Knowledge Base

Answers to Common liveSite Questions

Site Management

How do I make my website PCI compliant?

PCI DSS is a security standard for handling cardholder information.  In general, if you are accepting cardholder information on your website, then you must be PCI compliant.  You may contact your acquirer or merchant service provider in order to determine exactly what you need to do in order to become PCI compliant.

First, it is important to understand that the liveSite software itself is PCI compliant; however, we do recommend following the steps below.

  • Install an SSL certificate (If secure hosting with us, then we have done this for you.)
  • Enable Secure Mode in the liveSite's Site Settings.
  • Use a payment gateway so that cardholder information is not stored in liveSite.
  • Follow your acquirer/merchant service provider's instructions for becoming PCI compliant (see the information below).

There are items outside of liveSite's control which must also be PCI compliant (e.g. secure hosting environment).  Your acquirer/merchant service provider can guide you through the process of becoming PCI compliant.  There are generally penalties if you fail to meet their requirements.  They will probably recommend a Qualified Security Assessor (QSA) that can scan your website for compliance issues, and they might also require that you complete a questionnaire.

Once you have selected a QSA that your acquirer/merchant service provider recommends, the QSA will run a compliance scan on your website.  The scan will look for SSL certificate issues, security vulnerabilities, and other problems that would make your website insecure.  If the scan reports failing PCI issues and you are not hosted with us, then we recommend that you contact your hosting provider about the issues.  Alternatively, if there are failing issues and you are hosted with us, then please see below.

First, it is important to understand that our liveSite Cloud Hosting is already fully PCI compliant.  Unfortunately, the QSA scan can sometimes produce false alerts, because the QSA scanner sometimes makes incorrect assumptions.  For example, the scan looks at software version numbers in order to decide whether a security vulnerability might be present.  This is a poor way of detecting security vulnerabilities, because the operating system's automatic updates backport security fixes and leave the version number unchanged.

In order to become compliant, the QSA requires that we (i.e. the server administrator) appeal each false alert.  Unfortunately, you cannot do this yourself, because the appeal process requires answering technical questions about the server.  Fortunately, we are happy to help you with this.  Please contact us and provide the QSA scan report that shows the false alerts, so we can prepare an estimate for you.

Once all of the false alerts are successfully appealed by us, the QSA will declare that your website is PCI compliant and they will pass this information on to your acquirer/merchant service provider, so that you are not penalized.  Please be aware that your QSA might require that false alerts be appealed again (e.g. quarterly).  Please feel free to contact us each time you need our help.

Below is a list of some of the things that we do on our servers in order to be PCI compliant or to minimize QSA false alerts.

  • We apply security updates regularly.
  • We install an SSL certificate from a reputable provider so that the SSL certificate is trusted and credit card information is submitted securely.
  • We enable a firewall so that only necessary ports are open.
  • We disable SSLv2, SSLv3, and weak SSL ciphers.
  • We hide version numbers in order to minimize false alerts.  An old version number does not indicate a security vulnerability because security patches are backported, so the version number remains the same.
  • We disable UserDir in Apache.
  • We disable TRACE/TRACK http methods.
  • If the server is a DNS server, then we disable DNS recursion.

TLS 1.0

You may have received information from your QSA about TLS 1.0 no longer being allowed at some point in the future.  If you are hosting with us, we keep TLS 1.0 enabled on your website for now, because many website visitors with older clients still require it.  Disabling TLS 1.0 would prevent those visitors from visiting your website and completing orders, which is obviously undesired.  Fortunately, TLS 1.0 is still considered to be reasonably secure, and is PCI compliant.  We plan on disabling TLS 1.0 by June 2018, as required by PCI DSS.

Your QSA might require a "Risk Mitigation and Migration Plan" concerning the use of TLS 1.0.  If your QSA requires this, and you need our help to create that, then please feel free to contact us.
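The hardening list above (disabling SSLv2/SSLv3 and weak ciphers, hiding version numbers, disabling UserDir and TRACE/TRACK) and the TLS 1.0 status in this section can be checked against an Apache configuration file before a QSA scan runs. The following script is an added example for this article, not liveSite's own tooling; the two configuration fragments it audits are constructed for illustration, the cipher check is a simple heuristic on cipher-list tokens, and a missing SSLProtocol directive is conservatively treated as `all` (Apache's real default depends on the httpd version).

```python
"""Audit Apache httpd configuration text for the PCI-related hardening items
discussed in the article. Added example; sample configs are constructed."""
import re

# Protocol keywords that mod_ssl's "all" expands to.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
# Cipher-list components a scanner would flag as weak (heuristic list).
WEAK_CIPHER_FAMILIES = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW",
                        "DES", "3DES", "RC4", "RC2", "MD5", "IDEA", "SEED"}

# Constructed sample: a default-ish, unhardened server.
WEAK_CONFIG = """
ServerTokens Full
ServerSignature On
TraceEnable On
UserDir public_html
SSLProtocol all
SSLCipherSuite ALL:EXP-RC4-MD5:!aNULL
"""

# Constructed sample: the settings the article's list describes.
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
UserDir disabled
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4
"""


def directive_values(config, name):
    """Return the argument string of every uncommented occurrence of a directive."""
    pattern = re.compile(r"^[ \t]*" + re.escape(name) + r"[ \t]+(.+?)[ \t]*$",
                         re.IGNORECASE | re.MULTILINE)
    return [m.group(1) for m in pattern.finditer(config)]


def enabled_protocols(config):
    """Resolve SSLProtocol (all / +proto / -proto syntax) into the enabled set."""
    values = directive_values(config, "SSLProtocol")
    if not values:
        return set(ALL_PROTOCOLS)  # assumption: missing directive behaves like 'all'
    enabled = set()
    for token in values[-1].split():  # the last directive wins
        raw = token.lstrip("+-")
        targets = ALL_PROTOCOLS if raw.lower() == "all" else {CANONICAL.get(raw.lower(), raw)}
        if token.startswith("-"):
            enabled -= targets
        else:
            enabled |= targets
    return enabled


def weak_cipher_tokens(config):
    """Positive cipher-list tokens that name a weak family, e.g. EXP-RC4-MD5."""
    weak = []
    for value in directive_values(config, "SSLCipherSuite"):
        for token in value.split(":"):
            if token.startswith(("!", "-")):
                continue  # explicitly excluded, not a finding
            if set(re.split(r"[-+]", token)) & WEAK_CIPHER_FAMILIES:
                weak.append(token)
    return weak


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    protocols = enabled_protocols(config)
    for old in ("SSLv2", "SSLv3"):
        if old in protocols:
            findings.append(f"{old} enabled: remove it via SSLProtocol")
    if "TLSv1" in protocols:
        findings.append("TLSv1 (TLS 1.0) enabled: keep a migration plan; "
                        "the article states it will be disabled by June 2018")
    for token in weak_cipher_tokens(config):
        findings.append(f"weak cipher family in SSLCipherSuite: {token}")
    tokens = directive_values(config, "ServerTokens")
    if not tokens or tokens[-1].lower() not in ("prod", "productonly"):
        findings.append("ServerTokens is not Prod: version number exposed in Server header")
    signature = directive_values(config, "ServerSignature")
    if signature and signature[-1].lower() != "off":
        findings.append("ServerSignature is not Off: version shown on error pages")
    trace = directive_values(config, "TraceEnable")
    if not trace or trace[-1].lower() != "off":  # Apache's default is on
        findings.append("TraceEnable is not Off: TRACE method is available")
    for value in directive_values(config, "UserDir"):
        if value.split()[0].lower() != "disabled":
            findings.append(f"UserDir enabled: {value}")
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(config) or 'no findings'}")
```

Run against a real httpd.conf by reading the file into `audit()`; the TLS 1.0 line is reported separately from the SSLv2/SSLv3 failures because, as the section above explains, it may be deliberately kept enabled until the migration deadline.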
