A Few Quick Tips For PCI Compliance
(October 11th, 2011) Article By: Sean

PCI DSS is a set of technical and operational requirements created by the PCI Security Standards Council (PCI SSC) to protect cardholder information. These standards apply to the storing, processing and transmitting of payment card data. Sean Bruton, NeoSpire’s Security Director, gives you a few quick tips for becoming PCI compliant.

It’s a common misconception that PCI compliance applies only to e-commerce or large corporations and doesn’t affect small businesses. However, PCI compliance applies to any company that stores, processes or transmits cardholder information. With the increasing instances of credit card fraud, it is more important than ever for businesses dealing with payment cards to be knowledgeable about PCI-DSS compliance and how the repercussions of non-compliance can be disastrous to their business.

A Quick Overview of PCI Security Standards

Build and Maintain a Secure Network
Just as you would never leave the doors of your home or business unattended and unlocked, failing to change the default passwords on your system software will leave you equally exposed to malicious individuals. It’s one of the easiest ways cardholders’ data is stolen. Always change the vendor defaults to your own personalized passwords and login.

Another vital layer of PCI security is installing and maintaining a secure firewall on any business computer or other device connected to the internet that can be used to access cardholder data.

Protect Cardholder Data

  1. It is critical that you encrypt transmission of cardholder data transmitted across any open or public networks. Encryption renders transmitted data unreadable by unauthorized personnel.
  2. It is best not to store cardholder data unless it is absolutely necessary for your business. When sensitive information is stored, restrict physical access to cardholder data, by maintaining strict controls over data storage and accessibility.
  3. Establish a system of controls and procedures which limits physical and technical access to cardholder data, such as ensuring unauthorized visitors, contractors or vendors are not allowed access to areas where cardholder information is stored.

Maintain a Vulnerability Management Program
Establish a system for finding weaknesses (vulnerabilities) in your company’s PCI security system, including making sure that all vendor-provided security patches and critical system software patches are installed and kept up to date. Always use anti-virus software and be sure to keep all anti-virus software or programs regularly updated.

When selecting an internet hosting company, ask about their data security procedures and their PCI Compliance hosting features. NeoSpire Managed Hosting offers PCI Security Services that cover over 75% of the 220 controls mandated in the PCI-DSS, such as event logging, patch management, monitoring and testing.

For more information, Email  sales@neospire.net  or call 1.888.774.2253.

PCI Security Standards Overview
(October 11th, 2011) Article By: Sean

PCI Compliance is a set of 250 procedures and compliance rules set by the PCI Data Security Council to address the growing concerns about credit card fraud and security. In 2004 the 5 major credit card companies, VISA, MasterCard, AMEX, Discover and JCB, worked together to create the PCI Data Security Standard (PCI DSS), which is divided into 12 sections that cover technology and procedural controls to help ensure the safe handling of sensitive payment information.

It is a common misconception that PCI compliance applies only to e-commerce or large corporations and doesn’t affect small businesses. However, PCI compliance applies to any company that stores, processes or transmits cardholder information. With the increasing instances of credit card fraud, it is more important than ever for businesses dealing with payment cards to be knowledgeable about PCI-DSS compliance and how the repercussions of non-compliance can be disastrous to their business.

A Quick Overview of PCI Security Standards

1. Build and Maintain a Secure Network

Just as you would never leave the doors of your home or business unattended and unlocked, failing to change the default passwords on your system software will leave you equally exposed to malicious individuals. It is one of the easiest ways cardholders’ data is stolen. Always change the vendor defaults to your own personalized passwords and login.

Installing and maintaining a secure firewall on any business computer or other device connected to the Internet that can be used to access cardholder data is another vital layer of PCI security.

2. Protect Cardholder Data

Encryption makes transmitted data unreadable by unauthorized personnel, so it is critical that you encrypt cardholder data transmitted across any open or public networks.

It is best not to store cardholder data unless it is absolutely necessary for your business. When sensitive information is stored, restrict physical access to cardholder data, by maintaining strict controls over data storage and accessibility.

