Guide to PCI Compliance

Introduction

The Payment Card Industry (PCI) Data Security Standard is an information security standard for the handling of credit card information.

The PCI requirements have six objectives:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Your organization and website can be PCI compliant without ever paying for a compliance validation service to perform testing and reporting. Additionally, smaller merchants and service providers are not required to explicitly validate compliance.

Maintaining PCI Compliance

ServerPilot configures your server securely, manages updates, and installs a firewall; however, this is not enough to make you PCI compliant. PCI compliance is fundamentally about the practices of your organization.

To be PCI compliant, both your internal practices and your apps must be PCI compliant. Some factors to consider when determining whether you need to be PCI compliant, and whether you currently are, include the following:

  • Is credit card or cardholder information stored by your app?
  • Who has access to your apps and data?
  • Is HTTPS used everywhere on your site?
  • Are your apps and plugins kept updated with security patches?

Dealing with Scans That Have False Positives

Some PCI compliance scanning companies and tools may report false positives when performing PCI compliance scans of your server or apps. Scans can report false positives for many reasons.

For example, a common approach to releasing package security updates that is used by Ubuntu and other Linux distributions is to apply a patch to a package rather than update the software to the latest version. This is called "backporting" and is done to maintain stability while keeping your server secure. Many PCI compliance scans will look only at the software version and will not take into account the particular distribution and package release number. In many of these cases, informing the scanning agency of the specific package version and Ubuntu version is sufficient to address false positives.
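The following POSIX shell snippet is an added example, not part of this guide or of ServerPilot's tooling. It shows why a scanner that reads only the upstream version string cannot distinguish a patched Ubuntu package from an unpatched one, and how the package's distro revision and Debian changelog carry the information needed to answer the scanner. The package name, version numbers and CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not ServerPilot documentation). All package, version and
# CVE values are constructed placeholders, not real advisories.

# Split a Debian/Ubuntu package version into its upstream part and its
# distro revision: "1.2.3-4ubuntu0.6" -> upstream "1.2.3", revision "4ubuntu0.6".
# A banner-based scanner only ever sees the upstream part.
upstream_version() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

distro_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Constructed excerpt of what /usr/share/doc/<pkg>/changelog.Debian.gz looks
# like once a fix has been backported. On a real host you would read it with:
#   zcat /usr/share/doc/<pkg>/changelog.Debian.gz | grep -i CVE-YYYY-NNNN
CHANGELOG='examplepkg (1.2.3-4ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder issue
    - debian/patches/CVE-0000-00001.patch: bounds check in src/parse.c
    - CVE-0000-00001

examplepkg (1.2.3-4ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: earlier placeholder issue
    - CVE-0000-00002
'

# Return 0 when the changelog records a fix for the given CVE id, 1 otherwise.
changelog_has_fix() {
    printf '%s' "$CHANGELOG" | grep -q -- "$1"
}

# Contrast the scanner's view (upstream version only) with the package view
# (distro revision plus changelog), which is what you send the scanning agency.
report() {
    pkg_version="$1"; cve="$2"
    echo "scanner sees upstream version: $(upstream_version "$pkg_version")"
    echo "installed distro revision:     $(distro_revision "$pkg_version")"
    if changelog_has_fix "$cve"; then
        echo "$cve: backported fix recorded in package changelog (likely false positive)"
    else
        echo "$cve: no fix recorded; investigate before disputing the finding"
    fi
}

report "1.2.3-4ubuntu0.6" "CVE-0000-00001"
```

The revision string and the matching changelog entry are the evidence the text above says to give the scanning agency; a CVE with no changelog entry should be treated as a genuine finding until shown otherwise.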