* This post was originally posted on November 28, 2014, and has been updated for accuracy.
Purchases happen with the click of a button, a swipe of a finger, or, increasingly, with no human interaction at all. Whether it's our monthly subscription to Netflix, the plane tickets that just went on flash sale, or the book we ordered with Prime shipping, our demand for immediacy and automation has scattered our credit card information all over the web. That is a scary thought, which is why the Payment Card Industry Security Standards Council has developed a set of data security standards that merchants storing credit card information on their servers must abide by. Luckily for hosting providers running cPanel servers, we've already equipped you with the tools to better ensure that your information is secure, your customers' information is protected, and your customers' customers can transact securely on the web.
What is PCI Compliance?
Established by the major credit card providers Visa, MasterCard, Discover, and JCB International, the Payment Card Industry Security Standards Council was launched as an independent body in 2006 to focus on, and advise about, the rapidly evolving payment transaction process. The result was an evolving set of criteria, organized around twelve major requirements, called the Payment Card Industry Data Security Standards (PCI DSS).
The Big 12
- Install and maintain a firewall configuration that protects cardholder data
- Do not use vendor-supplied defaults for system passwords or any other security parameter
  - Many switches, routers (including wireless ones), and applications ship with a default admin account that uses a default password. Remove these accounts if possible, or at least change the password to something very complex.
- Protect stored cardholder data
  - Disable direct root logins. A simple configuration file sitting in a publicly accessible directory can still cause issues, even if the permissions on the directory forbid direct access. Storing the data in a database is an added level of security, especially if it is encrypted and hashed.
- Encrypt transmission of cardholder data across open, public networks
  - Keep the cardholder data sent across networks to a minimum, and encrypt it with the highest possible strength.
- Use and regularly update antivirus software
  - The antivirus database needs to be up to date so that any threats created or surfaced since the last update can be caught.
- Develop and maintain secure systems and applications
- Restrict access to cardholder data
  - Machines holding card information should be reachable on the private network only, and two-factor authentication or a higher security level should be required for access.
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
  - Audit access logs frequently.
- Regularly test security systems and processes
- Maintain a policy that addresses information security
  - Create a system of internal policies to ensure the proper, regimented handling of secured information.
While cPanel isn't PCI compliant right out of the box, enabling a strong SSL cipher suite along with a few other features, and keeping your software up to date, should have you ready to accept and administer transactions on your cPanel server.
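As an added example (not from the original post and not cPanel's own tooling), here is a small POSIX shell audit that checks two of the controls above against configuration files: direct root login disabled in sshd_config, and legacy SSL/TLS protocol versions disabled in the Apache SSL configuration. The function names, file paths and sample file contents are constructed for the demonstration; on a real server you would point the functions at /etc/ssh/sshd_config and your Apache SSL configuration.

```shell
#!/bin/sh
# Hypothetical audit helpers (not part of cPanel or the original post).
# Each function returns 0 (pass) or 1 (fail) so it can drive a report.

# Pass when the effective PermitRootLogin directive is "no".
# sshd honours the first matching directive, so take the first uncommented
# occurrence; when the directive is absent, treat it as "yes" (older default).
check_root_login() {
    value=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
            | head -n 1 | awk '{print tolower($2)}')
    [ "${value:-yes}" = "no" ]
}

# True when the regex $1 matches one whole whitespace-delimited token of $2.
has_token() { printf ' %s \n' "$2" | grep -qiE "[[:space:]]$1[[:space:]]"; }

# Pass when no legacy protocol (SSLv2, SSLv3, TLSv1, TLSv1.1) is enabled.
# Handles both "all -SSLv3 -TLSv1 ..." and explicit "TLSv1.2 TLSv1.3" styles.
# A missing SSLProtocol directive means the Apache default, which is a fail.
check_ssl_protocol() {
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    tokens=$(printf '%s\n' "$line" | awk '{$1=""; print}')
    for legacy in SSLv2 SSLv3 TLSv1 'TLSv1\.1'; do
        if has_token '\+?all' "$tokens"; then
            has_token "-$legacy" "$tokens" || return 1   # "all" must subtract it
        else
            has_token "\+?$legacy" "$tokens" && return 1 # explicitly enabled
        fi
    done
    return 0
}

# Constructed sample configs: one weak pair and one hardened pair.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Port 22\nPermitRootLogin yes\n' > "$tmp/sshd_weak"
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$tmp/ssl_weak"
printf '# hardened\nPermitRootLogin no\n' > "$tmp/sshd_good"
printf 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n' > "$tmp/ssl_good"

for f in sshd_weak sshd_good; do
    check_root_login "$tmp/$f" && echo "$f: PASS" || echo "$f: FAIL (root login permitted)"
done
for f in ssl_weak ssl_good; do
    check_ssl_protocol "$tmp/$f" && echo "$f: PASS" || echo "$f: FAIL (legacy protocol enabled)"
done
```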
To find out more about PCI, check out these slides from the cPanel Conference session "PCI Talk", or contact the session author, Ryan Sherer, for more information.