Pci DSS

PCI COMPLIANCE

WHAT IS PCI COMPLIANCE

PCI (Payment Card Industry) data security standards provide a set of general rules and practices that ensure the security of credit card data, when a credit card is used for purchasing goods and services. PCI standards are to be followed by companies that store and process credit card data.

When a web site accepts and stores credit card data, the credit card processing company requires the server and the site software to be PCI compliant. Such status is obtained through companies that provide PCI compliance certification. Usually, the certification company will run a PCI scan on the site/server to make sure that it is compliant.

DISCLAIMER ON OBTAINING PCI COMPLIANT STATUS FOR SITES ON OUR SERVERS

If you want to obtain a PCI DSS certification for a website that runs on our servers, you should have in mind the following before you purchase the certification service:

  1. In general, shared hosting services are not meant to provide PCI compliance. Therefore, we cannot give a guarantee that your site will be able to pass a PCI scan. The types of scan differ through different companies, and while most of the scans can be passed, it is possible some certification companies to have requirements that cannot be fulfilled. This is due to the nature of the shared hosting service with more than one customer on the server.
  2. Additional services on our side, such as specific port blocking, may be available only on some of our hosting plans.

COMMON STEPS YOU CAN TAKE BEFORE RUNNING A PCI SCAN

The list below include the most common items that could appear in a PCI scan report as failed. You can take these steps prior to running the PCI scan, or simply have the scan run, and then fix the "failed" points in it.

1. Obtain a personal certificate for your domain
The default certificate on our servers is issued to the server name. Therefore, if you want your site to be accessed over https:// without raising warnings, you need to obtain a personal certificate for your domain, and it should be installed on the server on a dedicated IP address. You can contact your hosting provider for assistance in obtaining and/or installing an SSL certificate on a dedicated IP. You will not be able to pass a PCI scan without having a personal certificate and a separate IP address for your domain.

2. Force HTTPS on statistics folders (http://yourdomain.com/stats)
PCI compliance usually requires all parts of your website to be accessible through HTTPS. As the statistics folder is a system one and it is not a part of your web site, forcing HTTPS over it is done separately from the site.
You can force HTTPS connection to your statistics page through the hosting Control Panel -> Site Statistics section.

3. Disable directory listing
Some PCI scans will require the directory listing for your website to be blocked, so that files are not visible if an index page is not present in some directory. Directory listing can be disabled for your site at the hosting Control Panel -> Protection -> Web access protection section. There, you need to click on the button Disable under "Directory listing" for the folder in which your website is (usually - /www/www)

4. Maintaining the website software.
While we maintain the server software and are responsible for its security, it is a responsibility of the customer to run secure software on their website. PCI scans also test your website for SQL injections, cross scripting vulnerabilities, remote inclusion vulnerabilities, etc. If any such issues arise, they must be fixed by the developer of your website.

5. Additional port blocking / firewall protection
Most companies that provide PCI compliance certification require the server to have open ports only for the web service (ports 80 and 443), and not to have open ports for FTP, SMTP, SSH, MySQL etc. This can be achieved on our servers by adding firewall rules so that only ports 80 and 443 are open.
To have this feature enabled:

  • your site must have a separate IP address. You will have such if you have a personal certificate installed on your domain.
  • you should perform certain DNS modifications before enabling the port blocking, so that your mail services continue to work.
  • your hosting plan must include this feature. You can contact our support team for more details on this.
  • once the feature is enabled, your email, FTP, and remote MySQL services will be available only on the server default IP address, and not on your domain IP address.
  • DNS modifications
    The DNS modifications you need to make are meant to point the MX record for your domain to the default server IP address. This will ensure that your email services will continue to work when the ports on your domain IP address are blocked. If your domain uses our DNS service, the modifications are to be made through the DNS Manager section of the hosting Control Panel. In general, if the MX record for your domain is "mail.domain.com", the A record for "mail.domain.com" must be pointed to the default IP address of the server. Then you need to allow at least several hours for DNS propagation, prior to enabling the port blocking.
    If your domain uses a third-party DNS service, you need to make the required DNS changes there.
  • Enabling the port blocking
    The additional port blocking can be enabled only by our system administrators. You can contact our support team for assistance. We will check whether your DNS records are set properly, and will have the feature enabled.
  • Mail, FTP, MySQL, and SSH services with port blocking enabled
    You must have in mind that with this port blocking enabled, all services except the HTTP/HTTPS service will be available only at the server IP address/hostname. Therefore, you should modify your email programs to connect to "mail.servername.com" instead of "mail.domain.com". The same is valid for FTP/MySQL/SSH programs - use the server name to connect to the server instead of your domain name.