Tag Archives: Payment Card Industry Data Security Standard

How to improve your ecommerce server security & love yourself – Part 3



This series is focused on developing the best possible security for an ecommerce server. We seek to go beyond industry standards such as PCI compliance. Perhaps needless to say, the PCI-DSS requirements are extremely stringent and thorough, because the credit card companies (Visa, MasterCard, etc.) developed them. However, the density of these rules does not lend itself to a simple, step-by-step action plan. We are looking at basic steps we can take to strengthen security.

Servers must be secure, sure: we all know that. Another form of security must be remembered at all times though: security of the self. When we feel that the centers of our souls are disintegrating into tiny little wisps of nothingness, when we fear that the integrity of our entire lives and structural makeups is separating from us and forming new relationships with outside entities (gradually removing us from Earth), we must take action. Below, we will finalize our comments on that subject as well.

Up to this point we have discussed the following subjects: choice of hosting service, development of a security plan, SSL certificates, website backups, vulnerability scan software, monitoring and updates, selection of payment gateway, and the general issue of balance. Today, we will focus specifically on passwords.

How to improve your ecommerce server security & love yourself – Part 2



As with the first installment of this series, we’ll continue to look at optimizing server security for an e-commerce site. Clearly security for an online business is not just a matter of PCI compliance or making sure your own information and accounts are safe. Security breaches can (and regularly do) bankrupt companies, and a business’s reputation with consumers can plummet.

Server security is one thing, though. Learning to love ourselves and feel secure in our own skin is essential to the good life. One easy way I have found to feel secure in my skin is to look at myself in the mirror while poorly reciting French love poetry. If I feel awkward staring into my own eyes while I read – in an awful, just absolutely terrible French accent – love poems, I look into the eyes of a photograph of myself instead.

So far we have discussed the basic types of hosting, development of a security plan, and SSL security certificates. In the next and final installment, we will focus specifically on passwords since they comprise such a large part of security. Today we will go over backups, vulnerability scanning, updates, payment gateways, and balance.

Are You PCI Compliant? – Council & 12 Guidelines … Plus Some Jokes



Are you PCI compliant? Hm, I don’t know the answer to that. Nonetheless, I guess you want me to do all the talking … and I suppose that’s reasonable, given this setting.

I’ll discuss below what PCI compliance is and the industry board that controls its parameters. In so doing, we’ll get a basic sense of what’s involved and why it’s important for your business. This piece goes over similar ground to one I wrote previously for this site, but, like an old familiar song, you can never get enough PCI.

To achieve this bold and breathtaking effort to distill information and disseminate it across the Webiverse (what the kids call it), I’ll use two primary sources: a FindLaw article from the Reuters site and various pieces from the official PCI Council site. Speaking of “breathtaking,” be careful while reading this piece: it can cause feelings of awe and wonder that may be dangerous for pregnant and lactating women; individuals with heart disease and recovering from electroshock therapy; and hypersensitive imps, fairies, and demons.

I’ll first discuss the role of the official PCI Standards Council and then go over the twelve basic requirements that make up the standard (though its details, as you can imagine, are extensive). Those requirements can be accessed on page 8 of the Quick Reference Guide (though it requires contact information to view – and that means you, Jane Doe).

What’s the PCI Council?

First, to clear up any confusion at the outset, PCI does not stand for Politically Correct Imp. That’s important to remember because apparently the imp community is upset about humor related to Politically Correct Imps, especially the bitingly offensive comments made by Jay Leno at a public, clothing-optional Swedish bathhouse in 2009.

Here we go: The Payment Card Industry Security Standards Council (aka PCI SSC) is an open-access worldwide forum that was created in 2006. The Council creates and controls three sets of standards. They are as follows:

  1. Data Security Standard (DSS)
  2. Payment Application Data Security Standard (PA-DSS)
  3. PIN Transaction Security (PTS) Standard.

The organization is no longer in charge of the Beer Goggle Standard (BGS). That standard has been dissolved to allow those drinking beer to operate with full poetic and romantic license.

