Coeus Blue developed a fully PCI-compliant hosting solution for our Magento hosting offerings. Our environment fulfills the 12 requirements of the PCI DSS.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
We maintain two tiers of firewall protection. The environment as a whole is protected by the cloud firewall, segmenting your servers from the internet and grouping them by role. The second tier is an immutable, highly restrictive APF configuration on each server. This configuration is set at boot time and cannot be changed from within the system. This means that a compromised system cannot compromise other systems.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
System passwords are set to be very difficult to guess. Remote login to the system root or administrator accounts is not permitted. Access to system passwords is limited to only those people performing emergency maintenance.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
For Magento hosting, cardholder data is not stored in the hosting environment. When data retention is required, data are encrypted when stored. Access to the database is not possible from outside the environment. Intra-environment access is limited to engineers and the application itself.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Cardholder data is transmitted from the customer's computer to the environment over a Secure Sockets Layer (SSL) connection. Any transmission of the data from the environment to card processors is done via SSL or VPN connections.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software
Antivirus software is installed and updated on all Windows systems. Avast Linux antivirus is set up on all Linux systems and can be used (at a pass-through cost) if required. In general, PCI auditors do not believe that Linux servers require this protection.
Requirement 6: Develop and maintain secure systems and applications
Coeus Blue hosting environments are fully security hardened. Remote administration access to all systems is only possible via a VPN that requires a key and a password. Client environments are separated by firewalls and configuration design. Backups are encrypted before storage. Unnecessary services have been disabled and potentially dangerous system tools are removed.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Role-based user group assignments allow for granting privileges to specific classes of data, to only those users who require it.
Requirement 8: Assign a unique ID to each person with computer access
LDAP-based single sign-on allows a unique ID to be assigned to each user with access to any system. This allows for consistent password strength rules and rotation policies, access revocation, and role-based permissions.
Requirement 9: Restrict physical access to cardholder data
Physical access is strictly limited to only those engineers making changes or repairs to physical hardware. These engineers are separate from the engineers who manage and maintain the operating system and software tiers of the environment. Configuration changes have been made to the image boot process to force interactive login even for physical access or “single user mode.” This separation of duties and access means that no one with physical access holds the user privileges required to access cardholder data, and no one with user privileges has physical access.
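As an added example (not Coeus Blue's own tooling), the following audit script checks the "force interactive login even in single-user mode" control described above. It assumes the two usual enforcement points on Linux: a sulogin entry for runlevel S in /etc/inittab (sysvinit) and a sulogin ExecStart in systemd's rescue.service or emergency.service; the sample files it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not Coeus Blue's code): audit whether single-user / rescue mode
# still demands an interactive login, as Requirement 9 above describes.
# Two common enforcement points are checked: a sulogin entry for runlevel S in
# /etc/inittab (sysvinit) and a sulogin ExecStart in systemd's rescue.service /
# emergency.service. File paths are parameters so the check runs against the
# constructed samples below as well as against a live host.

# 0 if the inittab forces sulogin for runlevel S (e.g. "~~:S:wait:/sbin/sulogin").
inittab_requires_login() {
    grep -Eq '^[^#].*:S:(wait|respawn):.*sulogin' "$1"
}

# 0 if the systemd unit starts sulogin, directly or via systemd-sulogin-shell.
unit_requires_login() {
    grep -Eq '^ExecStart=.*sulogin' "$1"
}

# Prints PASS when every file that exists enforces a login, else "FAIL: <file>".
# A missing file is skipped, since a host normally has only one of the two mechanisms.
audit_single_user() {
    inittab=$1; shift
    if [ -f "$inittab" ] && ! inittab_requires_login "$inittab"; then
        echo "FAIL: $inittab"; return 1
    fi
    for unit in "$@"; do
        if [ -f "$unit" ] && ! unit_requires_login "$unit"; then
            echo "FAIL: $unit"; return 1
        fi
    done
    echo PASS
}

# Constructed sample files (hypothetical contents, for demonstration only).
SAMPLES=$(mktemp -d)
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$SAMPLES/inittab.good"
printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$SAMPLES/inittab.bad"
printf '[Service]\nExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue\n' > "$SAMPLES/rescue.good"
printf '[Service]\nExecStart=-/bin/sh -c "exec /bin/bash"\n' > "$SAMPLES/rescue.bad"

audit_single_user "$SAMPLES/inittab.good" "$SAMPLES/rescue.good"         # PASS
audit_single_user "$SAMPLES/inittab.bad"  "$SAMPLES/rescue.good" || :    # FAIL: .../inittab.bad
# On a live host: audit_single_user /etc/inittab /usr/lib/systemd/system/rescue.service
```

Run the same function against the real paths on a server image to confirm the control survives rebuilds; a FAIL line names the first file that would drop a physical operator into a shell without a password.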
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Firewall, system access, and privileged command actions are logged to a central secure log server for monitoring and retention. Tripwire is utilized and its results are centrally recorded and monitored.
Requirement 11: Regularly test security systems and processes
For additional information about the security protocols used by Amazon for the physical servers that host our cloud offerings, see Amazon’s Overview of Security Processes whitepaper.