Best configuration for PCI

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Post Reply
NickJ
Ensign (ENS)
Ensign (ENS)
Posts: 10
Joined: Mon Oct 13, 2008 8:59 pm

Best configuration for PCI

Post by NickJ » Wed Oct 15, 2008 9:46 am

Ok, simple question.... The best practices guide says to have the SQL server on it's on box. Not a big deal... but what about the SQL box behind a 2nd firewall? Would Able support that? My rational is that if the data is behind a 2nd firewall where the only thing that can penetrate it is something like a web service then we'd be that much more secure.

Would this even be possible?

User avatar
Shopping Cart Admin
AbleCommerce Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA
Contact:

Re: Best configuration for PCI

Post by Shopping Cart Admin » Wed Oct 15, 2008 10:01 am

Hello Nick,

Yes it's supported as you still are leaving the needed ports open though the firewall between the web/sql server.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

User avatar
Kalamazoo
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Wed Apr 01, 2009 6:10 pm

Re: Best configuration for PCI

Post by Kalamazoo » Wed Jun 23, 2010 12:25 pm

If we always use a payment gateway like authorize.net and never store credit cards in Able 7, then do we need the firewall and separate SQL hosting box? I was told no where we host, but I would like more knowledge on this topic.

Thanks,

Phil

User avatar
Shopping Cart Admin
AbleCommerce Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA
Contact:

Re: Best configuration for PCI

Post by Shopping Cart Admin » Wed Jun 23, 2010 12:43 pm

Hello Phil,

The information they have given you is incorrect. If you accept cc payments on your website then you must be using only pci certified applications by July 1st and be following all of the other rules as well.

If you're using a payment gateway such as paypal or google checkout where the payment is made on paypal's or googles website, then the pci rules wouldn't apply.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

User avatar
Kalamazoo
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Wed Apr 01, 2009 6:10 pm

Re: Best configuration for PCI

Post by Kalamazoo » Wed Jun 23, 2010 1:06 pm

Time to order the dedicated SQL box and lock them down. I am sure its somewhere in the forums but who do you recommend for PCI scanning of installed websites? Thanks Mike.

Phil

User avatar
Shopping Cart Admin
AbleCommerce Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA
Contact:

Re: Best configuration for PCI

Post by Shopping Cart Admin » Wed Jun 23, 2010 1:10 pm

Hello Phil,

Currently we use McAfee Secure, but there are a number of lower cost alternatives including one from our ssl provider.

http://www.instantssl.com/hackerguardia ... iancy.html

If it's any kind of serious store then the McAfee 'brand' is worth the extra money, if you're using the seal.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

User avatar
Kalamazoo
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Wed Apr 01, 2009 6:10 pm

Re: Best configuration for PCI

Post by Kalamazoo » Wed Jun 23, 2010 4:34 pm

McAfee Secure has a nice enterprise edition for the year for 20 IP's which will handle our data center for now. We have been watching all the Trustwave PCI seminars for a long time and they are free. https://www.trustwave.com/ . We are also looking at the http://www.alertlogic.com infrastructure. It's not that PCI is hard, it's just mandatory and providers and customers just have to prepare for it properly.

Thanks for the PCI complaint software. Now we just have to finish the job at the data center and the customers at their workplace.

Have a great day!

Phil Chrisman

User avatar
Shopping Cart Admin
AbleCommerce Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA
Contact:

Re: Best configuration for PCI

Post by Shopping Cart Admin » Wed Jun 23, 2010 5:17 pm

Howdy Phil,
PCI complaint software
Just to clarify AbleCommerce 7.0.x is PCI PA-DSS 1.2 CERTIFIED compliant which is required after July 1st 2010 IF you accept credit cards. Prior to July 1st 2010 you need only be using products which 'claim' to be compliant.

There are already a number of state laws (mostly protecting the CC companies) being put on the books which make PCI the law of the land. The law states if you have a breach then the enormous cost of the investigation goes to the merchant UNLESS they are following the PCI requirements.

It's really ironic how many people just don't understand that the vast majority of shopping cart products will be 'DOA' July 1st or at the very least a ticking time bomb of liability, fines and other such joys.

Last time I checked there are maybe a dozen shopping cart products which will be allowed after July 1st, out of the estimated 500 carts that practical ecommerce has identified on the market.

https://www.pcisecuritystandards.org/se ... dards/vpa/

Due to the nature of open source development, I'm not even sure you could get them PCI certified as much of the certification process is about procedures, training, and such of the development team.

There is an October deadline as well: The 12 month deadline on phase 4 where VNPs and agents must decertify all vulnerable payment applications. Merchant account providers and payment gateways have been compiling a list of 'vulnerable payment applications' which they must decertify within 12 months of identification. Products most at risk for decertification are high profile open source products such as OSCommerce that would have been identified by multiple VNPs and agents by now.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

User avatar
Kalamazoo
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Wed Apr 01, 2009 6:10 pm

Re: Best configuration for PCI

Post by Kalamazoo » Thu Jun 24, 2010 6:51 pm

Mike,

Many sharp thinking people are finding this information suggestive of being only a tier 4 and thus PCI-DSS is only a minor issue for them right now.
Merchants who are interested in receiving more information on a PCI Data Security Standard Self-Assessment can visit https://www.pcisecuritystandards.org/saq/index.shtml or Visa's Website at http://usa.visa.com/merchants/risk_mana ... l#anchor_2
and thus from Level 4:
Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer
This information confuses people from one extreme to another, such as "...I don't need to think about it..." all the way to "...only one ecommerce application can run on the IP facing machine and the subsequent database on another machine with no other ecommerce customer sharing said resource..."

Anyway I have agreed with you on the the need for the architecture, SAQ, Proactive scans and taking immediate action, but what about the multiple accounts per dedicated IP facing box and separate database box? What are your findings in this last area?

Thanks for the timely thread Mike,

Phil Chrisman

Post Reply