My Merchant Account Blog

Build and Maintain a Secure Network

Thursday, December 04, 2008
There are two requirements in the first section of PCI DSS (Build and Maintain a Secure Network):
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Firewalls can be either hardware or software, but hardware firewalls usually tend to be more secure.  Either way, a firewall is key to protecting your servers from hackers: it should examine all network traffic and block any traffic that does not meet defined rules.

When you first buy a shopping cart or download a free one, you need a way to access the database.  Usually this is done via a web interface in the admin section of the cart.  Most carts ship with an easy default password, like password or 123456.  Merchants must change this password immediately and allow only certain employees access to the data.  Some carts also let you set up users with access to just specific data, i.e. inventory, mailing list, etc.  If your cart supports this, consider using it as well.

Install and Maintain a Firewall Configuration to Protect Cardholder Data

Usually this requirement is handled at the hosting or data center level.  Some hosting and data center companies will tell you they are PCI compliant.  This usually means their firewall is set up to allow only certain protocols, such as Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), Secure Sockets Layer (SSL), Virtual Private Network (VPN), and File Transfer Protocol (FTP).  Compromises usually happen on unused or insecure ports (remember there are over 60,000 ports, and most need to be blocked to avoid exploitation).

There are many protocols that a company might need (or that are enabled by default).  These protocols can be used by hackers to breach a network.  Every open protocol should be documented and justified, and the security features protecting it should be in place, documented, and implemented.  The firewall rules should be reviewed every quarter.

You should also prohibit direct public access between external networks and any system that might store cardholder data, such as logs, databases, or trace files.
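The following is an added example (not code from the original post) of the default-deny model described above: a small rule set in which every open port carries a written justification and a last-review date, traffic that matches no rule is dropped, and no rule lets an external source reach the database host.  The addresses, ports and dates are assumptions for the example.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed rule set for this example: only documented, justified services are
# reachable from the Internet and everything else is dropped. The host addresses,
# ports and review dates below are assumptions, not a real deployment.
WEB = "203.0.113.10"   # public web server
DB = "10.0.0.20"       # database server on the internal network
ANY = "0.0.0.0/0"

class Rule:
    def __init__(self, src_net, dst, port, justification, reviewed):
        self.src_net = ip_network(src_net)
        self.dst, self.port = dst, port
        self.justification = justification            # documented reason the port is open
        self.reviewed = date.fromisoformat(reviewed)  # date of the last quarterly review

RULES = [
    Rule(ANY, WEB, 80, "HTTP: public storefront", "2008-10-01"),
    Rule(ANY, WEB, 443, "SSL: checkout and admin pages", "2008-10-01"),
    Rule("198.51.100.5/32", WEB, 22, "SSH: admin workstation only", "2008-05-01"),
    Rule(WEB + "/32", DB, 3306, "only the web tier may reach the database", "2008-10-01"),
]

def decide(src, dst, port):
    """Default deny: allow only traffic that matches a documented rule.
    No rule admits an external source to the database host, so the system
    holding cardholder data is never directly reachable from the public network."""
    for r in RULES:
        if ip_address(src) in r.src_net and r.dst == dst and r.port == port:
            return "allow"
    return "deny"

def overdue_rules(today_iso, max_age_days=90):
    """Rules not reviewed within the last quarter, as the post recommends."""
    today = date.fromisoformat(today_iso)
    return [r for r in RULES if (today - r.reviewed).days > max_age_days]
```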

Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Usually the first thing a hacker will try to gain access to your system is the default passwords (password, test, 123456, admin, etc.).  These passwords are usually also found in the FAQ section of the shopping cart vendor's website or in the cart download.  They should be changed before installation or immediately after (to help prevent hackers from creating another administrator user account).

The password that you create should consist of numbers, letters, and special characters.  Try not to use birthdays or family, city, and street names.  Your password should be changed at least every six months.  Try not to use your password on any computer that is accessible to the public (library, Internet shop, etc.).  Ask your shopping cart vendor whether any special characters are not allowed, like ", :, ^, &, \, or /, and find out whether the password is case sensitive.  This will help to increase the security of your passwords.  Some examples of passwords could be something like:
  • 0t4ly31p (using numbers and lowercase letters)
  • AI6GQ44O (using numbers and uppercase letters)
  • lSwSOpf1 (using numbers and lowercase / uppercase letters)
  • uq6"=~$i (using numbers, lowercase letters, and symbols)
  • 9R1`~hF6x (using numbers, lowercase / uppercase letters, and symbols)
As you can see, these would be much more difficult for hackers to guess.  And don't keep your password written down on your desk or anywhere else.
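As an added example (not from the original post), here is a small checker that applies the rules above strictly: it rejects the vendor defaults named in the post, requires numbers, letters and special characters, flags characters a cart vendor may refuse, looks for birthdays and family/city/street names, and reports a password older than six months.  The word lists are constructed for the example.

```python
import re
from datetime import date

# Constructed lists for this example: the default passwords named in the post,
# a few family/city/street names a merchant might be tempted to use, and the
# special characters the post says a cart vendor may reject. All are assumptions.
VENDOR_DEFAULTS = {"password", "test", "123456", "admin"}
PERSONAL_WORDS = {"smith", "chicago", "mainstreet"}
VENDOR_DISALLOWED = set('",:^&\\/')
ROTATION_DAYS = 183   # "at least every six months"

def check_password(pw, last_changed_iso, today_iso, birthdays_iso=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if pw.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default password")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[^0-9A-Za-z]", pw):
        problems.append("no special character")
    rejected = VENDOR_DISALLOWED & set(pw)
    if rejected:
        problems.append("characters the cart may reject: " + "".join(sorted(rejected)))
    lowered = pw.lower()
    for word in sorted(PERSONAL_WORDS):
        if word in lowered:
            problems.append("contains a family/city/street name: " + word)
    for bday in birthdays_iso:
        d = date.fromisoformat(bday)
        # common ways a birthday gets typed into a password
        if any(d.strftime(f) in pw for f in ("%m%d%Y", "%m%d%y", "%Y%m%d", "%d%m%Y")):
            problems.append("contains a birthday")
            break
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    if age.days > ROTATION_DAYS:
        problems.append("older than six months; change it")
    return problems
```

Note that the post's first three sample passwords use no symbols, so this strict version of the rule flags them; the two symbol-bearing samples pass unless the cart rejects the double quote.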

Your server should serve one primary function, i.e. as a web server or a database server.  Running your database server on your web server puts the database at risk, since the web server is directly connected to the Internet.

Shared Hosting

Most Level 4 merchants and some Level 3 merchants will rely on a hosting company.  Usually these hosting companies put hundreds, if not thousands, of other websites on the same server.  This is commonly known as shared hosting.  There are some steps the shared hosting company needs to take to help you become PCI compliant:
  • If a merchant is allowed to run an application on the server, that application should run under that merchant's ID and not as a privileged user (which would possibly have access to other merchants' cardholder data).  To ensure that each merchant only has access to their own information, the hosting company should restrict:
    1. Privileges of the merchant's web server ID
    2. Permissions granted to read, write, and execute files
    3. Permissions granted to write to system binaries
    4. Permissions granted to the merchant's log files
    5. Controls to ensure one merchant cannot monopolize the system resources
  • Logs specific to the merchant's cardholder data should be made available to the merchant so they can verify that no compromises have occurred
  • The hosting company must have a process in place to provide a quick and easy response in the event that a forensic investigation is needed for a potential compromise specific to that merchant
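As an added example (not from the original post or any hosting provider), here is an audit over a constructed snapshot of a shared server that checks the isolation points in the list above: each merchant's files are owned by that merchant and not readable or writable by others, system binaries are not writable by non-root users, and each merchant's cart process runs as the merchant's own ID.  Merchant names, paths, modes and process names are assumptions.

```python
import stat

# Constructed snapshot of a shared server for this example: per-merchant files as
# (path, owner, mode) and the user each merchant's cart process runs as. Merchant
# names, paths and modes are assumptions, not data from a real host.
FILES = [
    ("/home/shopA/public_html/cart.php", "shopA", 0o600),
    ("/home/shopA/logs/access.log",      "shopA", 0o644),  # world-readable cardholder log
    ("/home/shopB/config/db.ini",        "shopA", 0o600),  # owned by the wrong merchant
    ("/home/shopC/logs/access.log",      "shopC", 0o600),
    ("/usr/bin/php",                     "root",  0o775),  # group-writable system binary
]
PROCESSES = [("shopA", "php-cgi", "shopA"), ("shopB", "php-cgi", "root")]
SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def merchant_of(path):
    """Merchant that owns a /home/<merchant>/... path, or None for system paths."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

def audit(files, processes):
    """Return (subject, problem) pairs that break the isolation the post describes."""
    findings = []
    for path, owner, mode in files:
        merchant = merchant_of(path)
        if merchant and owner != merchant:
            findings.append((path, f"owned by {owner}, not {merchant}"))
        if merchant and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "readable or writable by other merchants"))
        if path.startswith(SYSTEM_BIN) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "system binary writable by non-root users"))
    for merchant, name, run_as in processes:
        if run_as != merchant:
            findings.append((f"{merchant}:{name}", f"runs as {run_as}, not {merchant}"))
    return findings
```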