Establish a system of controls and procedures which limits physical and technical access to cardholder data, such as ensuring unauthorized visitors, contractors or vendors are not allowed access to areas where cardholder information is stored.

3. Maintain a Vulnerability Management Program

Establish a system for finding weaknesses (vulnerabilities) in your company’s PCI security system, including making sure that all vendor-provided security patches and critical system software patches are installed and kept up to date. Always use anti-virus software and be sure to keep all anti-virus software or programs regularly updated.

When selecting an Internet hosting company, ask about their data security procedures and their PCI Compliance hosting features. NeoSpire Managed Hosting offers PCI Security Services that cover over 75% of the 220 controls mandated in the PCI-DSS, such as event logging, patch management, monitoring and testing.

Taking the Uncertainty Out of ASV Scans (Part 2)
(October 4th, 2011) Article By: Alicia S.

This is Part 2 of the series, 5 Things to Know About ASV Scans for PCI-DSS: Taking the Uncertainty Out of ASV Scanning

4. PCI Failure Due to an Unsupported OS

The term “unsupported” means that whatever OS/package/program was inspected is no longer updated or maintained. The PCI-DSS (Payment Card Industry Data Security Standard) is unclear on unsupported applications; however, PCI requirements dictate that an unsupported OS is an automatic PCI fail.

Regarding unsupported applications, I have seen businesses get by when their application software is no longer supported and removing it would bring their business to a halt, provided they have shown they are working on replacing the unsupported software. The key to maintaining compliance is demonstrable effort in resolving the issue wherever a failure to meet a requirement is detected.

5. Validating Your Results

ASV scans always have to be reviewed and validated because the scanner flags items based on version rather than on actually reproducing the vulnerability. This is much like web application scans that report a vulnerability based on a 200 OK response, even though the request for a non-existent page was redirected to the main page or a custom error page.

It’s a catch-22: producing definitive results by actually exploiting a flaw is highly dangerous to the application or system on which the scan is being conducted. Opting for a non-invasive scan, where the scanner relies on generally known and publicly available data, will continue to require the time-consuming task of validating the results to maintain compliance until scanners include vulnerability information for all OS platforms and distributions by detecting the OS and version.

Some ASVs will do this footwork for you for a nominal fee. For customers who have numerous systems in their environment, validation could take days or months if an efficient system is not in place. This is one reason many large businesses seeking compliance complain to the council about this requirement.

Very large businesses are generally still mapping out fixes for their last scan when the next ASV scan results are compiled and more vulnerabilities are found. This is usually due to new exploits or new scanning techniques. To help customers subscribed to our PCI Solutions with this task, NeoSpire provides validation of ASV scan results as a value-added service.

Summing It All Up

The PCI Council stated in their Summit meeting last November that QSAs need to take into account the effort taken to reduce the vulnerabilities found in scans and not be so stringent about denying compliance if 4 passing scans per quarter are not achieved. The council realizes it is difficult, which is why NeoSpire is committed to helping our customers with any questions and providing PCI Solutions to help serve your needs.

It is not my intention to imply that businesses should not upgrade, but merely to educate and offer the benefit of my experience with the requirements for handling scan results. Understanding all aspects of the vulnerabilities detected by ASV scans can help you avoid PCI-DSS issues in the future.


Taking the Uncertainty Out of ASV Scans (Part 1)
(September 27th, 2011) Article By: Alicia S.

The Payment Card Industry Data Security Standard (PCI-DSS) requires a business to have at least one passing Approved Scanning Vendor (ASV) scan per quarter; however, for some businesses it’s not always possible to have a scan return clean.

This is the first part of a 2 part series on Understanding Approved Scanning Vendor Scans for PCI-DSS.

1. Know Your Environments

As a Security Operations Supervisor, I’ve encountered many scenarios in which businesses are unaware that they have the ability to dispute or appeal the vulnerabilities claimed in the ASV scan results. They believe that they must upgrade and migrate entire environments to other operating system platforms in order to achieve a compliant scan result.

Frequently ASVs do not educate consumers on what their options are. Until recently, most of them did not account for backported fixes in popular Linux distributions, and many of them still do not. For a scan to be non-invasive it relies on some very generic data being present. With some Linux-based operating systems, that data can be quite misleading.

