East Coast Carriers:
· Global Crossing
· SAVVIS
· Cogent
· Verizon
· AT&T
· Tiscali
· Internap
· XO
· Level 3
· Sprint
· Cox Communications

About ZZ Servers headquartered in San Francisco, California. ZZ Servers delivers web hosting and datacenter services to meet current and future business compliance requirements from our facilities in San Francisco, CA and Ashburn, VA. For more information please visit www.zzservers.com or call 800-796-3574.

Contact:
Peter Zendzian
888-406-1838
peter@zzservers.com

If a phone is lost or stolen, your natural reaction may be to change your password. This is not a good idea, because changing the password will make it impossible to do a “remote wipe” of the phone. Fortunately, Kerio Connect offers a solution called “remote wipe”. A “remote wipe” will erase all data on the phone completely resetting all accounts, and in the case of most phones, erasing all apps and completely resetting the phone. Remote wipe is much more effective than changing a password because it protects the user’s privacy, and should be used instead. More information regarding the remote wipe feature can be found at ZZ Servers.

I was able to spend a good 1/2 an hour with the now new customer and help them understand how our approach meets the intent of PCI and is not focused only on trying to “make the sale.”  However, for those that we do not know what questions to ask of a hosting provider I have started a new project where I will be “shopping” for a new hosting provider and will post the communications I have with them, along with some additional comments on what their answers would mean to me if I was in my QSA role evaluating their solutions.  I will keep the communications anonymous to prevent any liability issues, but feel free to use any of the questions or comments I have when discussing hosting solutions with any providers you may be examining; and feel free to use my questions against us when you call and ask about PCI or Compliant based hosting with ZZ Servers.

With that in mind, here is the first discussion with a decent data-center with multiple data-centers fully owned and operated by their staff in the northern midwest.  I have highlighted items that caused me to be concerned about their understanding of PCI and what it takes for merchants or service providers to be hosted with managed PCI solutions.  Please note, anyone can take a rack of hardware and managed / deploy it in a compliant manor.  But that is not what these hosting providers are selling.  They are selling compliant solutions, leading customers who do not fully undersand the requirements to think they are meeting all of the requirements.

***Chat Information*You are now chatting with ‘Paul’
*Paul: *Greetings, my name is Paul. Welcome to <HOSTING PROVIDER> Sales. With
whom am I speaking? How may I be of assistance?
*you: *Hello, i saw your VPS servers have a $50/mo PCI certification?
what does that provide? Does that mean i’ll be compliant? do i need
anything else? does that include my scanning, pen test,
internal/external? log monitoring?
*you: *hello?
*Paul: *Hello, sorry about that
*Paul: *the PCI certification will include all scans for your server to
be entirely compliant
– This is common, many people belive that if you get your ASV scanning & answer questionairre you are compliant..if it was only that simple
*you: *so it is only the scans?
*you: *not the rest of the compliance needs?
*you: *internal & external scans then?
*Paul: *it covers all services needed
*you: *external logging/monitoring, firewalls, IDS, 2 factor remote
access, pen-testing (internal/eternal), asv scanning & internal scanning
(& other stuff i can’t remember atm)??
*Paul: *Yes, it is the complete service
– how can he say it’s scanning, then a complete service? At this point I really believe the sales guy does not know what he is selling
*you: *applicatoin & network penetration testing? how do you have that
for $50/mo? the best quote I have from a professional pen-testing
company is 5000/year
*Paul: *let me double check
*Paul: *yes, it does, I have confirmed
– confirmed? if you can’t tell by now that I am asking questions above his knowledge level; why not conference in someone who knows the answer..
– Many hosting providers want you to email or fill in a form so they can manage their response, if they can’t answer your quetions at all hours
– then are you sure they can manage your compliance needs at any hour?? Get them to bring the expert on the phone while you are asking questions!
*you: *interesting, do you have a detailed whitepaper or pdf on the
complete services offereed?
*you: *and i assume i’ll have to get more than 1 server
*Paul: *No, you can have PCIC with one server
– big big red flag!! If you are only using paypal/google for payments then yes this is right but if you are not then the requirement for “single use” is pretty important
*you: *and that includes firewalls too right? do i have a dedicated
rfc1918 address space?
*you: *you can?
*you: *how do you satisfy the “single purpose” requirement?
*you: *where a server can not be a web & database server
*Paul: *we do not require a cluster for pcic
– I wasn’t asking about a cluster. This is a typical issue, the sales team is use to selling hosting of servers but does not understand PCI. I guess they have not had
– any PCI training (which you merchants & service providers are required to have annually)
*you: *you do not, but PCI requires that
*you: *pci has something somewhere that requires each server have a
single function
*you: *do you have any documentation? or details about what is included
in your PCI services?
*Paul: *I do not have a detailed outline, but I know these are the
standards we follow
– Another warning…PCI is documentation heavy, if they do not have documentation, have they really done all thats required?
*Paul:
*https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
*you: *yes i am familiar with that
*you: *our QSA has ingrained tht into us
*you: *i was just curious because some of your answers do not jibe with
what the PCI-DSS requires
*you: *ok i think i have enough for now; thank you for your time
*you: *Have a great night..oh one last question; where are your
data-centers located?
*Paul: *My pleasure, they are in <LOCATION>
*you: *any other geographic areas?
*Paul: *they are all located in <ONE LOCATION>
*you: *thank you have a great night
*you: *oh one other questoin
*you: *what technology do you use for your remote 2 factor auth & vpn
technology?
*you: *rsa/certificates/?
*Paul: *The only vendors I have info on at the moment are control scan,
security metrics, trustkeeper, and clone systems
*you: *so it’s not included w/the pci service?
*you: *it’s a 3rd party vendor we have to engage?
*Paul: *Send me an email to <SALES-EMAIL> and I will find out for sure
– Remember earlier they said it included all required services? Again, lack of documentation & training lead me to think they just do not know what the requirements are or what they are selling
*you: *ok thank you, have a great night/morning