The standards span the entire digital payment chain and create an established and continually developing sense of how to keep debit and credit card information safe as it moves throughout the UniNet (the kids just changed the name) and is stored in various systems. What this means is that anyone who processes, transmits, or stores card data must meet these standards, with no exceptions (except for one lucky winner each year that can just go nuts with all our financial data).

The PCI organization performs three main functions:

  1. provides full information to any interested parties – including a publicly available documents library of all its standards and other guidelines
  2. develops and manages training classes to help those in the security field understand PCI compliance
  3. educates consumers on proper card security requirements and expectations.

The Council is unfortunately no longer handling waterpark safety code for scout troops and church youth groups, having realized that’s not its area of expertise. Here are its founding members (note the absence of clergy, scoutmasters, and waterpark administrators):

  • American Express
  • Discover
  • JCB
  • MasterCard
  • Visa.

12 Basic Guidelines of the PCI-DSS Standard

The twelve basic pieces of the PCI-DSS standard, the one that’s of main concern for typical merchants, are as follows (and again, notice the absence of anything related to waterparks, river tubing, or even swimming holes):

  1. Proper installation and maintenance of a firewall to protect cardholder data
  2. No use of vendor-supplied defaults for passwords and other security settings
  3. Protection of stored cardholder data (store only what you need, and protect what you store)
  4. Encryption, typically via SSL certificates, of card details when passing through the Webiverse (yeah, the kids are fickle)
  5. Use of up-to-date and comprehensive anti-virus software
  6. Secure development and maintenance of all software, devices, and other network components
  7. Restriction of access to cardholder data to those with a business need to know
  8. Assignment of a unique login ID to each user (internal and external)
  9. Restriction of physical access to cardholder data, including hard copies
  10. Tracking and monitoring of all access to network resources and cardholder data
  11. Regularly scheduled testing to confirm that security controls are operating properly
  12. Maintenance of a company-wide information security policy, communicated to all employees.

As a side note, you do want to make sure that your scout troop wears footwear when swimming shipside on the high seas, to avoid barnacle-inflicted flesh wounds.


As you can see, the PCI Standards established by the Council are thorough and far-reaching. Though these guidelines can be frustrating for companies, they are also crucial to maintain Internet-wide security across all sectors and throughout all regions (that means you, northeastern Siberia). Oh, by the way, we offer PCI Compliance analysis (checking all your systems and ensuring that you’re up to code). If you buy now, I’m allowed to clock out.

By Kent Roberts

HIPAA Web Hosting Compliance: Why it Matters … Plus Some Jokes


Amsterdam servercluster in its own rack

Hosting and health are sometimes interrelated. Our bodies can become hosts for parasites, and that is no fun (well… the tapeworm probably enjoys it). In other cases, the hosting industry and health industry cross paths in the need to reach the requirements of the Health Insurance Portability and Accountability Act (HIPAA). We are HIPAA compliant at Superb Internet, so this article will take a look at why that is important for working with health organizations.

HIPAA compliance is similar in some ways to PCI compliance: both express a company’s commitment to the requirements of a third-party body, and both of them have to do with security and privacy. PCI was established by the Payment Card Industry Security Standards Council (PCI SSC) – a group formed by the major credit card companies – to develop comprehensive protocols for how companies should process payments and store sensitive personal information. HIPAA, unlike PCI, is not voluntary. HIPAA rules were signed into law at the federal level to give better consumer protections to American citizens. The downside (well, and upside) of HIPAA is the stringency of rules that health-care firms now have to follow.

Below is a little information on why HIPAA compliance is important for a web hosting company. As with my last article – focused on PCI – I will also get into standards acronyms that are growing in popularity in 2013. I’ll tackle the first one here:

Up & Coming Standards Acronyms: MBAM Art Standard

The Made By a Madman (MBAM) standard requires that any piece of artwork be validated to determine that it was in fact created by a mentally unstable person. Once it is determined that it was, everyone can start to enjoy it appropriately. “We’ve had just about enough of these happy, content, non-Salvador Dali, non-Vincent van Gogh types,” says Christian Doyle of the Transatlantic Alliance for Incoherent Creativity (TAIC). “We needed a way to know that the art we were looking at was made by someone either currently in or headed toward long-term electroshock therapy.”

