An Overview of PCI Compliance

PCI DSS Requirements

As a host, we are required to adhere to all 12 requirements to maintain our PCI DSS-compliant status. However, merchants share many of these responsibilities. A brief explanation of each primary requirement is listed below.

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder details.

Firewalls stand between our secure networks and the open Internet. They examine all incoming traffic from the untrusted internet and determine which traffic is allowed into our secure trusted networks, blocking any connections that we do not explicitly allow.

The PCI DSS requires that all paths into compliant networks are firewalled to prevent unauthorized access, including eCommerce connections from the Internet, employee Internet access, email connections, business-to-business connections, and all other sources.

We maintain and monitor stateful firewalls for all Nexcess Cloud accounts and eCommerce clients running on Magento and WooCommerce SIP plans. We also provide a web application firewall for protecting against common application layer attacks.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

One of the easiest ways for attackers to infiltrate a trusted network is to exploit unchanged default passwords and other security settings on software and hardware. Vendors set default passwords so that their customers can easily configure hardware and software, but the defaults are publicly available. Changing the default security parameters on all devices connected to trusted networks is therefore essential.

We do not permit default credentials on any of our infrastructure. Our password policy also mandates that all passwords are unique, strong, and changed at regular intervals.

Merchants are responsible for changing all vendor-supplied default passwords to secure and unique passwords.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

The previous two requirements are intended to secure our trusted networks; this requirement details what we must do to protect credit card data within our network. It includes the implementation of a formal data retention policy, the use of strong encryption, clearly defined processes for securely deleting data, and restrictions regarding data storage, such as those preventing merchants from storing the card verification code.

Both merchants and hosts are responsible for meeting this requirement.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

It is trivially easy for someone to intercept data transmitted over insecure networks; all sensitive data should be encrypted using strong cryptographic protocols like TLS 1.1+. Unencrypted cardholder data should never be transmitted over an insecure network, including web browsers, email, and wireless networks.

Merchants, as well as hosts, are responsible for meeting this requirement.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Even a trusted network with firewalls and encrypted data can be vulnerable to unknown flaws in software, also known as zero day exploits. To defend against potential exploits, all systems handling credit card data and considered at-risk from malware infection must use effective anti-malware scans and update them regularly. Systems not considered at-risk must be regularly evaluated to determine their current risk status. These include any systems that merchants may use to connect to their eCommerce installation.

Requirement 6: Develop and maintain secure systems and applications.

All software within our networks must be regularly updated and security patches must be immediately installed upon release. All custom code should be reviewed for potential security exploits. Processes and change control procedures should be in place to prevent the introduction of new vulnerabilities into our trusted network.

We maintain the security of the underlying operating system along with core services such as SSH and MySQL. However, merchants are responsible for maintaining the security of their eCommerce software installations, and for promptly applying all security patches.

Implement Strong Access-Control Measures

Requirement 7: Restrict access to cardholder data according to need.

It’s not enough to ensure that people outside of our trusted networks can’t access credit card data; we also must restrict access to only the employees, contractors, and vendors who need it. Everyone that interacts with our networks should have no more access to the data than they need to do their work.

Merchants, as well as hosts, are responsible for meeting this requirement for their own application and server access.

Requirement 8: Identify and authenticate access to system components.

Access to our systems must be clearly identified and tracked so we may hold individuals accountable for their actions. This requirement includes defining and implementing identity management procedures, limiting failed access attempts, requiring two-factor authentication for remote network access, and clear access-revocation procedures for people who no longer need to access our networks.

Merchants are also responsible for using the same methods to identify and authenticate access to any of their eCommerce applications, including Magento and WooCommerce.

Requirement 9: Restrict physical access to cardholder data.

Securing the network connections to our PCI DSS-compliant hosting platform is ineffective if the physical servers are easily accessible. These requirements detail how we control physical access to our hardware and data centers. Methods include the following: surveillance, entry control, restricted access to network access points, visitor logging, proper identification procedures, staff training on identification procedures, and restricting staff access to sensitive areas according to need.

We maintain state-of-the-art facilities that include biometric access systems for all entry points leading to the physical servers.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

In order to protect sensitive data, we must log, track, and audit all access to cardholder data, as well as alert the appropriate staff when necessary. This safeguards the data and helps identifies vulnerabilities as they develop, rather than after.

We maintain logging and monitoring histories for the underlying infrastructure hosting Magento, WooCommerce, or other eCommerce software, but merchants are responsible for maintaining and monitoring logs for the application itself.

Requirement 11: Regularly test security systems and processes.

Strong security needs constant adaptation and refinement. New threats and vulnerabilities always arise, and so we routinely and systematically test our security procedures and networks. This requirement includes the following methods: conducting internal network vulnerability scans, performing external vulnerability scans by a PCI-authorized and approved vendor, internal and external penetration testing, and intrusion detection and prevention.

We supplement our quarterly internal vulnerability scan of our infrastructure with an external third party scan and penetration test. These scans focus on the operating system and system services, but merchants are responsible for scanning their own applications like Magento, WooCommerce, and other eCommerce platforms.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel.

At the heart of any secure system is the staff that implements it. A comprehensive security policy that fulfills all PCI DSS requirements is essential, as is properly training our staff to follow this policy.

This requirement includes the following: establishing, publishing, and disseminating a security policy with regular reviews, implementing a risk assessment process, and provisioning of appropriate training for staff.

We maintain an internal Information Security policy for our own staff to follow. However, merchants are responsible for maintaining their own policies for the portions of PCI DSS that are their responsibility.