Monday, January 18, 2010

Demystifying PCI-DSS and PA-DSS Compliance For Web Hosting Customers

Considering it's almost impoosible to demystify it for web hosts themselves this may be a tall order. But I'll try...

First thing first, the difference between PA-DSS and PCI-DSS. These two things have exactly two things in common.

1. They are both Digital Security Standards (thus the DSS in their names)

2. They are both overseen by the PCI Security Council

Second, a website and/or webhost can not be PA-DSS compliant. PA-DSS compliance is only for software providers that make Payment Applications (the PA in the name) that are online and exposed to the credit card number. For the webhosting world this primarily includes Shopping Cart providers but also includes terminals and other payment apps where they're exposed to credit card numbers.

Third, PA-DSS is coming up upon it's mandatory deadline, all related software providers must be PA-DSS compliant no later than July 1, 2010. This date has no relation to PCI Compliance. Technically anyone accepting credit cards online ALREADY has to be PCI Compliant.

Fourth, being PCI-Compliant has almost nothing to do with passing a scan. Yes most online merchant are Level 4 merchants from a PCI perspective and most of them only need to fill out the SAQ and pass a quarterly scan. What I normally see is that most business owners fill out the SAQ and don't take it seriously, they routinely just answer everything yes and then assume because they pass a scan that they're good to go. This is something like casually filling out your income tax forms and assuming you're good to go. You're only good to go until the trouble begins.

Part of filling out the SAQ is being an officer of the company and verifying your company is following these proceedures and that it's network architecture is as described. If there's a breach it's the officer and the company who are going to be in a very tough spot as the responsibilities for the breach fall on to them and can easily put them out of business.

So what do you have to do to be PCI Compliant even if I'm a small company? I'm not a QSA (Qualifed Security Assesor, essentially an approved PCI auditor) so this advice should all be gone over with your QSA, but I've been going through this process long enough to know a little bit and here's what I know are must haves thus far:

1.From a hosting perspective your network needs to have a minimum of three separate machines.

•Your webserver which needs to (obviously) sit behind a secure firewall

•Your transaction database server which needs to be a different machine and it must be on the otherside of another firewall from the webserver

•Your encryption keys database server which needs to be on a different machine than your transactions and also through a different firewall.

2.Your machines need to have their security patches kept up to date

There's a whole lot more to PCI compliance than just those two items, but these two items when it comes to hosting are must haves, what probably goes without saying is you really can't get all the moving parts you need to be PCI compliant and pay only $10 a month for it. thewhir

1 comment:

  1. It is a good article. I have a similar one, just an extract from the PCI DSS on what is required for the webhosting companies