PCI Hosting Solutions

PCI DSS Compliance

PCI DSS Compliant Hosting

The Payment Card Industry Data Security Standard (PCI DSS) was put together by the leading credit card brands to enforce a set of security controls. Any business that accepts, transmits or stores cardholder data must abide by this control set in some format, including all eCommerce platforms.

As a PCI DSS compliant organisation, you must use a PCI DSS compliant hosting provider wherever that provider is involved in your cardholder data processing journey.

KubeServers is committed to ensuring card payments are carried out safely and securely, to protect your data and that of your customers. KubeServers provides PCI DSS compliant services across our Grid and Dedicated Server hosting platforms from our UK based data centre.

Hosting with KubeServers does not automatically mean that you are covered by our certification. Your business must become uniquely certified by the PCI Security Standards Council.

Our PCI DSS accreditation is integral to our promise to you, to maintain a secure network that is regularly tested and constantly monitored, while maintaining a strong information security policy for the protection of your data.


PCI Compliant Hosting Requirements: 12-Point Checklist

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

PCI Security Standards are developed specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it. They include standards for merchants, service providers, and financial institutions on security practices, technologies and processes, and standards for developers and vendors for creating secure payment products and solutions.

#1 Installed and correctly configured firewalls

When you want to secure traffic entering and leaving a network, or to restrict access to certain critical areas, you need a firewall. Implementing firewalls and configuring routers to control traffic is a fundamental PCI compliant hosting requirement.

#2 Replacement of default passwords

If default passwords are left in place, your system is vulnerable: anyone seeking access to your infrastructure can pair easily obtained default usernames and passwords with software that maps every device on your network. When you deploy any new system, change those default settings and passwords immediately.

#3 Protect Stored cardholder data

Storage of cardholder data is generally discouraged by the PCI standards. The data held on the chip or magnetic stripe should never be stored. If your company does store primary account numbers, or PANs (the payment card numbers), they should be encrypted, and when displayed they should be masked so that any user sees at most the first 6 digits and the last 4 digits.

#4 Encryption of data transmission on networks

When sending cardholder data over any public network, encrypt it with IPsec or SSL/TLS. Strong encryption should be used both for authentication and for data transmission. For a sense of best practice on these PCI compliant server requirements, the PCI Council points to IEEE 802.11, the set of standards for wireless local area networks.

#5 Regularly used & updated antivirus

Antivirus and anti-malware programs detect known malicious software; Hostgrid now also uses predictive analytics and artificial intelligence to detect malware before it spreads. KubeServers deploys these tools on all systems and selects a solution that produces audit logs.

#6 Maintenance of secure software and systems

A hacker can easily break into a system or application that has a security weakness, potentially allowing them to steal or view PANs. When the developer of a product or platform releases a patch, it should be installed immediately, since it fixes a known problem. Patches should be applied to critical systems first, followed by less critical systems, in line with a vulnerability management programme.

#7 Business need-to-know access control

Employee roles and business need-to-know should guide the development of access controls so that unauthorised use does not occur. The idea of need-to-know is that you only give the extent of privileges and amount of data to a user that is necessary to conduct their tasks. Zero Trust should be integrated into your access control system, as indicated by the PCI Council’s instructions to “‘deny all’ unless specifically allowed.”

#8 Unique IDs for everyone with access

You have to know who is doing what within any system, and all activities need to be easily trackable. Do not give anyone access to critical systems or data until you have first given them a unique user ID. A password, passphrase, or multi-factor authentication (MFA) should be used, and MFA should always be used for remote access. Virtual private networks, tokenization, or authentication and dial-in should be implemented for remote use.

#9 Stringent physical access controls

Data is stored on physical systems, and access to those systems presents an opportunity for theft. To meet PCI compliant hosting requirements, KubeServers' data centre always restricts physical access using facility entry controls. Before any outsider enters a space in which cardholder data is present or is being processed, they should receive a physical token that they hand back before departure. Our data centre also has 24-hour manned security, secure car parking and anti-tailgating measures.

#10 Network and data access monitoring & tracking

Being able to track exactly what any user is doing, by logging every step taken, allows you to perform vulnerability management and log forensics. Logs let you review all activity if there is an issue and understand how hacking or other improper use occurred. Automated audit trails should be in place so that you can review any activity. Hostgrid's Overwatch system is deployed here.
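As an added example (not KubeServers' or Hostgrid's code) tying #3 and #10 together: a Python helper that masks a PAN to the first six and last four digits for display, and a redaction function that applies the same masking to anything PAN-like in a log line before it reaches an audit trail, using a Luhn check so that ordinary 16-digit identifiers are left alone. The PAN and log line below are constructed test values.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives when scanning free text for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible,
    the display rule the checklist describes under #3."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN-like number in a log line (#10: audit trails
    must not carry full card numbers). Separators inside a PAN are dropped."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test PAN next to a non-PAN order id.
    line = "2024-01-01 ok order=1234567890123456 pan=4111 1111 1111 1111"
    print(redact_pans(line))
```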

#11 Testing of all security mechanisms

Security issues can often be exposed through hacking, so testing security protocols, hardware, and software will keep you secure in the long term. Check which wireless devices are in use with a wireless analyser at least quarterly, or alternatively use a wireless intrusion detection system (IDS). Network vulnerability scans should be performed every quarter and after any major change to the network. Perform penetration testing at least annually.

#12 Information security policy

Beyond PCI compliant server requirements, you also need personnel interacting with the systems to be well-equipped. Everyone on staff should know their responsibilities for safeguarding sensitive data. Create, update, and distribute an information security policy that lets your employees know about PCI DSS rules. For internal environments, create usage policies to shape expectations for employees and contractors.