing for a full 5-10 day restoration period.

Identity and Access Control

Physical Security and Disaster Recovery

Q: Do you require strong (multifactor) authentication options (card keys+PIN, biometric readers, etc.) for access to your physical facilities?
A: Yes.
Q: Are any of your datacenters located in places which have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
A: No.
Q: Do you use 24X7 camera monitoring in all the access points of your datacenter and key locations within the datacenter? 
A: Yes.
Q: Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
A: N/A