Jun 22, 2009

PCI Compliant Hosting

PCI compliant hosting is one of the key aspects you need to look for when you plan to host some of your customers' credit card data at a hosting provider's site. From a PCI DSS compliance perspective, the key aspects you should look for in order to qualify a service provider as a PCI compliant hosting provider are:

  • The hosting provider should support and allow the periodic PCI scans (vulnerability scans carried out by an Approved Scanning Vendor, ASV)
  • Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Specific to the Payment Card Industry Data Security Standard (commonly known as the PCI standard), the following requirements should be met by the PCI compliant hosting provider:

  • 1.1 Establish firewall and router configuration standards, and all the sub controls
  • 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment, and all the sub controls
  • 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment, and all the sub controls
  • 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards, and all the sub controls
  • 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
  • Requirement 5 (5.1 and 5.2): Use and regularly update anti-virus software or programs
  • 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
  • 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
  • 6.6 on the web application firewall requirement, if applicable
  • 8.3 (remote access security), which you might need to consider if it is applicable
  • 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components, and some of the sub controls
  • Requirement 9: Restrict physical access to cardholder data, and all sub controls. This is a key component, as all of the physical security is the responsibility of the hosting provider
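Two of the items above, 1.3 (no direct public access into the cardholder data environment) and 2.3 (encrypted non-console administrative access), can be checked mechanically against a provider's firewall ruleset. The script below is an added example, not code from the original post or from the PCI Council; it assumes a hypothetical, simplified rule grammar (`allow|deny tcp|udp from <net|any> to <net> port <n>`, IPv4 only, not any vendor's syntax), treats RFC 1918 space as the provider's internal network, and uses a constructed sample ruleset and CDE range. It flags every allow rule that lets an untrusted source reach a CDE host (1.3) and every allow rule that opens a cleartext administrative protocol to a CDE host (2.3).

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hypothetical, simplified rule grammar (assumption of this example, not a
# real vendor syntax):  allow|deny tcp|udp from <net|any> to <net> port <n>
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>tcp|udp)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)$"
)

# Cleartext administrative protocols that requirement 2.3 rules out for
# non-console admin access (SSH, VPN or SSL/TLS should be used instead).
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh"}

# RFC 1918 ranges are treated as the provider's trusted internal space;
# anything else (or "any") is an untrusted network in the sense of 1.2/1.3.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    line_no: int
    requirement: str  # "1.3", "2.3" or "parse" for an unreadable rule
    detail: str


def _is_untrusted(src: str) -> bool:
    """'any' or any source outside RFC 1918 counts as an untrusted network."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)  # IPv4 assumed throughout
    return not any(net.subnet_of(private) for private in RFC1918)


def audit_rules(rules: str, cde_networks: list[str]) -> list[Finding]:
    """Return one Finding per allow rule that breaks 1.3 or 2.3 for the CDE."""
    cde = [ipaddress.ip_network(n) for n in cde_networks]
    findings: list[Finding] = []
    for line_no, raw in enumerate(rules.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            findings.append(Finding(line_no, "parse", f"unrecognised rule: {line}"))
            continue
        if m["action"] != "allow":
            continue  # deny rules never open access
        dst = ipaddress.ip_network(m["dst"], strict=False)
        if not any(dst.subnet_of(n) for n in cde):
            continue  # rule does not reach the cardholder data environment
        port = int(m["port"])
        if _is_untrusted(m["src"]):
            findings.append(Finding(line_no, "1.3",
                f"{m['src']} may reach CDE host {m['dst']} on port {port} directly"))
        if port in CLEARTEXT_ADMIN_PORTS:
            findings.append(Finding(line_no, "2.3",
                f"{CLEARTEXT_ADMIN_PORTS[port]} (cleartext admin) allowed to {m['dst']}"))
    return findings


# Constructed sample data: a made-up CDE segment and a made-up ruleset.
CDE_NETWORKS = ["10.10.0.0/24"]

SAMPLE_RULES = """\
# constructed sample ruleset
allow tcp from any to 203.0.113.10 port 443       # DMZ web front end, outside the CDE
allow tcp from any to 10.10.0.5 port 443          # Internet straight into the CDE
allow tcp from 10.20.0.0/24 to 10.10.0.5 port 22  # SSH from the admin network
allow tcp from 10.20.0.0/24 to 10.10.0.6 port 23  # telnet to a CDE host
deny tcp from any to 10.10.0.0/24 port 23
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, CDE_NETWORKS):
        print(f"line {f.line_no}: PCI DSS {f.requirement}: {f.detail}")
```

On the constructed ruleset this reports line 3 under 1.3 (the Internet may reach a CDE host directly) and line 5 under 2.3 (telnet is allowed to a CDE host); the SSH rule from the internal admin network and the DMZ web server rule pass. A real assessment would feed the exported ruleset of the provider's actual firewall through a parser for that vendor's syntax, but the decision logic is the same.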

In my view, this list covers most of the requirements a service provider must meet to be classified as a PCI compliant hosting provider.

NIST publishes the Guide to Enterprise Telework and Remote Access

NIST has published the final version of its standard for enterprise telework and remote access security. The standard covers information security issues such as employees working from home and vendors working from remote sites.

The document is very impressive, as it covers more or less all aspects of the telework and remote access life cycle, including security threats and vulnerabilities and the associated risks.

It also indicates that a proper risk assessment should be performed to ensure that the various devices involved in remote access connectivity are protected.

It urges organizations to protect client devices from malware infection and to implement the security controls accordingly. This security standard also requires organizations to harden the internal systems that are made available through remote access.

The standard then discusses the importance of securing the remote access server or system, be it a VPN gateway or a portal / SSL VPN gateway, as any compromise of these devices poses a security risk to the organization. It also emphasizes the importance of using encryption when transmitting confidential information over public networks.

Read the full standard at http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf

PCI DSS compliance requirements 8.3 and 12.3 refer to remote access security, and this document is a great help in implementing those PCI DSS controls.

Jun 21, 2009

What is VISA CISP?

VISA CISP is the Cardholder Information Security Program from VISA. It is similar to the PCI DSS program and is also known as VISA CISP PCI. At present the VISA CISP programme has been replaced by the PCI DSS compliance requirement. Visa mandated the VISA CISP program with effect from 2001 and required all its members to be in compliance with it.

In 2004, the VISA CISP requirements were incorporated into the Payment Card Industry (PCI) Data Security Standard (DSS).

At present, if you want your organization to be in compliance with VISA CISP, then you should look to the Payment Card Industry Data Security Standard. Even though VISA is maintaining the name VISA CISP, the Visa website discusses the PCI standard in detail.

A similar program called VISA AIS (Account Information Security) has also been practiced. Again, this program has transitioned to PCI DSS standard compliance.