Often businesses are misled or even frightened of the results of their ASV scans because of a lack of understanding of their environment and of the requirement. When I find customer requests for PCI related upgrades, I do my best to educate the customer and provide them with options on how to deal with the perceived vulnerability.

2. Understand the Vulnerability

For instance, you may have the latest version of Apache2 installed on a popular Linux distribution. The security tracking site may show it to be vulnerable. Some people stop right there and think “I need to upgrade,” only to find out there is no distribution-based upgrade available to fix the vulnerable package! At this point they are plagued with uncertainty, fear that their compliance is on the line, and entertain thoughts of moving to another OS.

However, reading what the vulnerability is about and discovering how it’s triggered or exploited is the first step to validating the scan result. Take, for instance, the vulnerability cited in CVE-2009-3095, where the weak link is the mod_proxy_ftp module in the Apache 2 package in versions prior to 2.2.9-10+lenny6. Although the module may be vulnerable, the entire Apache2 package is not. If the module is neither installed nor enabled, the vulnerability cannot be triggered. Thus, it can be appealed or disputed and dismissed as a false positive.

3. Validating Scan Results

With popular Linux distributions, backporting fixes is common. For most Linux-based results, the versions cited in the CVE (Common Vulnerabilities and Exposures) description mean nothing on their own; you must refer to the distribution’s bug and security tracker to determine whether the vulnerability exists, or perform a case analysis to determine whether the vulnerability exists by actually attempting to exploit it.

You should also take into account the application’s supporting packages. If a vulnerability exists only when two packages are used in conjunction and only one of those packages is installed, you would appeal the finding on the basis that the vulnerability requires the presence of both packages. If the tracking site shows that a package is vulnerable only when a specific function, module or setting is used, then you need to determine whether you actually use that function, module or setting on your server or in your code. If not, you can appeal and get it dismissed.

If you do not see a fix for a specified CVE or vulnerability in your Linux distro’s security/bug tracking information, you will need to dig further to determine your vulnerability status. You may not be vulnerable, depending on the vulnerability, its mechanics, and how it applies to your system and its configuration.

This is Part 1 of a 2 part series. If your Approved Scanning Vendor results are alarming, come back next week for Part 2 of 5 Things to Know About Approved Scanning Vendor Scans for PCI-DSS: Taking the Uncertainty Out of ASV Scans.

4 Drupal Hosting Mistakes to Avoid
(August 30th, 2011) Article By: Joy

Drupal, the popular content management system known for its vibrant open-source community, creates powerful and robust websites and has proven its ability to power many high profile sites. The high traffic demands of thousands of enthusiastic fans made Drupal the logical choice for Justin Bieber’s popular site, BieberFever.com. What do web developers need to ensure that their Drupal-powered sites have a robust hosting infrastructure that can withstand the demands of any anticipated traffic?

1. Unreliable Performance Hosting

Start with a good plan. Are you anticipating a surge in demand? Commercial sites, like Dallas Cowboys.com often experience traffic spikes after a winning game or with a sales promotion. If your hosting environment isn’t capable of scaling quickly to accommodate these changes, you risk frustrating users and incurring potential losses in revenue.

2. Inadequate Security

With Drupal’s increase in popularity, it has of course become a target for those who are seeking either information or publicity. They might attempt to deface or disrupt sites they can’t access, or, of course, criminals might attempt to penetrate any site that deals in credit cards, social security numbers or other confidential information. To counter these assaults, your hosting company must go beyond standard firewalls and port filtering to include firewall rule sets such as Access Control Lists. Web application firewalls are another way to prevent specialized attacks like SQL injection, remote command execution or cross-site scripting. These precautions will help to ensure that your Drupal site remains active and secure.

3. Poor Performance

The performance of your site depends on how well your infrastructure is optimized for Drupal’s unique characteristics. To guarantee efficient operation, your hosting provider must go beyond the typical Apache-PHP-MySQL solutions. Does your provider use Solr, a search platform for Drupal that is faster than Drupal’s native search?

