Coeus Blue Managed Web Hosting


Security

Coeus Blue developed a fully PCI-compliant hosting solution for our Magento hosting offerings. Our environment fulfills the 12 requirements of the PCI DSS, grouped below under the standard's six control objectives.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

We maintain two tiers of firewall protection. The environment as a whole is protected by the cloud firewall, which segments your servers from the internet and groups them by role. The second tier is an immutable, highly restrictive APF configuration on each server. This configuration is applied at boot time and cannot be changed from within the running system, so a compromised server cannot loosen its own firewall rules to reach other systems.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

System passwords are set to values that are very difficult to guess. Remote login to the root or administrator accounts is not permitted. Access to system passwords is limited to the people performing emergency maintenance.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

For Magento hosting, cardholder data is not stored in the hosting environment. When data retention is required, data are encrypted at rest. Access to the database is not possible from outside the environment; intra-environment access is limited to engineers and the application itself.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cardholder data is transmitted from the customer's computer to the environment over a Secure Sockets Layer (SSL) connection. Any transmission of the data from the environment to card processors is done over SSL or VPN connections.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update antivirus software

Antivirus software is installed and kept updated on all Windows systems. Avast Linux antivirus is set up on all Linux systems and can be enabled (at a pass-through cost) if required. In general, PCI auditors do not believe that Linux servers require this protection.

Requirement 6: Develop and maintain secure systems and applications

Coeus Blue hosting environments are fully hardened. Remote administrative access to all systems is only possible via a VPN that requires both a key and a password. Client environments are separated by firewalls and by configuration design. Backups are encrypted before storage. Unnecessary services have been disabled and potentially dangerous system tools have been removed.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Role-based user group assignments grant privileges over specific classes of data only to the users who require them.

Requirement 8: Assign a unique ID to each person with computer access

LDAP-based single sign-on assigns a unique ID to each user with access to any system. This allows for consistent password strength rules and rotation policies, access revocation, and role-based permissions.

Requirement 9: Restrict physical access to cardholder data

Physical access is strictly limited to only those engineers making changes or repairs to physical hardware. These engineers are separate from the engineers who manage and maintain the operating system and software tiers of the environment. Configuration changes have been made to the image boot process to force interactive login even for physical access or “single user mode.” This separation of duties and access means that no one with physical access holds the user privileges required to access cardholder data, and no one with user privileges has physical access.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Firewall events, system access, and privileged command actions are logged to a central, secured log server for monitoring and retention. Tripwire file integrity monitoring is used on each server, and its results are centrally recorded and monitored.
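The file integrity monitoring described above works by recording a baseline of file hashes and later comparing a fresh scan against it. The following is an added illustration of that technique in Python; it is not Coeus Blue's code and not Tripwire itself. It assumes the baseline is kept as a simple path-to-SHA-256 map (for example, serialized as JSON and shipped to a central log server) and builds a small, constructed directory tree to show added, removed and modified files being detected.

```python
"""Tripwire-style file integrity check (added example, not from the hosting provider).

Assumption: the baseline is a JSON-serializable map of relative path -> SHA-256 hex
digest that is stored off-host (e.g. on a central log server) and compared against
a fresh walk of the same tree later.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Walk root and hash every regular file; keys are '/'-separated paths relative to root."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped; their targets are hashed if they lie inside root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which paths appeared, disappeared or changed content between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, then alter it and rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/bash\n")  # constructed content
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")  # constructed content

        baseline = build_baseline(root)
        # Round-trip through JSON to mimic storing the baseline on the central log server.
        stored = json.loads(json.dumps(baseline))

        # Simulate unauthorized change: one file edited, one removed, one new file dropped in.
        with open(os.path.join(root, "etc", "sshd_config"), "a") as fh:
            fh.write("# unexpected edit\n")
        os.remove(os.path.join(root, "etc", "passwd"))
        with open(os.path.join(root, "rogue"), "wb") as fh:
            fh.write(b"\x7fELF")  # constructed placeholder bytes, not a real binary

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline must be stored somewhere the monitored host cannot overwrite it, which is why the page's central log server matters: a tamper check whose reference copy lives on the tampered host proves nothing.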

Requirement 11: Regularly test security systems and processes

Regular internal scans are performed using Nessus, Nmap and custom tools we have developed in house. Clients are strongly encouraged to have their environments scanned regularly by commercial PCI scanning vendors.

For additional information about the security protocols Amazon applies to the physical servers that host our cloud offerings, see Amazon's Overview of Security Processes whitepaper.