Visa E-commerce Security Checklist Questionnaire
From Hostek.com Wiki
Revision as of 15:47, 5 April 2014 by Briana
Visa E-commerce Security Checklist Questionnaire
Physical Security
Q: Where is the server physically located? A: St. Louis, MO, USA (in most cases)
Q: Who has access? A: Authorized personnel only.
Q: Who authorizes access? A: Data Center
Q: What is the access control mechanism? A: Multi-step: Security cards, manual ID inspection, manual access entry.
Q: Are there motion detectors, cameras, etc.? A: Several 24x7 recorded cameras/video throughout.
Q: Where are the backups stored? A: Generally offsite in Dallas, TX, USA
Network Security
Q: Are the appropriate contacts defined in DNS? A: Yes
Q: On what VLAN is the host? Where does this VLAN exist? A: Virtual VLAN via VMware
Q: Is there a network firewall in place? A: Yes
Q: Is there a host-based firewall in place? A: Yes
Q: What are the firewall rules for remote administrative access? A: Internal only
Q: What kind of logging is in place? A: Standard logging (generic question)
Q: Are the logs periodically reviewed and acted on? A: Yes
Q: What services are available to the Internet? A: Only needed services to allow the site to function. All others blocked.
Q: What network access controls are in place for the database server? A: Internal access only for admin access, requiring strong username/password authentication.
System Security
Q: What OS is running on the system? A: Depends. If you have cPanel, it's Linux. If you have MochaPanel/WCP, it's Windows.
Q: What is the OS version? Is it nearing end of life? A: Depends on the plan chosen.
Q: Is the OS patched? What is the process for applying security patches? A: Yes. The servers are routinely patched as releases are made.
Q: What is the server used for, other than this application? A: Our shared web servers are only used as web servers.
Q: What software is installed? A: Depends on the OS type.
Q: What services are running? A: Only those services needed by a web server.
Q: Is the clock synchronized via NTP? A: Yes
Q: What are the login accounts on the system? A: N/A
Q: What authentication methods does the system support? A: Depends on the OS.
Q: Does the system authenticate against a domain/realm/external database? A: No
Q: How does one get root/Administrator privilege? A: You don't on a shared server.
Q: Are strong passwords used? Is usage enforced? A: Yes
Q: Are there shared accounts? A: Users are not shared. The web server is a shared server.
Q: What is the state of the file system security? (world writable files, suid root) A: Files have restricted access to the account owner.
Q: How are backups done? A: Nightly.
Q: What kind of logging is in place? A: Standard logging.
Q: Are the logs periodically reviewed and acted on? A: Yes
Database Security
Q: Where does the database server run? A: On a separate database server.
Q: With what privileges on the system does the database server run? A: Depends on the type of database server. The user account privileges are restricted to that specific database.
Q: What access controls are in place for the application's data? A: (Customer needs to answer)
Q: What database privileges does the application have? A: (Customer needs to answer)
Q: What information is stored in the database? A: (Customer needs to answer)
Q: What database users/roles are defined, and what privileges do they have? A: (Customer needs to answer)
Q: What is the data retention policy? A: Backups are retained up to 14 days on shared database servers.
Q: How is the database backed up? A: Nightly
Q: What kind of logging is in place? A: Standard logging
Q: Are the logs periodically reviewed and acted on? A: Yes
Web Server Security
Q: Does the server force SSL/TLS to the application? A: (Customer needs to answer)
Q: Is the SSL/TLS keypair adequately secured? A: Yes
Q: Are weak ciphers disabled? A: Yes
Q: Is SSLv2 disabled? A: Yes
Q: Are unnecessary modules/plugins disabled? A: Yes
Application Security
The customer needs to answer these questions, as they are application-specific.