08-05-13 | Blog Post
For ecommerce websites, partnering with a PCI DSS compliant hosting provider can help you achieve many requirements of the standard while building a layered security solution to protect credit cardholder information, whether stored or merely in transit. Where should you start? [If you’re not sure what the requirements are, read What is PCI Compliance?]
For a fully protected system with multiple layers of technical security, start with a web application firewall (WAF), a device that sits behind your virtual or dedicated firewall and scans any incoming traffic to web servers for potentially malicious attacks that might affect the web application server, including SQL injection attacks. Using a security tool to protect public-facing web applications is required by PCI DSS compliance requirement 6.6.
Another way to protect against online fraud and unauthorized access to your Virtual Private Networks (VPN) when connecting remotely is two-factor authentication. Using a password and unique user ID in addition to a secondary factor (i.e., push notification on your smartphone) makes it more difficult for external intrusions to occur as a result of employing only one factor of authentication.
Two-factor satisfies requirement 8.3 that says companies must “incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.”
Another method involves vulnerability scanning which is a web application that periodically checks your firewalls, networks and open ports for unsecure code or misconfigured networks. To meet PCI DSS compliance standard 11.2, you need to run vulnerability scans and produce quarterly reports of your system’s security status.
The standard also requires you to run scans after any significant change in the network, including installing new system components, changes in network, firewall rule modifications, product upgrades. etc.
Finally, daily log review fulfills PCI DSS requirement 10.6 that mandates log review for all system components on a daily basis. Log monitoring is not just the tracking, transportation and storage of log events, but it is also the review, analysis and monthly report of system activity.
For a full list of the technical security tools available to create a strong data security solution, visit Technical Security.
For more information about other ways to secure your servers, read about our Technical Security services.
Or, if you’re confused about how to meet technical security requirements of PCI DSS, read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, and vendor selection criteria.