Based on the 2012 Identity Fraud Report by Javelin Strategy and Research, 11.6 million adults’ identities were stolen in the United States in 2011, which was 13% higher when compared to similar incidents in 2010. Moreover according to TrustWave statistics, 89% of hackers break into systems with the goal of stealing customer records.
In the current environment with growing threats of unauthorized users accessing your private payment information, it has become highly important for e-commerce businesses to secure cardholder data. As stated by the PCI Security Standards Council, The Payment Card Industry Data Security Standard (PCI DSS) ‘was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally’.
What is PCI DSS?
Nowadays, PCI DSS is an international standard that sets the requirements for any company that stores, processes or transmits cardholder data, such as banks, web hosting providers, eCommerce businesses, etc. In order to minimize the risk of cardholder data being compromised and to earn online buyers’ trust, many companies get PCI DSS compliance certification.
What is PCI compliant web hosting?
Based on the PCI DSS: Requirements and Security Assessment Procedures Version 2.0, every host that wants to be PCI DSS compliant must meet a number of requirements:
- Build and Maintain a Secure Network; through proper firewall installation and maintenance, changing default system passwords to customized secure formats before installing a system on the network, etc.
- Protect Cardholder Data; encryption of cardholder data and usage of secure protocols like SSH are the most common to protect cardholder data.
- Maintain a Vulnerability Management Program; even if the network is fully secure there is still a possibility that hackers could access cardholder data using trojans, viruses and older versions of applications (as they have already been able to find vulnerabilities present in those applications), on personal computers or servers. Therefore it is very important to update anti-virus programs and other software regularly. Also, in order to prevent system failure, production and development environments should be separated.
- Implement Strong Access Control Measures; helps to minimize the effect of the ‘human factor’ and decreases the possibility of a system’s failure and data being compromised (examples of such measures include having a unique ID for each person with computer access, restricted access to the most sensitive data, etc.).
- Regularly Monitor and Test Network; regularly scanning the system for vulnerabilities, monitoring traffic to cardholder data and alerting personnel about suspected compromises are just a few examples of preventive measures against identity theft and system failure.
- Maintain a Policy that Address Information security for all personnel; one of the PCI DSS operational requirements is to keep employees aware about the sensitivity of certain data and their subsequent responsibility to protect it. Standardization of daily operational security procedures through the company is another way to minimize security risks.
Through meeting the requirements listed above, a managed hosting provider decreases risks for eCommerce businesses’ reputation and helps them to earn customer loyalty.
Levels of PCI Compliance
There are 4 levels of PCI compliance based on the volume of secure Visa transactions a company can sustain per year. Below you can see a chart with limits for each level.
|PCI DSS Compliance Level||Number of Visa Transactions per Year|
In order to become Level 1 or 2 compliant, a managed hosting provider must be scanned quarterly for vulnerabilities and annually audited by a certified independent auditing company. Level 3 and 4 hosts are self-service compliant. That means that company’s own employees assess vulnerabilities.
If you have a large or medium-sized fast growing business you would probably like to make sure that your hosting provider can guarantee you sustainable growth without any security issues. In that case PCI DSS Level 1 compliant host is the right choice for you.
Spark::red has completed its PCI DSS Level 1 certification with TrustWave as a third-party auditor and currently provides worry-free hosting solutions for the biggest e-commerce businesses with significantly busy websites. Moreover we voluntarily do monthly scans instead of quarterly ones to mitigate security risks.