OverviewThis article provides a brief introduction to Payment Car Industry (PCI) compliance. Additional information about PCI compliance may be found on the PCI Security Standards Council website.
What is PCI compliance?
PCI compliance is a Data Security Standard (PCI DSS) is a set of requirements compiled by the PCI Security Standards Council. The PCI SSC is made up of businesses associated with credit card providers, debit card providers, credit card/debit processors, and card pre-pay providers. The standards created by the PCI SCC are guidelines to process, store or transmit credit card information while maintaining a secure environment.
Listed below are 12 requirements needed for maintaining a secure PCI compliant operation
- Firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Cardholder data stored and protected
- Encrypted transmission of cardholder data across open, public networks
- Regularly updated anti-virus software
- Maintain secure systems and applications
- Restricted access to cardholder data by business
- Unique ID assigned to each person with computer access
- Restricted physical access to cardholder data
- All access to network resources and cardholder data tracked and monitored
- Security systems and processes regularly tested
- Information security policy maintained
Do I need my site to be PCI compliant?
Many sites do not need to be PCI compliant. If you have not been told that PCI compliance is absolutely necessary, you may not need it. The best approach is usually to evaluate the needs of your site and examine the list of requirements above.
If it is determined that you will need PCI compliance, you should work with your internal teams to come up with a strategy on how to become PCI compliant. Making sure your site is PCI compliant is not supported by (mt) Media Temple. While we can assist with some aspects of PCI compliance, meeting the full requirements listed above will be up to you.
PCI compliance and Plesk
As of Plesk Onyx, Plesk users may use a built in utility that will help with several aspects of achieving PCI compliance. You may still need to install an SSL certificate and adjust other aspects of your server, but Plesk's utility will automatically adjust several settings to meet compliance standards.
Plesk's documentation for using the PCI tuner utility may be found here:
Plesk PCI Linux Tuner
Plesk PCI tuner limitations
According to Plesk's documentation, the utility is subject to these limitations:
- The protocols for qmail mail agent cannot be configured; therefore, qmail is not secure enough to satisfy PCI DSS. It is recommended to use Postfix instead.
- Ciphers for qmail cannot be changed via Plesk utilities (though it is possible to change them via the configuration file).
- TLSv1.1 and TLSv1.2 are not supported on CentOS 5, Red Hat Enterprise Linux 5, and CloudLinux 5.
- The DH parameter's size cannot be managed for Apache from OS vendor (CentOS 5, Red Hat Enterprise Linux 5, CloudLinux 5).
- SSL/TLS compression is not disabled on Debian 7 for ProFTPd, Dovecot, and Postfix. [This does not impact Media Temple Plesk users.]
Can I host a PCI compliant site on the Grid?
Because of its shared environment, sites will not meet PCI compliance if they are hosted on the Grid. This does not mean that eCommerce on the Grid is impossible. Many well-known eCommerce sites do not require PCI compliance, and SSL certificates may still be used to verify the validity of a site and create encrypted connections to transfer information securely across HTTPS. However, without a dedicated hosting environment, the PCI Security Standards Council compliance cannot be met.
Payment gateway services may also be used to satisfy a need for PCI compliance. Some of these include PayPal, Amazon Webpay, Google Wallet, Authorize.net, etc.
If you have any further questions on PCI compliance you may refer to the following sites.