Posts Tagged 'Pci Compliance'

June 22, 2015

3 Reasons Citrix NetScaler Should Be in Your PCI DSS Compliant Application Stack at SoftLayer

Whether you already process credit card information or are just starting to consider it, you’ve likely familiarized yourself with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS’s 12 requirements (plus one appendix for service providers) outline what you need to do to have a compliant workload and to pass your audits.

While SoftLayer handles the physical access and security aspects on our platform, we also offer tools to supplement your internal tools and processes to help you maintain PCI-DSS compliance, such as the Citrix NetScaler VPX and MPX Platinum Edition product line.

Unique Features NetScaler Offers That Support PCI-DSS

  1. Mask Payment Account Numbers (PANs)

     With NetScaler Platinum Edition it’s possible to configure the device to block or mask PANs to prevent leakage of cardholder data—even if your application is attempting to present the data to a user. This is extremely useful when adhering to PCI-DSS Section 3.3—the first six and last four digits are the maximum number of digits to be displayed.

     NetScaler provides reporting as well so that your developers can tighten up that aspect of your application for more identification protection.

  2. Detect and Prevent Web-based Attacks

     By deploying a Web application firewall into your application stack, you can fully comply with PCI-DSS Section 6.6, which requires addressing new threats and vulnerabilities on an ongoing basis and ensuring these applications are protected against known attacks. The NetScaler Application Firewall module included in Platinum Edition provides continuous protection and can dynamically adjust to changes in your application code.

  3. Prevent Buffer Overflow, XML Security, Cross Site Scripting, & SQL Injection

     The NetScaler Web Application Firewall helps close the door on many common coding vulnerabilities outlined in PCI-DSS Section 6.5. By utilizing XML security protections, form tagging, dynamic context sensitive protections, and deep stream inspection, you can block, log, and report on these common security vectors and ensure your development team can shore up your applications.
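To make the Section 3.3 masking rule concrete, here is an added Python example (not NetScaler's own logic or configuration) of what a response-scrubbing rule does: it finds candidate card numbers in an outgoing HTTP body, uses the Luhn checksum to avoid masking ordinary digit strings such as order IDs, and reduces each real PAN to at most its first six and last four digits. The sample response body and card number are constructed test values.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3); preserve separators."""
    n = sum(c.isdigit() for c in pan)
    out, idx = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if idx < 6 or idx >= n - 4 else "X")
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def scrub_response(body: str):
    """Mask every Luhn-valid PAN in a response body; return (scrubbed body, PANs found)."""
    found = 0

    def repl(match):
        nonlocal found
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            found += 1
            return mask_pan(candidate)
        return candidate        # digit run that is not a card number: leave it alone

    return PAN_RE.sub(repl, body), found


if __name__ == "__main__":
    # Constructed response body: an order id (fails Luhn) and a test card number (passes Luhn).
    body = "Order 1234567890123456 paid with card 4111 1111 1111 1111."
    print(scrub_response(body))
```

The `found` count is what a reporting feature like the one described above would surface to developers, since every hit means the application itself tried to emit an unmasked PAN.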

How to Order
SoftLayer offers Citrix NetScaler VPX Standard and Platinum Editions in multiple bandwidth packages—10Mbps, 200Mbps, and 1Gbps. Order these quickly and easily from your customer portal devices page (click order devices, scroll to networking devices, and select Citrix NetScaler).

SoftLayer also provides the NetScaler MPX for customers that require a dedicated hardware appliance running the NetScaler OS that can handle thousands of concurrent SSL transactions. To order the MPX product, chat with one of our sales advisors.

Be sure to take a look at some of the other features included with Citrix NetScaler.

Learn More About PCI-DSS
SoftLayer supports PCI workloads by providing the physical security required in the DSS. Within the customer portal you’re able to pull our most recent SOC 2 Type II audit report. You can use this as part of your compliance strategy. The rest is up to you to take advantage of the tools and services to make sure you meet the remaining PCI standards. Additionally, when you’re working with your PCI-DSS qualified security assessor, we can also provide an Attestation of Compliance.

For more information on compliance standards, check out http://www.softlayer.com/compliance.

-Seth

October 5, 2012

Spark::red: Tech Partner Spotlight

This guest blog comes to us from Spark::red, a featured member of the SoftLayer Technology Partners Marketplace. Spark::red is a global PCI Level 1 compliant hosting provider specializing in Oracle ATG Commerce. With full redundancy at every layer, powerful servers, and knowledgeable architects, Spark::red delivers exceptional environments in weeks, instead of months. In this video we talk to Spark::red co-founder Devon Hillard about what Spark::red does, how they help companies that are outgrowing current solutions, and why they chose SoftLayer.

The Three Most Common PCI Compliance Myths

As a hosting provider that specializes in Oracle ATG Commerce, Spark::red has extensive experience and expertise when it comes to the Payment Card Industry Data Security Standards (PCI DSS). If you're not familiar with PCI DSS, they are standards imposed on companies that process payment data, and they are designed to protect the company and its customers.

We've been helping online businesses maintain PCI Compliance for several years now, and in that time, we've encountered a great deal of confusion and misinformation when it comes to compliance. Despite numerous documents and articles available on this topic, we've found that three myths seem to persist when it comes to PCI DSS compliance. Consider us the PCI DSS compliance mythbusters.

Myth 1: Only large enterprise-level businesses are required to be PCI Compliant.

According to PCI DSS, every company involved in payment card processing online or offline should be PCI Compliant. The list of those companies includes e-commerce businesses of all sizes, banks and web hosting providers. It's important to note that I said, "should be PCI Compliant" here. There is no federal law that makes PCI compliance a legal requirement. However, a business IS required to be PCI compliant technically in order to take and process Visa or MasterCard payments. Failure to operate in PCI compliance could mean huge fees if you're found in violation after a breach.

Payment card data security is the most significant concern for cardholders, and it should be a priority for your business, whether you have two hundred customers or two million customers. If you're processing ANY credit card payments, you should make sure you are PCI-compliant.

There are four levels of PCI compliance based on the number of credit card transactions your business processes a year, so the PCI compliance process is going to look different for small, medium-sized and large businesses. Visit the PCI Security Standards Council website to check which level of PCI compliance your business needs.

Myth 1: Busted.

Myth 2: A business that uses a PCI-compliant managed hosting provider automatically becomes PCI-compliant.

Multiple parties are involved in processing payment data, and each of them needs to meet certain standards to guarantee cardholders' data security. From a managed hosting provider perspective, we're responsible for things like proper firewall installation and maintenance, updating anti-virus programs on our servers, providing a unique ID for each person with computer access to restrict access to the most sensitive data, and regular system scanning for vulnerabilities. Our customer — an online retailer, for example — would need to develop its software applications in accordance with PCI DSS, keep cardholders' data storage to a minimum, and perform application-layer penetration tests that are out of their hosting provider's control.

If you're pursuing PCI compliance, you have a significant advantage if you start with a PCI-compliant managed hosting provider. Many security questions are already answered by your PCI-compliant host, so there is a shorter list of things for you to worry about. You save money, time and effort in the process of completing PCI certification.

Myth 2: Busted.

Myth 3: A business that uses SSL certificates is PCI compliant.

Secure Sockets Layer (SSL) certificates allow secure data transmission to and from the server through data encryption that significantly decreases the network vulnerabilities from IP spoofing, IP source routing, DNS spoofing, man-in-the-middle attacks and other threats from hackers. However, SSL cannot protect cardholder data from attacks using cross-site scripting or SQL injection, and it doesn't provide secure audit trails or event monitoring. SSL certificates are an important part of secure transactions, but they're only part of PCI DSS compliance.

Myth 3: Busted.

If you have questions about PCI compliance or you're interested in Oracle ATG Hosting, visit Spark::red, give us a call or send us an email, and we'll do what we can to help. When PCI compliance doesn't seem like a scary monster in your closet, it's easier to start the process and get it done quickly.

-Elena Rybalchenko, Spark::red

This guest blog series highlights companies in SoftLayer's Technology Partners Marketplace.
These Partners have built their businesses on the SoftLayer Platform, and we're excited for them to tell their stories. New Partners will be added to the Marketplace each month, so stay tuned for many more to come.

January 21, 2010

2010 PCI Compliance and You

I know you already know everything about PCI compliance, especially the if’s, and’s, and but’s that go along with it. But, just in case you forgot, here it is in a nutshell.
Is PCI compliance a Federal law? Nope! Not yet anyway. Some states do make it a crime to let credit card data “be” stolen.
What is PCI? It is actually PCI DSS and it stands for Payment Card Industry Data Security Standard.
Who needs it? Anyone that accepts, transmits, or stores ANY credit card data.
Are there different levels? Yes, I am glad you asked.

  • Level 4 – Any merchant processing fewer than 20,000 credit card e-commerce transactions in a 12 month period
  • Level 3 – 20,000 up to 1 Million transactions
  • Level 2 – 1 Million up to 6 Million
  • Level 1 – 6 million + (or any merchant that Visa feels should meet level 1 to minimize risks) This is what we are all striving for, right?

Who cares if you are PCI compliant? For starters, YOU should! And secondly, your merchant bank will care. They will care more the larger you get. See minimize risks statement above.
Since it isn’t a federal law should I risk it, because I know my security and I am impenetrable? I wouldn’t take that risk because you can still pay fines, card replacement costs, and pay for forensic audits, etc., if someone were to get in and steal data.
How can SoftLayer help? For starters and a quick level 4 fix you can go here and get free scanning on a single IP. Combine that with a “quick” questionnaire about your physical and data security policies and voila, no onsite visit needed and you are now PCI Level 4. McAfee can help you with your higher-level compliance if you would like. Don’t take the questionnaire too lightly because remember you do care about PCI!
Ok so if you have made it this far then you must like boring reading. Go read this. It might come in handy someday. It is the “do this if you get hacked” cheat sheet.
On to 2010! MasterCard stepped up in 2009 and stated that even their Level 2 merchants had to have an onsite QSA assessment by December 31, 2010. That has now been pushed to June 30, 2011. There seems to be some confusion from the other Credit Card companies and they didn’t all jump on board. One thing that they did all agree on is that you can’t put credit card info on WEP secured wireless at all after July 2010. Just don’t do it! And don’t use old un-patched payment applications because they are insecure and will not be allowed after July as well.
This could all change just like Texas weather. If you don’t like the new rules, then just wait a couple of days and they may change it more to your liking. There are still a few things they are looking at going forward that I will let you in on and then I assure you I will stop typing. PCI 1.2 is still about stopping hackers from getting in, but there is a new interest in the community on addressing “internal” hackers. The current focus of PCI is aimed at card data “after” authorization but doesn’t say much about card data that is kept prior to authorization, so you can bet that will be added soon too, and of course cloud infrastructure and card data has to be on everyone’s radar screen soon.
