Posts Tagged 'Myths'

October 5, 2012

Spark::red: Tech Partner Spotlight

This guest blog comes to us from Spark::red, a featured member of the SoftLayer Technology Partners Marketplace. Spark::red is a global PCI Level 1 compliant hosting provider specializing in Oracle ATG Commerce. With full-redundancy at every layer, powerful servers, and knowledgeable architects, Spark::red delivers exceptional environments in weeks, instead of months. In this video we talk to Spark::red co-founder Devon Hillard about what Spark::red does, how they help companies that are outgrowing current solutions, and why they chose SoftLayer.

The Three Most Common PCI Compliance Myths

As a hosting provider that specializes in Oracle ATG Commerce, Spark::red has extensive experience and expertise when it comes to the Payment Card Industry Data Security Standards (PCI DSS). If you're not familiar with PCI DSS, they are standards imposed on companies that process payment data, and they are designed to protect the company and its customers.

We've been helping online businesses maintain PCI Compliance for several years now, and in that time, we've encountered a great deal of confusion and misinformation when it comes to compliance. Despite numerous documents and articles available on this topic, we've found that three myths seem to persist when it comes to PCI DSS compliance. Consider us the PCI DSS compliance mythbusters.

Myth 1: Only large enterprise-level businesses are required to be PCI Compliant.

According to PCI DSS, every company involved in payment card processing online or offline should be PCI Compliant. The list of those companies includes e-commerce businesses of all sizes, banks and web hosting providers. It's important to note that I said, "should be PCI Compliant" here. There is no federal law that makes PCI compliance a legal requirement. However, a business IS required to be PCI compliant technically in order to take and process Visa or MasterCard payments. Failure to operate in with PCI compliance could mean huge fees if you're found in violation after a breach.

Payment card data security is the most significant concern for cardholders, and it should be a priority for your business, whether you have two hundred customers or two million customers. If you're processing ANY credit card payments, you should make sure you are PCI-compliant.

There are four levels of PCI compliance based on the number of credit card transactions your business processes a year, so the PCI compliance process is going to look different for small, medium-sized and large businesses. Visit the PCI Security Standards Council website to check which level of PCI compliance your business needs.

Myth 1: Busted.

Myth 2: A business that uses a PCI-compliant managed hosting provider automatically becomes PCI-compliant.

Multiple parties are involved in processing payment data, and each of them needs to meet certain standards to guarantee cardholders' data security. From a managed hosting provider perspective, we're responsible for things like proper firewall installation and maintenance, updating anti-virus programs of our servers, providing a unique ID for each person with computer access to restrict access to the most sensitive data, regular system scanning for vulnerabilities. Our customer — an online retailer, for example — would need to develop its software applications in accordance with PCI DSS, keep cardholders data storage to a minimum, and perform application-layer penetration tests that are out of their hosting provider's control.

If you're pursuing PCI compliance, you have a significant advantage if you start with a PCI-compliant managed hosting provider. Many security questions are already answered by your PCI-compliant host, so there is a shorter list of things for you to be worry about. You save money, time and effort in the process of completing PCI certification.

Myth 2: Busted.

Myth 3: A business that uses SSL certificates is PCI compliant.

Secure Sockets Layer (SSL) certificates allow secure data transmission to and from the server through data encryption that significantly decreases the network vulnerabilities from IP spoofing, IP source rooting, DNS spoofing, man-in-the-middle attacks and other threats from hackers. However, SSL cannot protect cardholder data from attacks using cross-site scripting or SQL injection, and they don't provide secure audit trails or event monitoring. SSL certificates are an important part of secure transactions, but they're only part of PCI DSS compliance.

Myth 3: Busted.

If you have questions about PCI compliance or you're interested in Oracle ATG Hosting, visit Spark::red, give us a call or send us an email, and we'll do what we can to help. When PCI compliance doesn't seem like a scary monster in your closet, it's easier to start the process and get it done quickly.

-Elena Rybalchenko, Spark::red

This guest blog series highlights companies in SoftLayer's Technology Partners Marketplace.
These Partners have built their businesses on the SoftLayer Platform, and we're excited for them to tell their stories. New Partners will be added to the Marketplace each month, so stay tuned for many more come.
August 5, 2010

Security Myths part 2

Security Myth #4: A hardware firewall will stop the evil hackers from the internet. They also stop viruses and spam emails.

The Facts: A hardware firewall will filter your traffic based on a set of rules. If properly configured, this will certainly harden your system from certain types of attacks. However, if you want to stop intrusion attempts on your server, you probably want to implement brute force protection or intrusion detection (IDS). Most operating systems nowadays include brute force protection in one form or another (although it may not be turned on by default). If you want an IDS, there are several options available. Here at SoftLayer, we offer McAfee Host Intrusion Protection System (or HIPS for short) for Windows systems. This will offer you some additional protection against intrusion attempts, but it is no substitute for a well patched system with strong passwords. This is especially important to know if you contract with an outside agency to configure your firewall for you. It’s easy to delude yourself into a “set it and forget it” attitude toward security. I can’t tell you how many administrators I’ve talked to that have asked “how did I get hacked? I had a firewall!”

The Side Effects:

  • Having a hardware firewall means an additional step to allow access to ports. Can be time consuming.
  • Having a hardware firewall can potentially mean an additional point of failure.
  • Too many rules can mean degraded performance.

Security Myth #5: I run a Unix/Linux based system, so I can’t get hacked.

The Facts: I have seen a fair share of Unix based systems get hacked, simply because the user is unfamiliar with the OS. Running everything from within a control panel is convenient, but make sure you or one of your administrators is familiar with command line access.

The Side Effects:

  • Running a control panel can cause more security holes

Security Myth #6: I have my Wordpress (or other web application) patched to the latest version, so I should be fine.

The Facts: WordPress is a piece of cake to install. You don’t even need to know how to code in HTML. This means you can install it and have it working properly, and still forget to correct your filesystem permissions. You need to make sure that you read the installation documentation and complete all steps. If you just stop reading once the application starts working, you could potentially forget to correct your permissions and someone could gain access as an administrative user. I ran into a situation one time where a user was utilizing a web interface to manage an online marketplace. I was shocked to find out that the link he sent me allowed me in without the use of a password! Make sure that your application doesn’t use the default password or a blank password.

The Side Effects:

  • Having the latest version is great, but make sure you take a 360 degree look around to make sure nothing is out of place

Security Myth #7: I am getting SPAM messages, but I have a firewall.

The Facts: A firewall does not filter SPAM messages. You might look into the free SpamAssassin software that will filter email for potential SPAM. http://spamassassin.apache.org/

Subscribe to myths