PCI Compliant Web Hosting
If you have an online store and take credit cards, you and your web host are required to meet the PCI-DSS standards. Many hosts do, such as Penguin Web Hosting, a PCI Compliant Web Hosting provider. The standards can get very confusing, as they contain a lot of gray area. Here is some basic information you should know.
First, you and your PCI compliant hosting provider need to be familiar with the 12 areas (requirements) of the Payment Card Industry Data Security Standard (PCI-DSS). The official site is the PCI Security Standards Council, which carries up-to-date PCI information; the actual standards are published there as the PCI Standards PDF. Requirements vary depending on how much business you do, how many credit card transactions you process, and what kind of cardholder data you store on the server.
Second, make sure your web host is familiar with PCI compliance. Many hosts, such as CHIhost, publish what you will need before you sign up. A general rule of thumb is that you will need at least 2 servers if you will be storing credit card numbers. This is typically set up with 1 server on the Internet using a public IP address and a second NIC port that connects to a firewall; behind the firewall sits the database server. This method puts your database server on a private network, with an IP address that cannot be reached directly from the Internet.
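The following iptables script is an added example of the two-server layout described above, not configuration from any host mentioned on this page. It assumes the web server's public NIC is eth0 (80 and 443 open), its second NIC eth1 faces the firewall and database segment, the database server is 10.0.0.20 listening on 3306 (MySQL is assumed), and administration comes from the 10.0.0.0/24 management network; all of these are placeholders. With DRY_RUN=1 (the default) it prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example: iptables rules for a web server with a public NIC and a
# second NIC towards the firewalled database segment.
# Interface names, addresses and the database port are assumptions.
PUB_IF="${PUB_IF:-eth0}"             # NIC with the public IP address
PRIV_IF="${PRIV_IF:-eth1}"           # second NIC, cabled towards the firewall
DB_HOST="${DB_HOST:-10.0.0.20}"      # database server on the private network
DB_PORT="${DB_PORT:-3306}"           # assumed MySQL
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"  # where SSH administration comes from
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = load them

# Wrapper so the whole ruleset can be reviewed before it is loaded
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    fw -F
    # Default deny in every direction; everything below is an explicit exception
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT DROP
    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public NIC: the Internet may reach the web ports and nothing else
    fw -A INPUT -i "$PUB_IF" -p tcp --dport 80 -j ACCEPT
    fw -A INPUT -i "$PUB_IF" -p tcp --dport 443 -j ACCEPT

    # Private NIC: SSH administration from the management network only
    fw -A INPUT -i "$PRIV_IF" -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT

    # Outbound: database connections over the private NIC only, plus DNS and
    # HTTP/HTTPS on the public NIC so the host can fetch security updates
    fw -A OUTPUT -o "$PRIV_IF" -d "$DB_HOST" -p tcp --dport "$DB_PORT" -j ACCEPT
    fw -A OUTPUT -o "$PUB_IF" -p udp --dport 53 -j ACCEPT
    fw -A OUTPUT -o "$PUB_IF" -p tcp --dport 80 -j ACCEPT
    fw -A OUTPUT -o "$PUB_IF" -p tcp --dport 443 -j ACCEPT

    # Everything else is logged (input for the daily log review) and dropped
    fw -A INPUT -j LOG --log-prefix "FW-DROP: " --log-level 4
    fw -A INPUT -j DROP
}

apply_rules
```

Because the database port is never accepted on the public NIC and the OUTPUT policy is DROP, the only path to the database is from this host, over the private NIC, to the one address and port listed. Run with DRY_RUN=0 as root to load the rules, then persist them with your distribution's iptables-save mechanism.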
Third, you will want your host to harden the server for you, and it's good to pick a host that does the security updates for you. Advanced Network Hosts, a Secure Web Hosting provider in Chicago, Illinois, offers a firewall and security updates as part of the included package with every dedicated server. Not many web hosts offer this, so be sure to check before signing up. When looking for PCI Compliant web hosting, you also want to look for one with a good history; when a site gets hacked, the site owner will often post their story online. A lot of times this is the site owner's fault, but it could also mean that the web host isn't secure, or is not doing enough to educate and help the website owner with security. If you see numerous stories and articles about sites getting hacked at a particular host, you may want to avoid that host for an ecommerce site.
"There is a big price war now with a lot of hosting companies and it seems a number of them are focusing too much on marketing and not enough on security", said Nick of CHIhost.com. At CHIhost.com they set the standard for security by, among other things, offering a 17 point hardening and security package, which includes a number of things to help meet the PCI DSS requirements, such as a rootkit scanner, port scan detector, file integrity scanner, and brute force detector. You will want to make sure your Payment Card Industry web hosting provider does the above, or something similar, to meet or exceed the Data Security Standards.
This information will get you started on your quest for a secure ecommerce website and a PCI Compliant Web Hosting service.
5 Free PCI Compliance Tools
Here are 5 security tools that you should definitely be using in your web hosting environment, whether you have PCI compliant dedicated servers or are meeting PCI compliance using VPS solutions. If you are not sure how to install these, or need help setting them up, your web hosting provider typically provides assistance.
#1 R-FX Networks Trio
Three tools from R-FX Networks that are commonly used to secure your server, and to help you be PCI Compliant, are:
- APF Firewall - APF is the Advanced Policy Firewall, a configuration utility for the Linux iptables firewall. The nice thing about APF is that you can set up ACLs for each port, and ban an IP or a block of IPs with 1 command.
- BFD Brute Force Detector - BFD detects and blocks brute force attacks, an essential part of security.
- LSM Linux Socket Monitor - LSM sends you an email notification if a new port is opened on your server.
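To show what a brute force detector like BFD actually does, here is an added example (not R-FX Networks code) that counts failed sshd logins per source address and emits the APF deny command for each source at or above a threshold. The auth.log lines are constructed sample data, the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example: a threshold-based brute force detector in the spirit of BFD
# (not R-FX Networks code). Reads sshd log lines on stdin, counts failed
# logins per source address and prints an APF deny command per offender.
THRESHOLD="${THRESHOLD:-5}"   # failed attempts before a source is banned (assumed)

# Constructed sample auth.log lines: one noisy source, one user who mistyped once
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:07 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:05:31 web1 sshd[2230]: Failed password for deploy from 198.51.100.9 port 40112 ssh2
Mar  3 10:05:40 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.9 port 40112 ssh2'

# Print "count ip" for every source at or above the threshold, busiest first.
# The "from" token is located by position so both "for root from X" and
# "for invalid user X from Y" forms are handled.
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -rn
}

# Turn the offender list into APF deny commands ("apf -d HOST COMMENT");
# review the output, then pipe it into sh to apply the bans
ban_commands() {
    offenders | while read -r count ip; do
        echo "apf -d $ip \"bfd: $count failed ssh logins\""
    done
}

printf '%s\n' "$SAMPLE_LOG" | ban_commands
```

On a real host you would feed `/var/log/auth.log` (or `/var/log/secure`) into `ban_commands` from cron and keep the emitted commands with your change log, so that every ban is traceable to the log lines that caused it.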
#2 AIDE
AIDE stands for Advanced Intrusion Detection Environment, and it is a file integrity scanner. PCI rules require that you use intrusion detection systems and file integrity scanners.
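The mechanism behind a file integrity scanner is a hash baseline taken on a clean system and compared against the live files later. The functions below are an added example of that mechanism, not AIDE's own code: `fim_init` records a SHA-256 per file and `fim_check` reports files that changed, vanished, or appeared since. The directory and baseline paths in the usage comment are assumptions, and the example handles only paths without whitespace.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline and check, illustrating
# what AIDE does (this is not AIDE's code). Usage (paths are assumptions):
#   fim_init  /var/www/html /var/lib/fim/www.baseline   # once, on a clean system
#   fim_check /var/www/html /var/lib/fim/www.baseline   # from cron, daily
# Keep the baseline somewhere a web-server compromise cannot overwrite it
# (read-only media or the remote log host). Paths with whitespace are not handled.

# Hash every regular file under the directory as "hash  ./relative/path"
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

fim_init() {
    snapshot "$1" > "$2"
}

# Look up the recorded hash for one path in a snapshot file (empty if absent)
hash_of() {
    awk -v p="$1" '$2 == p { print $1 }' "$2"
}

# Report CHANGED / REMOVED / ADDED files; returns 1 if anything differs
fim_check() {
    dir=$1
    base=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    status=0
    # Every file in the baseline must still exist with the same hash
    while read -r hash path; do
        now=$(hash_of "$path" "$cur")
        if [ -z "$now" ]; then
            echo "REMOVED $path"; status=1
        elif [ "$now" != "$hash" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$base"
    # Every live file must be known to the baseline (a dropped web shell is not)
    while read -r hash path; do
        if [ -z "$(hash_of "$path" "$base")" ]; then
            echo "ADDED $path"; status=1
        fi
    done < "$cur"
    rm -f "$cur"
    return "$status"
}
```

The non-zero return from `fim_check` is what a cron job or monitoring agent keys off; AIDE adds to this the permission, owner and timestamp attributes and a signed database, which is why it is preferred in production over a hand-rolled script.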
#3 Snort
Snort is the de facto standard in intrusion detection and intrusion prevention. Among the things it will detect are port scans, detection of which is a requirement of the PCI Standards.
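Snort's port-scan preprocessor works on packets; the same heuristic, one source touching many distinct destination ports in a short window, can be applied to the kernel's firewall log lines as a cross-check. The script below is an added example of that heuristic (not Snort code) run over constructed log lines in the format iptables' LOG target writes, with a threshold of 5 distinct ports as an assumption.

```shell
#!/bin/sh
# Added example: the "many distinct ports from one source" heuristic behind
# port-scan detection, applied to iptables LOG lines (not Snort code).
# Sample lines are constructed; the threshold is an assumption.
PORT_THRESHOLD="${PORT_THRESHOLD:-5}"

SAMPLE_LOG='Mar  3 10:02:11 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 10:02:11 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 10:02:11 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 10:02:12 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  3 10:02:12 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Mar  3 10:02:12 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143 SYN
Mar  3 10:02:13 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=445 SYN
Mar  3 10:02:13 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=3306 SYN
Mar  3 10:02:14 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=22 SYN
Mar  3 10:07:02 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  3 10:07:05 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8080 SYN'

# Print "distinct_ports src" for every source at or above the threshold.
# Repeated hits on the same port count once; a retried connection to one
# closed port is noise, a sweep across many ports is a scan.
scanners() {
    awk -v thr="$PORT_THRESHOLD" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print ports[s], s }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | scanners
```

Run over a day's kernel log this gives a quick list of sources to compare against Snort's own portscan alerts; a source that appears in both is a strong candidate for an APF deny entry.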
#4 rsyslog / LogAnalyzer
Rsyslog is an advanced version of syslogd; its main benefit is that it lets you log securely over the network to a remote log server. LogAnalyzer, formerly known as phpLogCon, is a graphical interface for reading the rsyslog reports. The PCI DSS standards allow, and recommend, tools such as LogAnalyzer to make reading the logs easier, as part of the PCI requirement to review logs daily.
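The secure network logging this paragraph refers to is configured on the sending host. The script below is an added example (not rsyslog project code) that writes a client-side forwarding snippet using rsyslog's legacy directive syntax: TLS over TCP with the server authenticated by certificate name, and a disk-assisted queue so that nothing is lost while the log server is unreachable. The server name logs.example.com, port 6514, the CA file path and the snippet file name are all assumptions.

```shell
#!/bin/sh
# Added example: generate the client-side rsyslog snippet that forwards every
# message to a central log server over TLS-protected TCP, spooling to disk
# while the server is unreachable. Server name, port, paths and the snippet
# file name are assumptions (6514 is the registered port for syslog over TLS).
LOG_SERVER="${LOG_SERVER:-logs.example.com}"
LOG_PORT="${LOG_PORT:-6514}"
CA_FILE="${CA_FILE:-/etc/rsyslog.d/ca.pem}"
CONF_FILE="${CONF_FILE:-/etc/rsyslog.d/50-forward.conf}"

forward_conf() {
    cat <<EOF
# TLS transport; the client verifies the server certificate against the CA
# and only accepts the named peer, so logs cannot be diverted to an impostor
\$DefaultNetstreamDriverCAFile $CA_FILE
\$DefaultNetstreamDriver gnutls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $LOG_SERVER
# Disk-assisted queue: keep events locally and retry forever if the link is down
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_central
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
# Forward everything; @@ = TCP (a single @ would be UDP, which silently drops)
*.* @@$LOG_SERVER:$LOG_PORT
EOF
}

# Write the snippet and let rsyslogd check the whole configuration (-N1)
# before the service is restarted; the check is skipped if rsyslogd is absent
install_conf() {
    forward_conf > "$CONF_FILE" || return 1
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 || return 1
    fi
    echo "wrote $CONF_FILE"
}

forward_conf
```

The queue directives are the part most often left out: without them a log server outage means the events from exactly the period you will later want to review are gone. The remote copy is also what makes the daily review trustworthy, since an intruder who gains root on the web server cannot edit logs that already left the box.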
#5 RKHunter
RKHunter is a rootkit hunter. If your system has been compromised and the hacker installed a rootkit, RKHunter will detect it and alert you. PCI doesn't specifically require this, but as part of an overall security mindset you should look into tools like RKHunter to help you not only meet, but exceed, the PCI requirements.