Tag Archive 'PCI compliant'

The Importance of PCI Scanning

Formed in 2004, the PCI SSC (Payment Card Industry Security Standards Council) was established to provide a universal set of security standards to be followed by merchants who process and transmit credit card data.  The council was founded by five of the top credit card companies: American Express, Discover, JCB, Mastercard and Visa.  To become a PCI compliant company, your business must comply with the standards set in place by the PCI Security Standards Council.  There are currently 12 standards across six categories that must be met.  These standards are as follows:

1.) Create and Maintain a Secure Network

1. Protect cardholder data by implementing and maintaining a reliable firewall configuration.

2. Never rely on manufacturer-supplied default passwords as a security mechanism.

2.) Protect Cardholder Data

3. Protect cardholder data on servers and other storage mediums.

4. Encrypt cardholder data traveling over public and other open networks.

3.) Maintain a Vulnerability Management System

5. Install, use and regularly update anti-malware software on all systems commonly affected by malicious programs.

6. Create, deploy and maintain secure systems and applications.

4.) Implement Strong Access Control Policies

7. Restrict access to cardholder data to authorized personnel on a need-to-know basis.

8. Assign each individual with access to cardholder data a unique set of login credentials.

9. Restrict physical access to cardholder data.

5.) Test and Monitor Networks Regularly

10. Track and monitor user access to cardholder data and all network resources.

11. Perform regular tests of policies and security systems.

6.) Maintain a Policy for Information Security Purposes

12. Implement and upkeep a policy that addresses information security issues.

How PCI Scanning Works

PCI scanning is performed by approved vendors that help online merchants become PCI compliant by providing services that enable them to meet the standards set forth by the Council.  The scan itself is the process in which the vendor probes the firewalls and other security elements a business has in place to determine whether vulnerabilities exist.  In the end, PCI compliance benefits all parties involved, including the consumer, retailer and credit card company.  After the scanning has been performed, it ensures that your website is free of infection and less vulnerable to threats.  When shoppers see that your site is PCI compliant, they will be more confident that their personal and financial information is protected from web criminals.  Not only is this good from a regulatory standpoint, but also from a public perspective, as it can help lead to more conversions and sales for the retailer.  For the credit card company, it means fewer reports of fraud and identity theft, thus resulting in fewer headaches.

The market for PCI scanning is growing rapidly, with McAfee and Trust Guard among the leading service providers.  There are also a number of web hosting firms that offer services with security features to help organizations become PCI compliant.  This wider variety enables small-scale retailers to get the best of both worlds in regard to PCI scanning and traditional website security.

Category: Security Issues
Posted on Tuesday, Oct 27, 2009

The Need for PCI Compliant Hosting

More web hosting providers are offering services that provide customers with the help they need to achieve PCI (Payment Card Industry) compliance.  Achieving compliance requires the use of numerous security tools and policies to meet the standards that apply to any business that accepts, processes and stores credit card information.  Those who do not adhere to these requirements are subject to penalties and may eventually lose their privileges to accept credit card payments, which is the most common method of payment on the web.  If you sell products or services online, investing in a PCI compliant hosting solution may be worthy of your consideration.

Though PCI standards were introduced to protect consumer information and ensure integrity across various industries, they have also introduced a new level of frustration for the smaller business that needs to sell products or services online but doesn’t possess the resources to achieve compliance.  There is a lot that goes into protecting sensitive card data and, unfortunately, too many organizations are not equipped to provide this protection.  Every day, companies are scrambling to gather the resources needed not only to fend off attackers, but also to keep the government out of their business.  Difficulties aside, PCI compliance is needed, as threats are growing rapidly in both number and sophistication.

PCI-Friendly Hosting Features

Achieving compliance requires a multitude of security components.  Some of the essentials include:

Malware Protection – Malicious software such as viruses, worms, Trojans and keyloggers pose a direct threat to card data stored on any computer or web server.  Businesses are strongly advised to keep their systems protected with reliable solutions capable of detecting and eradicating the latest malware programs.

Firewall – A firewall provides an organization with the ability to control inbound and outbound traffic going to and from the system.  With the right configuration, it can halt malicious traffic and also help to prevent basic hacking attacks.

Intrusion Detection – Though very effective, a firewall can only do so much.  An intrusion detection system enables PCI compliance by detecting the presence of malicious activities that pose a potential threat to card data resting on the system.

Network Monitoring – Even with all the right security mechanisms, card data can still be at risk due to a wide range of circumstances.  This could relate to a hardware failure or a problem with a backbone provider.  Network monitoring allows companies to stay one step ahead of such issues by watching over the network and reporting its status to system administrators.

SSL Certificate System – SSL (Secure Sockets Layer) is a must-have security feature for any business that sells goods or services over the internet.  Credit card data is in jeopardy whenever transactions are made on any website that isn’t protected.  With an SSL certificate, businesses can protect sensitive information, as the protocol creates an encrypted tunnel through which credit card details travel.

Not all hosting providers make the commitment to aid in PCI compliance, but more are getting on board with the concept.  Those who do should be commended for their efforts to provide business-friendly solutions that take the stress out of meeting these demanding standards.

Category: Security Issues
Posted on Friday, May 29, 2009