The requirement 12.8 and 12.9 of the PCI Data Security Standard mentions that all service providers having access to cardholder data should comply with the standard. This specifically includes shared hosting providers also. The requirement 2.6 also necessitates the need for shared hosting providers to secure the cardholder data and hosted environment of each entity. The additional PCI considerations for shared hosting providers are for those providers that intend to provide their clients with a PCI compliant environment.
Requirement A.1: Shared hosting providers must protect the cardholder data environment.
A hosting provider needs to fulfill all these additional requirements along with the basic requirements of the PCI Data Security Standard to achieve full compliance. A hosting provider is a third-party that provides outsourced services to its clients. They take care of the administrative functions, infrastructure, software and data, and communicate with the clients usually through internet. The shared hosting providers must therefore, protect and secure the CDE in the following ways:
A.1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:
To evaluate the PCI compliance of a shared hosting provider regarding the protection of merchants, service providers and/or other entities, take a sample of servers such as unix/linux or windows from the hosted entities and then carry out the following checks on them:
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment.
Instead of allowing access as a privileged user, a unique user ID should be used for every service provider or merchant who run their applications on the shared server. To verify this, select a sample and run a check to see that no merchant or service provider should be able to use a shared user ID on the web server, and the CGI scripts run by the entities must be executed from their own unique IDs.
CGI stands for Common Gateway Interface. This interface is an arrangement to transfer data or information from World Wide Web server to a CGI program, or vice versa. CGI program is a program that is specifically formulated to accept and return information that abides by the specification of CGI. For being able to pass the PCI compliance scan by the shared hosting providers, it is also important to disable the default guestbook.cgi script provided by cPanel. This is necessary because this particular script is enabled by default, and running a PCI compliance scan with the script being enabled can cause the test to fail. The cPanel/cgi-sys/guestbook.cgi script usually causes websites to fail when conduction their PCI scans.
A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only
- Access of every merchant and service provider should be restricted to their own cardholder data environment and to regulate this, the following controls must be exercised:
- Entities should be allowed to enter the system through their own unique IDs. For this, verification needs to be done that a user logged in through an ID is not a privileged user.
- They should be given reading, writing and execution permission. To achieve compliance, verify that every entity has read, written and executed only the files and directories that personally belong to the entity. No entity should share their files in a group and all files should be accessible only by members of the same entity.
- They should be given system binary writing permissions. No users of an entity should be allowed to have a written access to shared binary services.
- They should be given permission to access their log files. Here again, you must verify that every entity is able to view its own logs and not that of others.
- One entity, i.e. service provider or merchant, should not be allowed to form a monopoly over the system resources. Verification should be done for restrictions over the basic system resources such as bandwidth, CPU, memory, disk space.
A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10
Requirement 10 of the PCI Data Security Standard demands tracking and monitoring of all activities involving access to cardholder data and network resources. Tracking user activity and developing a mechanism to monitor logs helps prevent, detect and minimize the effects of data leakage. If regular logs are not maintained, it becomes very difficult to track the culprit and the real reason behind the compromise.
Every merchant and/or service provider should have access to their own cardholder data environment in a shared hosting environment.
To verify that this requirement is being met, and that the logging for every merchant and service provider has been enabled by the shared hosting provider, consider the following:
- Logs should be enabled by default
- Logs should only be viewable by the entity to which they belong
- Logs should be permitted for third-party applications common to all entities
- Log locations should be communicated to the entity to which they belong
A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
There must be a formal process developed by the shared hosting provider to conduct a forensic investigation in case a compromise takes place. Verification should be done to ensure that written policies and procedures are there which document exactly how the investigation should be conducted in such a scenario.
In March 2011, the PCI Security Standards Council launched its PCI Forensic Investigator (PFI) Program to provide support to payment brands in selecting recognized forensic investigator companies, and also to officially recognize the companies qualified in this field. With the help of this program, payment card brands or shared hosting providers can require a thorough formal investigation in case of a data compromise, e.g. if cardholder data gets stolen from a computer system. Before this program, forensic investigation would be carried out in different ways, but with the help of PFI program, a uniform procedure is undertaken which is acceptable by all payment card brands.