Does your hosting service provider have these add-ons, all directly linked to effective data caching, to help you avoid site slowdowns?

  • Varnish, a reverse proxy cache that will increase your data availability. Varnish is custom-designed to cache content based on HTTP headers.
  • APC (Alternative PHP Cache).
  • Memcached, which can reduce external data calls and speed site responsiveness.

4. Not Load-Testing Your Site

Site performance will be increased by load-balanced application servers. It is a good idea for the system to employ some form of replication and failover at the database layer to ensure that your Drupal databases aren’t adversely impacted. These customized, technical improvements will have a major impact on the robustness and scalability of your Drupal site.

It is a good idea to not only load-test before your Drupal site is deployed, but to do it on a periodic basis to make sure it can handle anticipated traffic. A reputable hosting partner will also provide you with 24/7 monitoring and a fast response when issues arise.

Avoiding these mistakes will help you to create a fast and reliable site that takes advantage of Drupal’s content management power.

How Do You Measure Customer Satisfaction?
(August 24th, 2011) Article By: Theresa Cruthers

Satisfied or Dissatisfied, does it matter?

How often do you take the time to fill out a satisfaction survey after a service has been provided? Do you only fill it out when you’ve had a horrible experience? At times it may seem like satisfaction surveys are a nuisance or time consuming, but have you ever stopped to think why companies have satisfaction surveys?

I recently had a pleasant experience purchasing a car (how often does that happen?). During the process my motoring advisor (sales rep) asked that when I receive a satisfaction survey from the dealership to fill it out since it goes towards his performance. In most cases I may have deleted the email thinking it was a piece of spam from the dealership. But after he mentioned it went towards his performance, it had more weight and definitely made me want to fill it out since he did a stellar job. When I received the email I immediately filled out the survey and provided a lengthy paragraph describing my experience and my complete satisfaction, along with kudos to my motoring advisor. It felt good knowing that I impacted another individual’s life positively.

How does NeoSpire accurately measure customer’s satisfaction?

At NeoSpire, we receive survey responses from most of our customers after a support ticket has been completed, which provides us with a good barometer on whether or not we are meeting our customers’ needs and expectations. NeoSpire takes the customers’ voice seriously since ticket surveys are a big part of our ongoing quality controls. The feedback received from our customer surveys is sent to NeoSpire’s leadership team, enabling real-time awareness of what is and isn’t working well for our customers so we can take action to remedy a situation.

Knowing that my opinion counts whether it’s positive or negative goes a long way. Next time you get a survey for services received, think twice before deleting it or throwing it away, your feedback is worth more than you know.


What Does It Mean To Be Committed To Excellence?
(August 17th, 2011) Article By: Art Cuellar

Commitment – the act of committing, pledging, or engaging oneself.
Excellence – the fact or state of excelling; superiority; eminence

The combined definition is: committing or engaging oneself to the state of excelling. Who would argue with that? I don’t think anyone can or would, but how is this applicable to professionals or corporate culture? No CEO would ever admit that their organization or company is not committed to excellence; that’s just bad for business. So where does the rubber meet the road? Why is this a difference maker? Why does it matter?

While sitting in a meeting, I was looking at NeoSpire’s core values prominently displayed on the wall of the conference room. I started to think about my own commitment to excellence. I listened to my coworkers commend employees for their commitment to excellence. Several times I thought, “Is that really being committed to excellence or is it simply doing your job?” To be honest I asked myself, “What the hell does it actually mean to be truly committed to excellence?” I understood or thought I understood what the words themselves meant. I was familiar with Al Davis and the Oakland Raiders’ anthems: “Commitment to Excellence” and “Just Win Baby”. I thought I understood what it meant to me, but what did it mean to my coworkers, my teammates and our leadership? Was it open to my own interpretation?

As a core value, my company has defined “commitment to excellence” as: Aspiring to perfection and going above and beyond.

