If you sell online, PCI compliance cannot be neglected. To protect clients' sensitive information such as credit card details, e-commerce sites must comply with PCI DSS, the Payment Card Industry Data Security Standard.
But most hosting companies can't do this for you. All that many hosting companies do is tell you which of their plans are PCI compliant and which are not, so you can rule out the non-compliant plans.
So you have to choose a somewhat larger company and a higher-tier plan. Some of the best PCI compliant web hosts are SiteGround, InMotionHosting, WP Engine, Host Papa, GreenGeeks, etc.
How did we choose the Best PCI Compliant Hosts?
We studied a thousand hosting plans that offer PCI compliance. From that list we then looked for the somewhat larger hosting companies, since they normally provide high-security e-commerce plans that help you protect your clients' sensitive information such as credit card details.
What you’ll learn
Before getting into this article about PCI compliance, you should have at least a basic idea of what PCI compliance is, how it is achieved, and who is responsible for achieving it.
This article will help you understand what PCI compliance is, which businesses are responsible for it, and how to find the best PCI compliant web host.
Industry Payment Security Standards
The Payment Card Industry Security Standards Council (PCI-SSC) created the Payment Card Industry Data Security Standard (PCI-DSS). It addresses the fraud that results from exposure of credit and debit card details for brands such as Visa, Mastercard, and American Express.
It gives online merchants a framework for securely processing, storing, and transmitting their clients' credit card details. Failing to meet this standard can cost you dearly: you may be fined, face a sudden increase in card processing fees, or have your credit card processing privileges suspended.
Who’s Responsible for PCI Compliance?
The responsibility for achieving and maintaining compliance is shared equally among merchants, web developers, and web hosting providers; each plays an equal part. In particular, merchants must secure their websites, and web hosting providers must deliver the industry-approved standards.
Who should use the PCI Compliance Questionnaire?
The self-assessment questionnaires are best suited to small businesses that lack the resources to hire external assessors to evaluate their compliance with PCI standards. Through these questionnaires, companies can find security problems and fix them before a breach occurs.
What are the requirements for achieving PCI Compliance?
To achieve PCI compliance as defined by the PCI Security Standards Council, you must complete 12 requirements. These 12 requirements are divided into six main categories (security goals).
The 12 Requirements of PCI DSS Compliance
- Protect your system with a firewall.
- Configure passwords and settings.
- Protect your stored cardholder data.
- Encrypt cardholder data when it is transmitted across open public networks.
- Use antivirus software and update it regularly.
- Regularly update and patch systems.
- Restrict access to cardholder data to what the business needs to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to your workplace and cardholder data.
- Implement logging and log management.
- Run vulnerability scans and penetration tests.
- Maintain documentation and risk assessments.
PCI DSS Requirement 1: Protect your system by a firewall
Firewalls help protect your card data environment, but only if they are properly configured. They control incoming and outgoing traffic using rules configured by your organization. There are two categories of firewall, hardware and software, and you may want to install both.
Hardware firewalls protect your network and the traffic entering and leaving at its perimeter, which is why they are also called perimeter firewalls. The downsides are that they are somewhat expensive, take time to configure properly, and must be maintained and reviewed regularly.
Software firewalls provide a second line of defense for your network against cyber attacks. They can detect illegitimate or malicious programs when they try to access the internet, using a frequently updated database. Software firewalls are much cheaper and easier to maintain than hardware firewalls.
PCI DSS Requirement 2: Configure passwords and settings
Out-of-the-box devices such as routers and POS systems usually ship with factory settings, including default usernames and passwords. You must not keep vendor-supplied defaults. Although defaults make installation much easier, they also mean that every unit of the same model has the same username and password. Default passwords are easy to guess, and most of them are available on the internet.
The problem is that third parties often install hardware and software protected only with a simple (non-secure) password, without making the merchant aware of it. Vendors also tend to use weak or default passwords to make servicing easier. This is not a good practice.
PCI DSS Requirement 3: Protect the stored data of your cardholders
Most merchants are not aware that their stored card data must be encrypted using industry-accepted algorithms rather than kept as an unencrypted primary account number (PAN). The encryption keys must be protected too, for which you can use a solid PCI DSS encryption key management process. To do this, you must create and document a current cardholder data (CHD) flow diagram for each of your organization's card data flows.
A CHD flow diagram is a graphical representation of how card data moves across an organization. When describing your environment, make sure you ask every organization and department that receives cardholder information, document their answers, and check whether those answers change the card data flows.
It is also good practice to run data discovery tools such as a PAN scan or PII scan regularly. These tools find where unencrypted PAN and other sensitive information is located, so you can delete it or encrypt it securely.
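A minimal PAN discovery scan of the kind described above, written as an added example for this article rather than code from any PCI tool: it finds 13 to 19 digit runs that pass the Luhn check in text such as application logs, then reports them masked to the first six and last four digits. The sample log lines are constructed for the example and use well-known test card numbers, not real data.

```python
import re

# Luhn checksum: every real card PAN passes it, so it weeds out most digit
# runs (order numbers, timestamps) that merely look like card numbers.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# A PAN is 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN candidates found in text (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_lines(lines) -> list:
    """Report (line number, masked PAN) for every cleartext PAN found."""
    return [(n, mask_pan(pan))
            for n, line in enumerate(lines, 1)
            for pan in find_pans(line)]

# Constructed sample log lines (not real data) to show the scanner at work.
SAMPLE_APP_LOG = [
    "2024-01-17 10:02:11 order=1234567890123456 status=paid",
    "2024-01-17 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/26",
    "2024-01-17 10:03:40 token=tok_8f2a9 amount=19.99",
    "2024-01-17 10:04:02 DEBUG amex=378282246310005 cvv=***",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_APP_LOG):
        print(f"line {lineno}: cleartext PAN {masked}")
```

The order number on the first line is the same length as a card number but fails the Luhn check, so only the two debug lines are reported; those are the lines whose logging should be fixed and whose stored copies need to be deleted or encrypted.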
PCI DSS Requirement 4: Encrypt cardholder data when it is transmitted across open public networks
Be aware of every place you send cardholder data. Common destinations for primary account numbers include processors, backup servers, third parties that store PAN, outsourced management of systems or infrastructure, and corporate officers. Make sure you use encryption and stronger security policies whenever this cardholder data is sent over open public networks.
PCI DSS Requirement 5: Use and regularly update antivirus software
Installing anti-virus software is the answer to malware threats. Update it regularly so that it performs well and keeps your system free of malware infections. Also make sure that you or your POS vendor regularly run antivirus scans of your software.
It also helps to stay informed about current and emerging malware threats through outside sources such as a vendor or anti-virus threat feeds. You can then configure your systems to alert and report on suspicious activity, such as a new file appearing in a known malware directory or an unauthorized access attempt.
PCI DSS Requirement 6: Regularly update and patch systems
Manufacturers often release updates that patch security holes and improve their applications. When a hacker gets in through a security hole, they pass that information on to other hackers, so leaving a patch unapplied for long can be a disaster. Applying security updates as fast as you can is important to your security posture. You must patch every critical component in the card flow path, including internet browsers, firewalls, application software, databases, POS terminals, and operating systems.
So keep the software associated with your system continuously updated, not forgetting critical installations such as credit card payment applications and mobile devices. To receive updates promptly, ask your software vendor for access to their patch or upgrade notification list.
PCI DSS Requirement 7: Restrict access to cardholder data to what the business needs to know
To do this, you need a role-based access control (RBAC) system that grants access to card data and systems on a need-to-know basis. To ensure sensitive data is not exposed to people who do not need it, you must configure administrator and user accounts accordingly.
PCI DSS 3.2 requires a defined, up-to-date list of employees (roles) with access to the card data environment. The list must include a definition of each role, its access to data resources, its current privilege level, and the privilege level it needs to perform its usual business responsibilities. Make sure every authorized user fits into one of the roles you define.
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
All user IDs and passwords must be reasonably complex and unique to each person. Do not use group or shared passwords. But you cannot rely on the complexity of a single password alone.
PCI DSS Requirement 9: Restrict physical access to your workplace and cardholder data
Do not store sensitive information such as credit card details in open places where criminals can easily get hold of it. Limit physical access as much as possible to areas holding cardholder data and to the related documents, such as records of who has access to a secure environment and why, descriptions of the devices in use, and lists of authorized device users.
To keep all devices under regular inspection, implement automated lockout or timeout controls on your workstations. In particular, remind your staff often about physical security, rules and regulations, and social engineering.
PCI DSS Requirement 10: Implement logging and log management
System event logs record the actions taken on computer systems such as firewalls, office equipment, computers, and printers. To meet this requirement, review the logs every day to track errors, anomalies, and any suspicious activity that falls outside the norm, and prepare sets of actions for resolving those errors and anomalies.
A log monitoring system such as a Security Information and Event Monitoring (SIEM) tool can support this. These tools help you oversee network activity, inspect system events, alert on suspicious activity, and store the user actions that take place inside your system.
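The daily log review above, combined with the need-to-know check from Requirement 7, as an added example that is not from the article or any SIEM product. It parses constructed login and database access lines in an assumed "timestamp key=value ..." layout and raises two kinds of alert: a burst of failed logins from one source, and a read of the cardholder table by an account outside the roles allowed to see it. The threshold, window, role set and field names are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Review thresholds and the roles allowed to read cardholder data. Both are
# assumptions for this example; set them from your own role list and policy.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=1)
CARDDATA_ROLES = {"payment-svc", "dba01"}

def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review(lines) -> list:
    """Return the alerts a daily log review should raise for these lines."""
    alerts = []
    fails = defaultdict(list)   # (src, user) -> timestamps of recent failures
    for rec in map(parse_line, lines):
        # Repeated failed logins from one source within the window.
        if rec["event"] == "login" and rec["result"] == "fail":
            key = (rec["src"], rec["user"])
            recent = [t for t in fails[key] if rec["ts"] - t <= FAIL_WINDOW]
            recent.append(rec["ts"])
            fails[key] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(f"brute-force: {FAIL_THRESHOLD} failed logins for {rec['user']} from {rec['src']}")
        # Cardholder data read by an account outside the need-to-know roles.
        if rec.get("table") == "cardholders" and rec["user"] not in CARDDATA_ROLES:
            alerts.append(f"need-to-know violation: {rec['user']} read cardholders from {rec['src']}")
    return alerts

# Constructed sample log lines (not real data); the field layout is assumed.
SAMPLE_AUTH_LOG = [
    "2024-01-17T09:58:01 host=pos-gw1 user=clerk02 src=10.1.4.22 event=login result=ok",
    "2024-01-17T10:00:03 host=pos-gw1 user=admin src=203.0.113.9 event=login result=fail",
    "2024-01-17T10:00:05 host=pos-gw1 user=admin src=203.0.113.9 event=login result=fail",
    "2024-01-17T10:00:08 host=pos-gw1 user=admin src=203.0.113.9 event=login result=fail",
    "2024-01-17T10:00:12 host=pos-gw1 user=admin src=203.0.113.9 event=login result=fail",
    "2024-01-17T10:00:15 host=pos-gw1 user=admin src=203.0.113.9 event=login result=fail",
    "2024-01-17T10:01:15 host=carddb user=payment-svc src=10.1.4.50 event=read table=cardholders result=ok",
    "2024-01-17T10:02:30 host=carddb user=clerk02 src=10.1.4.22 event=read table=cardholders result=ok",
]

if __name__ == "__main__":
    for alert in review(SAMPLE_AUTH_LOG):
        print(alert)
```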
PCI DSS Requirement 11: Vulnerability scans and penetration tests
Weaknesses in web servers, web browsers, email clients, POS software, operating systems, and server interfaces leave your data in danger. Of course, by fulfilling the other requirements you resolve most of these faults, so that attackers cannot take advantage of them. But to be sure, you need to locate and test them, which means running vulnerability scans and penetration tests every day.
A vulnerability scan tracks and reports on current vulnerabilities; it is an exhaustive live examination built for this purpose. A penetration test behaves much like a hacker: it probes the whole network environment, looks for current vulnerabilities, and tries to exploit them.
PCI DSS Requirement 12: Documentation and risk assessment
If you have been through a PCI audit, you will have seen how prominent your documented security policies and procedures are. In an assessment, QSAs verify that each specific requirement is described in the company's policies and procedures. They then run a predefined testing process to make sure those controls are implemented according to the PCI Data Security Standard and the company's written policies.
Your documentation should also include employee manuals, policies and procedures, third-party vendor agreements, and incident response plans. In addition, you must hold a formal annual risk assessment to identify critical assets, threats, and vulnerabilities, so that you can manage your information better.
Achieving PCI compliance may take some time, and it may look like an enormous list of demands, but it gives you great support in protecting your business from threats such as cyber attacks.
Who is responsible for maintaining Compliance?
Web hosting providers fulfill part of the requirements; merchants and their web developers and designers fulfill the rest.
In the end, though, merchants are responsible for making sure that all of their web hosting providers, website developers, and third-party software vendors are PCI compliant.
How much does PCI Compliance Cost?
Most businesses worry about how to budget for PCI compliance, and often they budget very little. As a result, the IT department and third parties struggle to upgrade equipment to the latest security standards in order to keep business data protected.
Part of the answer depends on the number of transactions you process per year. Based on that, your business falls into one of the following categories:
- Businesses that need third-party validation of their PCI compliance.
- Businesses that can self-validate their PCI compliance.
Your organization's setup also determines the cost of PCI compliance. The variables that affect it are:
- The type of your business
- The size of your organization
- Your organization's security culture
- Your organization's environment
- Your organization's dedicated PCI staff
- Your acquirer pre-payments
For a small business, PCI DSS compliance costs start at $300 per year (depending on your organization's environment):
- A self-assessment questionnaire costs $50 to $200.
- Vulnerability scanning costs around $100 to $200 per IP address.
- Training and policy development costs $70 per employee.
- Remediation (software and hardware updates) varies with the amount of work needed to reach compliance and security, ranging widely from $100 to $10,000.
For a somewhat larger business that needs a PCI DSS assessment, the total may be $70,000+ (depending on your organization's environment):
- The onsite audit costs about $40,000.
- Vulnerability scans cost around $1,000.
- Penetration testing costs around $5,000.
- Remediation varies with the amount of work needed to reach compliance and security, at around $10,000 to $500,000.
How much does a PCI audit Cost?
The factors that affect the cost of an on-site PCI assessment are the same as those that affect the cost of PCI compliance; organization size and card processing method have the most influence. A good-quality security assessment from a PCI-certified QSA normally costs around $15,000.