PCI standard or Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
Basics of getting PCI Compliant.
1) First of all, if is hardly possible of a Shared hosting environments as they will not mitigate certain threats coz others customers will have multiple issues connecting to the services.
2) If you own a Dedicated server/VPS you are good to go.
3) There are tonnes of companies who provide PCI scan reports and will finally get you the PCI Compliant seal that you can proudly put on on your site.
4) There are major three type of ratings that you will see, High >> Red, Normal >> yellow and Pass >> green.
High are potential threats and needs to be mitigated at the earliest.
Medium and pass can be ignored, as they don’t really matter.
5) There is a good point that you wanna keep in mind, if you are running Old CentOs versions or any other flavours like Ubuntu 12.x or below you should seriously upgrade first and then submit for the PCI scan.
For guys with CentOS servers 6.8 and above you really do not need to do anything special. Redhat and CentOS come in with a feature called backporting, and they down;load the patched on the current builds so no matter what comes out you are alwaye secured. You may want to call in your host and get them to check if all the CVE are backported.
Get the results that they give you and provide the same to the scanning commany so that they can whitelist the results oin the next scan. This way it may take a couple of scans but you will get the goal at hand. 🙂
To whom does the PCI DSS apply?
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data
Am I PCI compliant if I have an SSL certificate?
No. SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI compliance.
A secure connection between the customer’s browser and the web server
Validation that the website operators are a legitimate, legally accountable organization
What is a vulnerability scan?
A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network.