In January this year we wrote a post explaining the basics of PCI DSS compliance and why it matters if you plan to run your own e-commerce website.

Since then, we have been working alongside Trustwave and our clients to ensure our web hosting solution is, and stays, fully PCI compliant.

Here we share some further lessons learned along the way to help our customers and readers.


Your Website:

Another factor that has since been identified as a cause of PCI scan failures is out-of-date website software.

If your website was built on a CMS platform, e.g. WordPress, Joomla, Magento or one of the many others out there, it must be kept up to date with the security patches and updates you are notified about in the admin area when you log in. That includes the themes and plugins/extensions you have installed, not just the core platform, since these are patched separately.

Website owners must understand that a website is not a set-and-forget product. The scanner identifies the software versions your site runs and matches them against known vulnerabilities, so failing to apply these updates promptly will now be flagged up in the monthly PCI security scans that approved scanning vendors such as Trustwave run.


SSL Encryption:

Ensuring that your web hosting server and your website are secured by a valid SSL/TLS certificate issued by a publicly trusted certificate authority (the providers you buy certificates from), rather than one you generate yourself, is important for PCI.

You can tell a site is using one because its address begins with https:// rather than http://.

If a self-signed certificate generated by the server itself is found in use, your scan will fail immediately. Neither the scanner nor your customers' browsers can verify who issued such a certificate, so it gives customers no assurance about who they are sending card details to, and it is not considered acceptable when selling products online.

Note: always make sure that your certificate is renewed and installed on the server before its expiry date. If your SSL provider takes 24 to 48 hours to issue a certificate, you may not only run into PCI issues, but your website could show certificate errors, or be offline, for that period, losing sales. Set a renewal reminder several weeks ahead of the expiry date so the new certificate is in place before the old one lapses.


Ongoing Changes:

Your PCI compliance status can change quickly: newly identified security risks or exploits in outdated software, whether in the hosting platform or in your own website, can turn last month's clean scan into a failure.

A good PCI compliant web hosting company works closely with its customers, the PCI Security Standards Council and the approved scanning vendors to stay up to date and keep customers informed, proactively updating the hosting environment before problems arise.


Latest Update: TLS 1.0 Deactivation

The PCI Security Standards Council decided it was time to retire old encryption protocols, namely TLS 1.0 (and the even older SSL versions), that are now known to be vulnerable to attack.

The weakness is in the protocol itself, not in any particular browser: as long as your server still accepts TLS 1.0 connections, an attacker who can interfere with a customer's connection can attack the session using the known weaknesses in that protocol (such as the BEAST attack on its cipher modes), however modern the customer's browser is. Scanners now detect TLS 1.0 support on the server and flag it up as a failing item in your usual security scan.

You will need to contact your PCI compliant web hosting company to reconfigure the server so that it no longer accepts this protocol, ideally so that it only accepts TLS 1.2 or later.

Once completed, TLS 1.0 connections will be refused and the finding will clear. However, you will need to make sure your customers are using a reasonably up-to-date browser, as very old browsers that cannot speak TLS 1.1 or 1.2 will no longer be able to reach the site.
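As an added example (not the hosting company's or Trustwave's own tooling, and not part of the original post), the following Python script performs the two client-side checks described in the SSL Encryption and TLS 1.0 sections above: whether the certificate a site presents is trusted, self-signed or close to expiry, and whether the server still accepts a TLS 1.0 handshake. It uses only the standard library; the hostname `shop.example`, the sample certificate fields and the 30-day warning threshold are assumptions for illustration.

```python
import socket
import ssl
import time

# OpenSSL X509 verification result codes, as surfaced in
# ssl.SSLCertVerificationError.verify_code (Python 3.7+).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19

# Constructed sample of what SSLSocket.getpeercert() returns for a validated
# certificate (only the fields this script reads; the real dict has more).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jun 30 12:00:00 2024 GMT",
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}


def not_after_epoch(cert):
    """Expiry time of a getpeercert() dict as seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def verdict_from_verify_error(verify_code, verify_message):
    """Translate a failed chain validation into the scan finding it maps to."""
    if verify_code in (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                       X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN):
        finding = "self-signed certificate"
    elif verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
        finding = "expired certificate"
    else:
        finding = "untrusted certificate"
    return {"ok": False, "finding": finding, "detail": verify_message}


def verdict_from_cert(cert, warn_days=30, now=None):
    """Judge a certificate that validated: warn while there is still time to renew it."""
    now = time.time() if now is None else now
    days_left = (not_after_epoch(cert) - now) / 86400
    if days_left < 0:
        return {"ok": False, "finding": "expired certificate", "days_left": days_left}
    if days_left < warn_days:
        return {"ok": False, "finding": "certificate expires soon", "days_left": days_left}
    return {"ok": True, "finding": None, "days_left": days_left}


def check_certificate(host, port=443, warn_days=30, timeout=5.0):
    """Connect using the system trust store and hostname checking, as a browser or scanner would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Validation failed: report why (self-signed, expired, unknown issuer).
        return verdict_from_verify_error(err.verify_code, err.verify_message)
    return verdict_from_cert(cert, warn_days)


def server_accepts_tls10(host, port=443, timeout=5.0):
    """Attempt a TLS 1.0-only handshake.
    True:  the server still negotiates TLS 1.0 (a failing scan item).
    False: the server refused it.
    None:  this machine's OpenSSL cannot speak TLS 1.0, so the probe is inconclusive;
           repeat it with `openssl s_client -tls1 -connect host:443` from an older box."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # probing protocol support, not trust
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        # OpenSSL 3 rejects TLS 1.0 at its default security level; relax it for this probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except ssl.SSLError as err:
        return None if "no protocols available" in str(err) else False


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "shop.example"  # placeholder host, an assumption
    print("certificate:", check_certificate(host))
    print("accepts TLS 1.0:", server_accepts_tls10(host))
```

Run it as `python check_site.py shop.example`. A site whose chain validation fails with OpenSSL code 18 or 19 is presenting a self-signed certificate and will fail the scan; the "expires soon" verdict is the prompt to start renewal while the provider's 24 to 48 hour issuing time is still comfortable. For the TLS 1.0 item, the server-side change your host makes is a protocol setting such as `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache (illustrative directives, not taken from the page); re-run the probe afterwards and expect False.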