Basics of HIPAA & Why it Matters for Web Hosts

HIPAA is so important for the hosting industry because a large part of the reason the act was passed was to account for developments of the electronic age related to health privacy. Part of what it stipulates is that the Department of Health and Human Services (HHS) must have in place a set of standards, applicable across the country, for how healthcare is electronically administered – what the baseline security requirements are, what codes are used for certain health disorders, etc. This is essentially a streamlining and simplification of how healthcare records are organized.

Additionally, HIPAA contains specific language that relates to individual privacy. This language is essentially a recognition that the electronic age makes privacy of health records more challenging. Regulations, then, were deemed necessary to ensure that all physicians and hospitals were adequately protecting patient information.

Our own compliance can be of use to healthcare organizations that need to know the required governmental safeguards are in place. However, you still need to ensure the compliance of your company internally if you want to know you are completely legal.

Up & Coming Standards Acronyms: Skeleton Key Standard

This is an incredibly radical standard being developed by the people at the Single Key Worldwide Society (SKWS). The Skeleton Key Standard (SKS) requires all locks of a business to fit a key that is held by members of the society. “We are not just skeleton key enthusiasts,” says Dan Perry, president of SKWS. “We also don’t believe in private property.”

HIPAA: Privacy & Security of PHI

First let’s look at how HIPAA protects privacy and security. All the codes of HIPAA are related in some way to protected health information (PHI) – how it is defined, how it must be maintained, and rules for transmission. Basic regulations include the following:

  1. Internal protections for PHI;
  2. Transfer of only the minimum amount of PHI necessary to conduct business;
  3. Record-keeping for any transfer of PHI;
  4. Patient access to PHI, including the ability to request changes;
  5. Contracts with affiliated companies that ensure protection of PHI;
  6. A “privacy officer” role given to the person in charge of PHI at a company;
  7. Penalties for those who do not properly protect PHI;
  8. Distribution of paperwork with acceptable PHI guidelines to all relevant parties.

Up & Coming Standards Acronyms: Packing Peanut Standard

The shipping industry has come together and created standards of quality for packing peanuts. The Packing Peanut Standard (PPS) ensures the following:

  • Peanuts must be pink
  • Peanuts must not be peanuts
  • Firmness of peanuts must be carefully balanced with their softness – with correct balance determined by a designated “Balance Officer.”


That is the gist on HIPAA. Many different types of health organizations (and some others, too) must comply with its standards. As with PCI and our other certifications, we are not just protecting our clients and their clients. We are also showcasing our commitment to credibility across a wide range of industries. Our hosting packages are here. If you have any further up-and-coming acronyms that you would like to share, please provide them below.

by Kent Roberts and Richard Norwood

PCI Compliant Hosting: 5 Reasons it Matters … Plus Some Jokes



PCI compliance is one of those things that are incredibly helpful and incredibly annoying at the same time. Similar to the Department of Transportation’s (DOT’s) Federal Motor Carrier Safety Administration (FMCSA) guidelines for semi-truck safety on the interstate, the Payment Card Industry Security Standards Council (PCI SSC) standards help ensure that credit cards are safe on the Internet and on the equipment of a company.

Now, of course, the flip side of the safety brought to those using the Internet or the interstate by DOT or PCI rules is that the stringency of the standards can sometimes be frustrating: this is the plus-and-minus nature of regulations. Organizations that adopt DOT compliance solutions or software, for instance, face their own set of advantages and disadvantages, which may be completely different from those faced by companies that adhere to PCI rules.