Merchant levels and Compliance Validation Requirements

Merchant Types

The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.

Service Provider Levels

Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. Service provider levels are defined as:

By using the charts above, you should be able to easily determine your level and validation type. Knowing this details will go a long way in guiding you through your compliance but it is important to partner with other qualified businesses for your service. ZZ Servers provides PCI focused hosted infrastructure designed for PCI compliance and includes many of controls and measures required for your business infrastructure to be fully compliant.

Many on-line fax services send received faxes by unencrypted email with cleartext (TIFF/JPG or PDF) attachments which are not PCI compliant. One reason for this is PCI clearly states that credit card numbers are not to be emailed in clear-text, they must be encrypted. A fax converted to PDF & emailed is not encrypted and if done that way then both the service provider and the receiver are non-compliant.  During an audit you can’t say you didn’t know, you signed up for the service knowing you were going to receive card numbers.

So, how do you receive credit card payments by fax? The first step is get a phone line w/a $50 fax machine from your local office supplier and come up with a security policy for how to secure the fax machine and incoming faxes. This is cheaper and easier to deal with than trying to make some digital systems PCI compliant. The fax needs to be classified as confidential and handled how your data retention policy dictates, assuming your retention policy is PCI compliant. An example would be a secured fax machine in accounting or other area set aside for receiving secure faxes. Additionally faxes containing credit card numbers need to be stored or archived properly and when disposed of, it needs to again follow your data retention policy and be securely destroyed (cross cut / incinerate, whatever:).

If your company is receiving card data on behalf of your customers, you are liable for all the paths it takes to get to you. Claiming you didn’t know or that it’s out of your hands is not enough when there are secure solutions. Don’t use a fax service unless they can send encrypted emails and securely purge the fax data when sent; otherwise get a real fax machine & secure it and instruct those who have access what it may contain and how to handle it appropriately, and yes training for your employees is a PCI requirement.

In the end, you will find a phone line with $50 fax from your local office supplier is cheaper and easier to deal with than trying to make some digital systems PCI compliant.

PCI DSS, which stands for Payment Card Industry Data Security Standard was developed by major credit card companies to protect themselves, their clients, and the businesses and organizations that use their cards.

PCI DSS began, originally, as five separate programs operating individually through MasterCard, Visa, American Express, Discover, and JCB to protect data security and to create an additional level of protection for customers by ensuring that merchants meet minimum security levels when they process, store, and transmit cardholder data.

The Payment Card Industry Security Standards Council was formed in 2004 when these companies aligned their individual policies and created the Payment Card Industry Data Security Standard. PCI is considered to be one of the more comprehensive standards of data security. It is regarded as being relatively more prescriptive than other similar laws.

PCI Compliance Requirements in Small Business

PCI Compliance is a necessary requirement for all businesses that use credit card machines or process and store credit care information of any sort. This can be quite difficult for many small to medium size business due to the time, money and technical aspects involved. In house efforts for small businesses to become PCI compliant can take up to 18 months and cost upwards of $40,000. Furthermore, hardware and software upgrades could add additional thousands of dollars in order to maintain a safe and secure set of processes.

PCI DSS compliance addresses two crucial components: safe storage and protected payments. Any business that stores or processes any credit card information is required to safely store any and all information it gathers. Remote storage solutions are ideal because they ensure that credit card information is stored separately from other financial information that could be compromised.

Another important factor in PCI DSS compliance is a company’s ability to securely send and receive credit card information online and via the phone. When collecting information online, it would be ideal for the customer to remain on a business’s secure website and not redirected to an external site. This could compromise information and cause a major security risk.

Updating a small business’ systems to comply with PCI DSS regulations can be quite expensive and tiresome; there are alternatives for small to medium sized businesses however.

There are companies available that are PCI DSS experts, and provide PCI compliance solutions for companies around the country. Generally speaking, these companies can get a company within the ranks of PCI compliance within 30 days for relatively low cost — allowing SMB owners to focus on the day to day operations of their business and not alleviating the burden of becoming PCI compliant.

Whether you choose to meet PCI compliancy in house, or outsource that duty to a specialist company, it is a critical to meet compliance and remain compliant to PCI DSS regulations.