How ForLinux is working with clients to achieve PCI Compliance
At ForLinux we work with clients from a range of industries such as On-line Retail, Web Agencies, Travel and Tourism companies and Education Providers. We have built our reputation on our ability to provide secure and fully managed hosting environments. As part of our continual improvement drive we saw the need to offer a comprehensive PCI compliant hosting solution and have since achieved full PCI accreditation.
Overview of the case study
The business challenge
- To ensure that the client was fully PCI compliant when storing credit cards for subscriptions.
- The client wanted to reduce the amount they were paying to a payment processing gateway provider in per transaction charges.
- To try to reduce the costs associated with building and maintaining a PCI compliant environment.
- The implementation of a new, secure infrastructure whilst minimising interruption to the organisation and its customers.
The Solution
- ForLinux built and continues to maintain a PCI compliant environment which secures the client's credit card and customer data, and protects the reputation of the client's business in a cost-effective and sustainable manner.
- By working with the client and performing a systems audit ForLinux was able to identify areas of vulnerability and potential threat, which were then addressed within the solution.
- By taking a consultative and holistic approach, ForLinux provided complete guidance from the conceptual phase through to implementation and management.
- Using our knowledge and experience, ForLinux delivered a secure and robust infrastructure which complies with the required PCI standards.
- ForLinux provided extensive support during the implementation process to ensure continual compliance and the required audit trail to protect the client's business.
The business outcome
- By selecting a trusted and secure managed hosting provider, such as ForLinux, the client was able to entrust the complicated technical aspects of PCI compliance to a single point of contact, which enabled them to focus on nurturing and growing their business.
- The client was able to make substantial cost savings through reducing and avoiding transactional charges.
- The client was relieved of the burden of PCI compliance, safe in the knowledge that ForLinux was managing their solution in order to protect their brand reputation.
- The client was able to reduce their reliance on key individuals within their organisation, safeguarding their future growth.
About PCI and who it affects
The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard developed by the major credit card companies. The purpose of the standard is to reduce credit card fraud through increased controls around the handling and storage of sensitive data in order to minimise the likelihood of a breach. PCI DSS governs all payment channels including telephone orders and e-commerce purchases.
All companies, irrespective of their size, that handle, process or store credit card information must comply with the PCI Data Security Standard. PCI compliance is not an off-the-shelf solution that companies can simply throw money at in order to achieve compliance. It is about the management and processes that govern the handling of sensitive data, combined with a technically secure solution that is continually monitored and managed to ensure sustainable compliance.
There are 12 requirements that companies must fulfil in order to achieve compliance; these are set out in Table A. However, these requirements break down further into over 200 specific actions that must be completed and maintained across an organisation's infrastructure within designated time scales. Many of the requirements relate to an organisation's server and network infrastructure and, as such, companies need to ensure their hosting provider is consistently complying with the standards set out.
Failure to comply can result in serious damage to organisations such as:
- large fines being imposed by the credit card companies;
- negative press on the back of a data breach, leading to low customer confidence and falling sales;
- companies being banned from accepting and processing credit card payments, effectively shutting off one of their largest revenue streams overnight.
How we helped a client achieve compliance
Our client, who has asked to remain anonymous, is an SME retailer selling UK branded products across the globe via mail order and directly through their e-commerce website. Whilst our client had a secure and up-to-date network infrastructure, the site was not PCI compliant. As their business grew and the site became increasingly busy, with more and more transactions being made on-line, the owners began to turn their thoughts towards the potential impact of a data breach.
The pressure to comply
Although the PCI Data Security Standard had been in place for several years, our client, like many other organisations, had found the standard difficult to understand and complicated to implement; as such, it had inadvertently remained on the "to-do list".
As hackers continued to refine their techniques, more and more high profile data hacks were hitting the headlines. With large corporations falling foul of attacks, the urgency of achieving PCI compliance increased throughout our client's organisation.
In 2008 the PCI standard underwent a major revision and the credit card companies began ramping up their drive for compliance. Retailers began receiving heavy fines from the credit card companies for failure to demonstrate their systems were compliant, even if they had not actually suffered a security breach. It became apparent to our client that they would require additional assistance in order to achieve a compliant solution; at this point they approached ForLinux to help them build and maintain a PCI compliant environment.
By selecting ForLinux as a trusted partner to build and manage the PCI solution and provide the hosting environment, our client was able to outsource the entire project to a single point of contact.
How compliance was achieved
In our role as PCI solution provider, we met with our client to undertake a full assessment of their current solution which highlighted areas of potential exposure. ForLinux then worked with the client's internal teams to build a solution that delivered full compliance, advising on the whole solution. All of the 200 plus steps were broken down to clearly define which areas would come under which party's remit. This high level of transparency was welcomed by our client as it removed much of the ambiguity associated with the standard.
All card-holder data was held in a secure location with multiple layers of physical security. This was backed up by system controls including a 2-factor authentication process. As part of the solution we built for our client, we installed an Intrusion Detection System to monitor real-time threats, in addition to the multiple levels of firewalls and security features, to deliver defence in depth. The alerts these systems raise are picked up and actioned by qualified technicians on a daily basis.
Our qualified technicians also took responsibility for manually installing vendor-supplied security patches as soon as they were made available. ForLinux tracked and monitored all access to the organisation's card-holder data, monitoring file integrity on all servers and systems within the card-holder environment. Testing of security systems and processes, such as internal and external vulnerability scans, was undertaken on a regular basis. ForLinux also worked with the client to build and maintain a security policy.
Challenges
In our experience, one of the biggest challenges is getting companies to understand that PCI DSS is a continual standard; it does not just come out of a box as an instant fix. Achieving and retaining the standard takes continued work and requires a complex technical audit trail to be maintained. By providing a clear and transparent guide to all of the steps involved from the beginning, ForLinux was able to work with the client and their internal teams to ensure everyone fully understood their role and its importance.
Benefits of a ForLinux PCI compliant solution
- Increased customer confidence which leads to increased purchases and revenue growth.
- Reassurance that your customers' data is safe and you won't face the potentially severe damage that could result from a security breach.
- Achieving cost benefits through the protection of client data and not falling foul of hackers and security breaches.
- Maintaining company reputation and protecting your brand.
- Simplifying the management process with a single point of contact for all your infrastructure requirements.
Table A: Overview of the 12 steps to compliance

| Control objective | Requirement |
|---|---|
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data |
| | Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software |
| | Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know |
| | Requirement 8: Assign a unique ID to each person with computer access |
| | Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data |
| | Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security |
This provides an overview of the types of requirements that must be addressed; however, these 12 requirements actually break down into over 200 individual requirements.
Contact Us
If you would like to learn more about achieving PCI compliance, contact us on to arrange an initial consultation with one of our team, alternatively email us at