Having said that, just to be clear, PCI is not a federal regulation like the DOT’s rules. Instead, the credit card companies started the PCI standardization group to try to establish an across-the-board idea of what security for payments online is all about – to minimize the chances of theft of credit card numbers, purchasing data, etc. Online, PCI standards are similar to the standards set for Extended Validation (EV) SSL certificates by the Certification Authority/Browser Forum (CA/B Forum). As with PCI, EV standards were established by major industry players to protect not only their customers but themselves.

Let’s take a quick look below at what is entailed with PCI compliant web hosting. Additionally, since I’ve been throwing around all these acronyms, I’ll review a few of the other most important up-and-coming acronyms in the standards world. I’ll start with the first of those now:

Up & Coming Standards Acronyms: DHAH Bag Standard

DHAH is an exciting standard being developed by the international bag industry. DHAH stands for “Doesn’t Have Any Holes.” Charles Gibbons of the North American Free Bag Association (NAFBA) feels this standard will make it a lot easier for people to exchange bags without having to worry about functionality: “To be completely clear, a bag should have one hole in it – a big one at the top where you can put stuff in,” he explains. “Additional ones at the bottom are what DHAH standards are concerned with.”

What’s the PCI Council & 5 Reasons Compliance Matters

The Council was started in 2006. It is a worldwide forum and is open for membership application. Currently it oversees three sets of standards and requirements:

  • PCI-DSS (Data Security Standard)
  • PCI-PA-DSS (Payment Application Data Security Standard)
  • PCI-PTS (PIN Transaction Security Requirements).

PCI applies to all processing, handling, and storing of credit card and payment data. As the Council explains, “Our standards cover everything from the point of entry of card data into a system, to how the data is processed, through secure payment applications.”

Founding members include MasterCard, Visa, Discover, and American Express. It’s important to note that the Council itself does not enforce its standards. However, the individual credit card companies will sometimes require that merchants meet the standards so that online fraud is less likely to occur.

Of course, online fraud is not desired by anyone conducting legitimate business on the Web. The basic gist on why compliance is important for you:

  1. Consumer Trust – PCI-DSS is an easy way to establish third-party vetting of your security. This increases trust, which in turn increases sales and repeat business.
  2. Payment Card Partnerships – Becoming compliant makes it easier to take payments with the major credit card companies. It’s validation that you share their same concerns.
  3. Building a Wall – Becoming compliant is an investment in the future. Building a more solid alliance following the same sets of standards makes it easier to adjust and counter the moves of online malware and criminals.
  4. Preparation for Standards & Efficiency – Going through the compliance process ties into preparation for HIPAA, SOX, and other standards. In other words, it’s further checks and balances, better integrating and streamlining your general security strategy.
  5. Bad Things Happen to Good Companies – Like any set of standards or regulations, the PCI parameters are meaningful. They really will make your company safer against threats. If sensitive payment data is stolen, here are some potential results: 1.) Fines from the government; 2.) Card account cancellation; 3.) Fines from the credit card industry; and, 4.) Civil litigation.

When you choose a hosting company that is compliant, you get the benefits of PCI compliance as a part of your hosting package (so that you don’t have to go out and do all the work and vetting yourself). Although you can take advantage of our PCI compliance and other accreditations at Superb Internet, you may want to go out and get the compliance in place yourself as well to further establish credibility with your clients and partners.

Up & Coming Standards Acronyms: MBATT Pet Standard

MBATT, or “Must Be Able To Talk,” is a standard that many pet stores are beginning to adopt. Laura Wright, owner of Animals Galore in Newton, Massachusetts, explains what MBATT is and why she became compliant: “Basically, it means that all of the pets in your store must talk. It’s hard to get a dog or fish or cat to speak in public, so I just have all tropical birds now, along with a few insurance salesman wearing tails.”


That should give you a basic sense of PCI compliance. Your basic consideration when you’re looking at a hosting company is to make sure that it is at least secure with your information and your customers’ information. PCI, then, gives us a standardized way to know if a company is doing its best to keep sensitive data secure. Here are our web hosting packages if you would like to take a look. Please comment below if you have any additional late-breaking acronyms you would like to share.

by Kent Roberts and Richard Norwood