That’s great!  Companies all over the world have adopted similar mantras. Google it…it shows up everywhere. That being the case, what makes my company any different than others with similar core values? Is there any difference? Should there be? The answer is yes, there should be a difference. YES my company’s commitment to excellence is a differentiator and here’s why:

I believe it. I have committed myself to getting better each and every day. I have committed myself to engage in the state of excelling. I’m not saying I am excellent, just that I want to be and will bust my ass in an effort to be.

So the skeptic would say, “ok big shot…I’m just as committed as you are, now what?” The difference is this: I will commit myself to not only strive for excellence in everything I do each day, but I’m going to hold myself, my teammates, my peers and my leadership accountable to the same standards. And when they aren’t, I’m not afraid to tell them so, and they need to be willing to reciprocate. Are we at that place today? No we are not. Do we need to be? Absolutely! When, as a collective, we are holding each other accountable for being committed to excellence, then and only then will we have the level of transparency, honesty and strength to make this company different…special.

Start now: ask yourself, take a personal inventory. I challenge each of you to make an assessment of your personal and professional commitment to excellence. More importantly, are you sincerely confident and unwavering enough in your commitment that you are willing to hold everyone around you accountable?

The Delivery of a Sales Promise Starts with Support
(August 9th, 2011) Article By: Jim

How many times has this happened to you? You bought a product from a terrific sales person who sold you on the attributes of their company and the product, only to be left dealing with an apathetic Support department who has little knowledge and less concern about you (the customer) and the very things that made the offering so compelling during the sales process?

We’ve heard the horror stories from our family and friends who bought a new car, only to have it serviced for the first time and could not get anyone to help them. Maybe we are too familiar with the story about the company that gets the great new copier/scanner/fax that is amazing until it stops working. At which point, business comes to a halt while everyone waits for the service guy to appear several hours, if not days, later.

The Importance of Sales Support

Understanding that the Sales department is simply the beginning of the sales process is important to fully understanding the holistic expectations of customers, and what makes them stay with a vendor (not just buy from them). Equally important is having a Support team that understands that every customer interaction, no matter how trivial or how desperate the reason for the contact may be, is just another step in a never-ending Sales cycle that started with the first prospecting call, before contracts or solutions were decided.

It is important to realize that Support is simply the continuation of the Sales promise. That fact makes hiring, retaining and developing the right personnel on the Support team one of the most important things a company can do to bolster Sales.


How To Prepare For a Webcast
(August 3rd, 2011) Article By: Lori

For those of us who are not used to getting in front of a camera and speaking, the thought of having to do a webcast can be quite daunting. Recently, our CEO, Mitch Gervis suggested that it would be a good idea for each member of the Sales Leadership Team to pick a subject relating to our departments and make a webcast for our website.

As I sat in our meeting listening to this request I could slowly feel the dread coming over me at the thought of speaking in front of a camera. While my fear consumed me, a more courageous coworker spoke up and asked, “Is this mandatory?” I felt a sudden glimmer of hope at the possible response to this brave question. The CEO calmly stated it wasn’t mandatory and that he would not force us to do this if it made anyone uncomfortable. I was poised to raise my hand to say that I preferred not to participate when his next comment stopped me dead in my tracks: “But I can’t understand why any of you wouldn’t want to do one.” The rest of the meeting was a complete blur while I contemplated the prospect of the dreaded task ahead.

Webcasting is a way of broadcasting over the Internet. A webcast can either be a live event or in pre-recorded form, played on demand on your website or on sites like YouTube. Fortunately, in my case it would be pre-recorded, which gave me the time I needed to prepare before I went in front of the camera.

Step 1: Writing the Script

Once I had chosen the topic for my webcast, I began the preparation by writing the agenda and the script, with dialogue for the other participants. Fortunately, I was already familiar with the topic, which made writing the dialogue much easier. Wanting to keep the webcast short but interesting, I wrote an outline of the points I wanted to cover. From the outline, I wrote the script and dialogue for the webcast. The outline and script will also be helpful if you are planning to use slides in your presentation.

Step 2: Practice, Practice, Practice

Once the script was completed, I began the mental preparation of facing down my fear of being on camera. I didn’t want to sound like a bumbling idiot. Practicing is the answer. Even the most seasoned professional speaker or broadcast journalist needs to practice. To alleviate my fears and build up my confidence, I practiced in front of a mirror, all the while saying to myself, “I can do this”.

