E Street Web Design and Hosting Payment Card Industry (PCI) Data Security Standard (DSS) Statement
Printer friendly version
Article # 663
Where E Street is the host and sole designers of web enabled solutions for E-Commerce and secure customer transaction interfaces requiring Payment Card Industry (PCI) Data Security Standard (DSS) compliance, E Street assures the following standards are met within the E Street network:
- Merchant E-Commerce customer card data and sensitive personal information interfaces are developed only on SSL encrypted technology utilizing minimum 256bit 2048-bit RSA encryption.
- Cardholder data is not saved unencrypted on the web server. Data is not stored prior to encryption in any database or temporary file and there is no persistent cache or session data associated with secure transactions.
- When stored in a database or transmitted electronically, customers card data and sensitive personal information is transmitted only via industry standard minimum 256bit 2048-bit RSA encrypted SSL connections and methods.
- Temporary storage of encrypted data is restricted to locations accessible only to secure hardware isolated server components.
- Web servers are hosted in a locked private location with controlled physical access and are firewall protected against unauthorized access. Servers are patched undergo periodic hardening, core Email servers are anti-virus updated on a continual basis, firewall policies are audited and all intrusion detection is logged. For more info on E Street Data Center see: kb.estreet.com/article.lasso?article=745
- Authorized network access to merchant accounts is limited to secure connections and by authorized administrative users with separate high security updatable passwords.
- E Street maintains a local and network security policy with regular audits to assure the security of physical plant, server components, user accounts and account data.
For merchants submitting SAQ’s for PCI DSS compliance
....as it relates to the Data Center security in Requirements section 9.1-9.4 the following applies for E Street facility "sensitive areas":
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? YES
9.1.1(a) Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas? YES
9.1.1(b) Is data collected from video cameras reviewed and correlated with other entries? YES
9.1.1(c) Is data from video cameras stored for at least three months, unless otherwise restricted by law? YES
9.1.2 Is physical access to publicly accessible network jacks restricted? YES
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted? YES
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible? YES
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained? YES
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees? YES
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration? NO (but badges/tokens expire and can be rescinded as needed)
9.4(a) Is a visitor log in use to maintain a physical audit trail of visitor activity? YES
9.4(b) Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log? YES
9.4(c) Is visitor log retained for a minimum of three months, unless otherwise restricted by law? YES
Article # 663
Category: Web Hosting