
Archive for October, 2014

PCI DSS Compliance in the Cloud for Web Sites, Servers, And Colocation   no comments

pci-dss compliant datacenter

Active readers of the blog will know that I tend to write articles that you can apply to your everyday hosting. In the past, I’ve written articles on backing up your software, determining if you need a dedicated server, what exactly DNS is, and the list goes on. The one common thread these articles share is that each assumes you have some type of hosting or possibly a server. In fact, these articles assume that you’re selling, or possibly interested in selling, products online. When you branch into selling your products online, you need to be aware of a somewhat mysterious item called the Payment Card Industry Data Security Standard, or PCI DSS. This will be the focus of our post today, so let’s jump right into it.

 

What is Payment Card Industry Data Security Standard (PCI DSS)?

 

The Payment Card Industry Data Security Standard is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment for their customers. PCI DSS compliance exists to ensure that cardholder data is not stolen and shared around the globe. As a store owner, whether this is a website or a physical store, it’s your responsibility to ensure your customers’ data is protected and secure. PCI DSS is a standard set by the PCI Security Standards Council (PCI SSC). You can read about the standards here:

 

https://www.pcisecuritystandards.org/

 

Contrary to common belief, PCI compliance isn’t actually a federal law in the United States; however, some U.S. states refer directly to the PCI DSS. For example, in 2007, Minnesota enacted a law that prohibits the retention of payment card data. In 2009, Nevada followed suit: in the state of Nevada, merchants are now required to comply with the PCI DSS standard, and doing so shields those merchants from liability should a security breach occur. The following year, in 2010, Washington state incorporated the standard into law. There, merchants are not required to abide by PCI DSS, but those who do are shielded from liability. You can read more about this here:

 

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Mandated_compliance

 

 

Now that we’ve covered what exactly PCI DSS compliance is, let’s see if this currently applies to your situation.

 

Do I need to be PCI DSS compliant?

 

To answer this question, I must first ask you one back. Are you currently taking online payments from your customers? If so, yes, I would HIGHLY recommend becoming PCI DSS compliant, especially if you’re based in the United States or the UK. To take this a step further: say you’ve set up your ecommerce site and you’ve begun taking payments. At this point, you need to decide between two options:

 

  1. Allowing a 3rd party website known as hosted payment gateway to process payments
  2. Taking payments directly from your website

 

Each method has its pros and cons. Using a 3rd party, or hosted, payment gateway is the safer route. The hosted payment gateway will store, process and transmit the account data. You will then use the 3rd party’s Merchant ID to collect the money, which greatly simplifies your PCI DSS compliance. Of course, there are different types of hosted payment gateways. We won’t get into them in this article, but they are listed below:

 

  1. Redirect method: sends your customer to a different site to process the payment and then returns them to your site once the payment is completed
  2. Iframe method: places a payment form that’s fully hosted by your payment provider into your website. The customer stays on your site and is never redirected
  3. Direct post method: sends the data directly to the payment service provider

 

If you decide to take payments directly on your website, you will be storing, processing and transmitting account data on your own server. You will have to sign up for your own merchant account and comply with the highest level of the PCI DSS standards. As you can see from the above, if you’re taking online payments, you will need some form of PCI compliance to give your customers peace of mind when they pay for services on your website.

 

Now that you know what PCI DSS compliance is, and that it applies if you’re running an ecommerce site, what are the steps you need to take to achieve PCI DSS compliance?

 

Steps to PCI DSS compliance

 

Listed below are the steps to PCI DSS compliance. You can go to https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs for a more in-depth guide to the steps you would need to take. The steps below should be taken as a general guide.

 

  1. Build and maintain a secure network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect cardholder data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks
  3. Maintain a vulnerability management program
    1. Use and regularly update anti-virus software or programs
    2. Develop and maintain secure systems and applications
  4. Implement strong access control measures
    1. Restrict access to cardholder data by business need to know
    2. Assign a unique ID to each person with computer access
    3. Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes
  6. Maintain an information security policy
    1. Maintain a policy that addresses information security for all personnel

 

Following those general steps, whether you’re processing payments directly on your website or using a 3rd party payment gateway, will help ensure that your customers’ account data is protected and secure. It will also help ensure you’re complying with PCI DSS standards, and while PCI DSS standards aren’t federal law in the United States, complying merchants greatly reduce the liability risk they could suffer from a data breach.

 

Currently, here at Turnkey Internet, we’re 100% PCI DSS compliant. All of our payments are secure and consistently monitored and updated to ensure that all customer data is secure. Being PCI DSS compliant at Turnkey Internet allows us to offer our customers a peace of mind that non-PCI-DSS-compliant merchants can’t offer. Personally, if a company isn’t compliant it makes me wonder if I can truly trust the merchant with my secure account data.

 

Hopefully this article will help guide you to a PCI DSS compliant ecommerce website that will offer the same peace of mind that Turnkey Internet offers all of our customers.

 

Listed below are some references that will provide you with greater detail on the process of becoming PCI DSS compliant.

 

Until next time

 

https://www.pcisecuritystandards.org/index.php

https://www.pcisecuritystandards.org/smb/

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

 


Written by Jeremy on October 28th, 2014


Locked out of cPanel Again? Locked out of your Web Site?   no comments

Posted at Oct 21, 2014 @ 9:01am Ask the Expert,Web hosting

Avid readers of the blog know that I’m a slayer of tickets and protector of the Turnkey Internet realm of support tickets. If you have a support need with software that you’ve purchased from Turnkey Internet, more than likely I will be one of the team members who works on your issue. I wanted to write you, gentlemen and ladies, a post on a support request I see at least once a week, if not more. I will start this article off by asking one question. Have you ever been locked out of your house? You walk out of the house not thinking about the door, but then you realize that you need to go back into the house to grab your keys. However, the door is locked.

 

What will you do? If you’re a super prepared individual, you may have a spare key lying around somewhere, but if you’re like me, this may not be the case. So, what’s next? Maybe you start thinking, “hmmmm, I wonder if I have any windows unlocked?” You walk around the house hoping, praying, that you have a window unlocked. You soon discover that you’re a very safety-conscious individual and all of your windows are locked. Well, what do you do now? You have no spare key. No windows are unlocked. While that rock on the ground could easily go through the window, do you really want to pay money to get the window repaired?

 

This usually leaves you with no other option than contacting your local locksmith. You pay a ridiculous amount to have them drive out and let you back into your house in a matter of minutes. Now, what if that happens on your server? For the sake of this article, we will assume you have a server, VPS/Dedicated/Cloud, that has cPanel installed. You haven’t changed the password, but all of a sudden you can’t log in to your cPanel or WHM anymore. What do you do? Well, if you purchased your services from Turnkey Internet, the quickest way would be to open a support ticket and have one of our engineers let you back in, but what if you’re a do-it-yourself type of person? Is there a spare key you can use?

 

Now, just to be clear, I’m not talking about not being able to view your site in a browser, but specifically about your cPanel password, which you’ve not changed, no longer working. Your first thought may be: holy crap, my account has been hacked. Someone has stolen my password and is slowly but surely stealing all of my data. While yes, this is a possibility, especially if you have an insecure password, e.g. CAT123, what if you have a secure password, say a 12-character one? Then it’s less likely that your cPanel password has been stolen and more likely that you’re locked out of your account by cPHulk.

 

It’s very possible that you’ve heard of cPHulk before. For those of you who haven’t, the link below explains exactly what cPHulk is:

 

http://docs.cpanel.net/twiki/bin/view/11_30/WHMDocs/CPHulk

 

cPHulk is brute force protection software that is installed by cPanel by default. This little piece of software constantly monitors the server to ensure no one is brute forcing their way into your server. For users who do not know what brute forcing is, please see the link below:

 

http://en.wikipedia.org/wiki/Brute-force_attack

 

To summarize that link, brute forcing is when a hacker tries every possible combination to log in to your account. They start with a dictionary of commonly used usernames and passwords and attempt to log in to your account with each one. This is called a brute force attack, and it is what cPHulk is written to protect against. However, cPHulk can be a bit overzealous at times and end up locking you out of your own accounts. So, how do you fix it?

 

This fix assumes that you have root access to the server and an SSH client such as PuTTY to access the server.

 

  1. SSH to your server as root
  2. Type mysql to open the MySQL client
  3. Type use cphulkd; to switch to the cPHulk database
  4. Type DELETE FROM brutes; to remove the blocked IP records
  5. Type DELETE FROM logins; to remove the failed-login history

 

That will clear all IPs currently blocked on the server and allow you to log in to cPanel/WHM. At that point, you can go to Security Center -> cPHulk Brute Force Protection and whitelist your own IP to keep this from occurring in the future. You’ve essentially just become your own cPanel locksmith. If you’re still having issues, you can always open a support ticket with us directly at: https://helpdesk.turnkeyinternet.net/
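The procedure above flushes every block on the server, including the ones cPHulk placed on real attackers. As an added example, not from the original post or from cPanel, here is a small POSIX shell script that does the same job for a single address only, and checks that the address is a plain IPv4 value before it is written into the SQL. It assumes a cPanel server of this era, where the cphulkd database lives in MySQL and its brutes and logins tables carry an IP column (an assumption; confirm with mysql -e 'DESCRIBE brutes' cphulkd first). The address 203.0.113.10 is a constructed placeholder for your own IP.

```shell
#!/bin/sh
# Added example (not from the original post): lift a cPHulk lockout for one
# address instead of flushing every block on the server.
# Assumptions: cphulkd is a MySQL database and its brutes/logins tables have an
# IP column (check with: mysql -e 'DESCRIBE brutes' cphulkd). Run as root.

# valid_ipv4 ADDR: succeed only if ADDR is four dotted octets in 0-255.
# The value is interpolated into SQL below, so anything else is refused.
valid_ipv4() {
    addr="$1"
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_unblock_sql ADDR: print the statements that remove ADDR's block record
# and its failed-login history, leaving every other address untouched.
build_unblock_sql() {
    printf "DELETE FROM brutes WHERE IP = '%s';\n" "$1"
    printf "DELETE FROM logins WHERE IP = '%s';\n" "$1"
}

# unblock_ip ADDR: validate, then run the statements against cphulkd.
# Returns 2 without touching the database when ADDR is not an IPv4 address.
unblock_ip() {
    if ! valid_ipv4 "$1"; then
        echo "unblock_ip: '$1' is not a valid IPv4 address" >&2
        return 2
    fi
    build_unblock_sql "$1" | mysql cphulkd
}

# Usage (as root on the cPanel server):  sh unblock.sh 203.0.113.10
# Nothing runs when the script is sourced or invoked without an argument.
if [ "$#" -eq 1 ]; then
    unblock_ip "$1"
fi
```

After running it, whitelist the same address in Security Center -> cPHulk Brute Force Protection as the post describes, so the lockout does not recur; the other blocked addresses stay blocked, which is what you want if the lockout was caused by someone else hammering your login page.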

 

Until next time…


Written by Jeremy on October 21st, 2014


Network Security – Does It Matter If I’m In The Cloud?   no comments

Posted at Oct 7, 2014 @ 9:09am internet security,turnkey cloud

Jeremy here again with another post for you this week. Today, we will be covering security. Namely, network security. Now, if I ask you what exactly network security is, what would your answer be? If you’ve been in the hosting industry or Information Technology field for an extended period of time, you will have no issue answering that question. However, most readers may not be 100% certain what exactly a network is and how it affects their hosting. For this article, let’s first start with what exactly a network is in terms of your website, and then we will get into securing that network, so without further ado…

 

What is a network?

 

If you’re reading this article, more than likely you’re on a computer connected to the internet. The computer that you’re reading this article on is more than likely in a local network. Before we get too carried away, let’s define what a local network is. Directly from our friends over at Wikipedia:

 

http://en.wikipedia.org/wiki/Local_area_network

 

A local area network is a computer network that connects computers within a limited range such as homes, schools, libraries or office buildings. To ground the idea further in your mind, let’s say that you have purchased a desktop PC, a laptop and a cellphone from your local electronics store. You also purchased a router. Your router is a piece of networking technology that creates a local area network for your home and then allows you to connect to the internet. When your devices connect to the router, it places them into a local area network. This allows the devices to communicate with one another. It also allows them to communicate with the rest of the world via the internet.

 

There are other types of networks, such as a WAN or Wide Area Network. This is a much larger type of network and usually covers broad areas such as a college campus or metropolitan area. Now you may be asking, what does this have to do with my website? Well, glad you asked. You see, when you purchase hosting from Turnkey Internet, you’re paying to host your site on our network. This is what people generally mean when they purchase hosting: they are paying a provider to be included in its network and give their website a home.

 

As you have already gathered, if something were to go wrong with the network, your site may go offline. This leads us to our next topic.

 

Why do I need to secure my network?

 

If you are hosting in the cloud, you still connect over your network. Cloud hosting from Turnkey Internet lets you be assured that your site is on a network with multiple layers of network security; however, this article isn’t about securing our network at Turnkey Internet, but about the preventative steps you can take to secure your own network. Maybe you have a dedicated server and you’re managing the server yourself. Knowing how to secure the network your server is located on goes a LONG way toward ensuring you’re providing your customers with a top-notch website.

 

You may be thinking: well, what do I need to protect my network from? Many network security threats spread over the internet, the most common including:

 

  • Viruses, worms and Trojan horses
  • Spyware and Adware
  • Zero-day attacks
  • Hacker attacks
  • Denial of service attacks
  • Data interception and theft
  • Identity theft

 

While this is in no way an all-inclusive list, the items listed above are the most common types of network threats you will find on the internet. Some of those attacks have to be mitigated at the network level, such as Denial of Service attacks. You can read about denial of service attacks below:

 

http://en.wikipedia.org/wiki/Denial-of-service_attack

 

Some of the other network attacks you can help mitigate at the server level, which you can read about below.

 

How do I secure my network?

 

In order to truly secure your network, you must understand that there is no single solution that will protect you from every threat listed above. In fact, a highly secure network has multiple layers of security. If one layer fails, another layer takes its place. Network security is best accomplished through a combination of hardware and software. The software should be updated at regular intervals to ensure that you’re running the most up-to-date version. Ideally, a network security system will contain many parts, all working together. This helps to ensure maximum security while minimizing maintenance.

 

Your most common type of network components are listed below:

 

  • Anti-virus software
  • Malware detection
  • Firewall that blocks unauthorized access
  • Intrusion prevention systems that will identify fast spreading threats such as a zero day attack
  • Virtual private networks(VPN) setup to provide secure remote access

 

If you have a few or all of those components working together, you will help ensure your network remains stable. Effective network security targets a variety of threats and stops them from entering or spreading through your network. This protects the usability, reliability, integrity and safety of your network and data.
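The list above names a firewall that blocks unauthorized access as one layer. As an added example, not from the original post, here is what that layer looks like on a self-managed Linux web server: a default-deny nftables ruleset, produced by a shell function so the one address allowed to reach SSH is checked before it lands in the rules. It assumes nftables (the nft binary) is installed on the server; the address 203.0.113.10 is a constructed placeholder for the address you administer from.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny nftables host
# firewall for a web server, with SSH reachable only from one admin address.
# Assumes nftables is installed. 203.0.113.10 is a constructed placeholder.

# build_ruleset ADMIN_IP: print a complete ruleset. Every inbound packet is
# dropped unless a rule accepts it: replies to connections we opened, loopback,
# ICMP, SSH from the admin address only, and HTTP/HTTPS from anywhere.
# Drops are logged at a limited rate so a flood cannot fill the log.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        ip saddr $1 tcp dport 22 accept
        tcp dport { 80, 443 } accept
        limit rate 5/minute log prefix "nft input drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset ADMIN_IP: refuse anything that is not made of digits and dots
# (the value is written into the ruleset text), then load the rules atomically;
# nft rejects the whole file if any line is malformed, so a typo leaves the
# previous rules in place rather than half-applying the new ones.
apply_ruleset() {
    case "$1" in
        ""|*[!0-9.]*)
            echo "apply_ruleset: '$1' is not an IPv4 address" >&2
            return 2 ;;
    esac
    build_ruleset "$1" | nft -f -
}

# Usage (as root):  sh firewall.sh 203.0.113.10
# Nothing runs when the script is sourced or invoked without an argument.
if [ "$#" -eq 1 ]; then
    apply_ruleset "$1"
fi
```

Load a ruleset like this from the server console, or with a scheduled revert, the first time: with policy drop on the input chain, a wrong admin address locks you out of SSH just as surely as cPHulk does. The forward chain is dropped because a single web server never routes for other hosts; if you later add a VPN, that is the chain its rules go in.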

 

Here at Turnkey Internet, we have multiple layers of network security, starting with our DDoS protection system, which monitors our entire network and instantly notifies us of a DDoS attack. We also install and configure firewalls on all of our shared servers. We run daily malware detection scans and constantly update software to ensure we’re protected from the latest threats. Doing these things helps us provide a secure and reliable network for all our customers. It may be time you invested in your own network security.

 

Until next time…


Written by Jeremy on October 7th, 2014