After several successful attempts of addressing my audience of one, I was convinced I was ready for the real thing. We recorded a dry run. What a nightmare (or so I thought). Our Director of Marketing and her assistant continually assured me it was going well, if I could just stop blurting expletives every time I made a mistake. So sorry, don’t want to sound like a sailor. Just frustrated at myself after all the practicing in the mirror with no mistakes.

After a few practice runs and some good feedback, I began to settle down and feel a little more confident and comfortable in front of the camera. I began to get a feel for it and thought I could actually do this. Then I made the mistake of looking at the footage of what had been taped. Oh my, I looked completely ridiculous. Standing there like a mummy, what was I thinking? This is not my cup-o-tea. How did I get roped in to this? Drowning, sinking, get me out of here!! Of course these were all the thoughts and feelings raging inside my head but not expressed outwardly so as not to seem hysterical. The rational side of me asked whether we could do it one more time so I wouldn’t look like a talking statue, and then I really tried to relax. The last take was bearable and I was assured that if I performed like that at the actual taping, all would be well. I dared to take another look and wasn’t too horrified at what I saw.

Step 3: Relax and Record

For me, diving head first into the murky waters of webcasting was the only way I was ever going to get through it. Addressing and acknowledging my fears by accepting the task at hand gave me the courage needed to complete it. It also let me know that sometimes I’m a little too hard on myself and that I need to lighten up a bit and try something new, step out of my comfort zone for once. After all is said and done, it really wasn’t as hard as I had thought and I would like to think that the outcome was a couple of pretty good comments that put the company in a positive light.


Owning a Piece of the Sky – Hosted Private Clouds
(July 28th, 2011) Article By: Joy

Ah, clouds… you immediately conjure up images of white fluffy water vapor floating in the sky, but turn to what it means in the hosting/technical world and (pardon the pun) things get cloudy. Microsoft commercials would have you believe that a cloud is somewhere you can fix pictures of your family, some hosting companies say that it is an infinitely scalable space for your web applications, and then there is the Private Cloud.

Like traditional Cloud Hosting, private clouds are not limited to a specific number of servers; the website/application has access to multiple servers making the processing power virtually unlimited as new servers can be added to scale up.  Private Cloud offers the efficiency, flexibility and scalability that virtualization (Cloud Hosting) offers, but with the added security and resources of a dedicated environment.

Hosted Private Cloud is a popular way for companies to immediately see the benefits of Private Cloud computing while avoiding significant upfront costs of deploying the hardware and software resources in-house, but there are some important things to consider.

5 things to consider when you are thinking about a Hosted Private Cloud

1. Security, Security, Security

Whoever you go with to host your cloud should have audited security procedures in place, such as SAS70. The security of the operating system, applications and other stacks makes a hosted private cloud only as secure as the hosting provider’s security staff make it. If your private cloud provider supplies patches to the operating system as part of their offering, you should determine how this patching affects your internal application testing, support and maintenance windows.

2. Have a backup and disaster recovery plan

In a hosted private cloud environment it is critical to understand how your data is being protected by your provider. Some example questions to ask are:

What is backed up or protected?

How fast can deleted files or servers be recovered?

How quickly in a complete site failure will your data be back online?

How can you validate the backups are valid and recoverable?

3. Understand how you will be billed

Private cloud billing can be quite complex with some providers. Memory, processors, CPU, input and output bandwidth, are just a few of the variables that can make your monthly price vary drastically.

4. Develop a monitoring strategy

It is important to understand how the Private Cloud provider will monitor the status and performance of your hosted cloud. This way you can develop a strategy to integrate their process into your existing IT controls to help determine how best to resolve any issue.

5. Make sure you have dedicated equipment

Public clouds are multi-tenant environments similar to shared hosting, with some of the same downfalls: How secure is your data? Where is your data? How reliable will performance be? However, for hosted private clouds, having the server, networking and storage tiers dedicated to your company will result in the most predictable performance and the simplest security model.
