Parallels Plesk Panel

Transcription

1 Parallels Plesk Panel

2 Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: Fax: Copyright Parallels Holdings, Ltd. and its affiliates. All rights reserved. This product is protected by United States and international copyright laws. The product s underlying technology, patents, and trademarks are listed at Microsoft, Windows, Windows Server, Windows NT, Windows Vista, and MS-DOS are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. Mac is a registered trademark of Apple, Inc. All other marks and names mentioned herein may be trademarks of their respective owners.

3 Contents Preface 4 Typographical Conventions... 4 Feedback... 5 Payment Systems Security 6 Introduction... 6 Why You Need to Be Concerned About This... 6 The PCI Data Security Standard... 7 Merchant and Requirements for Compliance 8 Plesk Customer & Business Manager PCI Security Practices 9 Securely implementing Plesk Customer & Business Manager 10 Sensitive Authentication Data Previous Versions Troubleshooting Protect Stored Cardholder Data Purge Stale Cardholder Data Securely Delete Cryptographic Material Secure Authentication Features Administrative and Privileged Access to the Application General Non-privileged Access to the Application PA DSS Requirement Protect Wireless Transmissions Wireless Technology Included in or with the Payment Application General Use of Wireless Technology Systems Connected to the Internet Secure Remote Software Updates Secure Remote Access to Payment Application Server and Database Server Two-Factor Authentication Secure Remote Access Requirements Encrypt Sensitive Traffic over Public Networks Encrypt all Non-console Administrative Access Appendix A: PCI-DSS Requirement 8 18

4 4 Preface Preface In this section: Typographical Conventions... 4 Feedback... 5 Typographical Conventions Before you start using this guide, it is important to understand the documentation conventions used in it. The following kinds of formatting in the text identify special information. Formatting convention Type of Information Example Special Bold Italics Monospace Items you must select, such as menu options, command buttons, or items in a list. Titles of chapters, sections, and subsections. Used to emphasize the importance of a point, to introduce a term or to designate a command line placeholder, which is to be replaced with a real name or value. The names of commands, files, and directories. Go to the System tab. Read the Basic Administration chapter. The system supports the so called wildcard character search. The license file is located in the ses directory.

5 Preface 5 Formatting convention Type of Information Example Preformatted On-screen computer # ls al /files output in your commandline sessions; source code total in XML, C++, or other programming languages. Preformatted Bold CAPITALS KEY+KEY What you type, contrasted with on-screen computer output. Names of keys on the keyboard. Key combinations for which the user must press and hold down one key and then press another. # cd /root/rpms/php SHIFT, CTRL, ALT CTRL+P, ALT+F4 Feedback If you have found an error in this guide, or if you have suggestions or ideas on how to improve this guide, please send your feedback using the online form at Please include in your report the guide's title, chapter and section titles, and the fragment of text in which you have found an error.

6 C H A P T E R 1 Payment Systems Security In this chapter: Introduction... 6 Why You Need to Be Concerned About This... 6 The PCI Data Security Standard... 7 Introduction In order to address the growing national and international concern for securing credit card information, Visa began to develop standards and announced the Cardholder Information Security Program (CISP) in April, These standards became required in June, 2001, for all entities that store, process or transmit Visa cardholder data. Since that time, other credit card companies have become involved, and a new group called the Payment Card Industry Security Standards Council was formed to standardize security requirements across the entire credit card industry. The result is a new security standard called Payment Card Industry Data Security Standard (PCI DSS or simply PCI) which is designed to ensure standardized compliance for multiple associations. This document is provided to guide users of Plesk Customer & Business Manager into becoming and remaining PCI compliant. Why You Need to Be Concerned About This Credit Card companies are requiring compliance with PCI standards for every entity that is involved in the storage, processing, or transmission of credit card information. Failure to comply can result in denial or revocation of your organization's ability to process credit cards. Furthermore, as these standards have become widely recognized, non-compliance places your organization at risk of legal and/or civil consequences if credit card information becomes compromised.

7 Payment Systems Security 7 Compliance with PCI standards is necessary whether or not you use Plesk Customer & Business Manager to process transactions online. Even if you use a POS terminal or other method to process transactions, and simply retain information in Plesk Customer & Business Manager, you must be concerned about proper use of the program to maintain security and confidentiality of customer data. As of October 1, 2008, Credit Card Processors and Bank Card Acquirers must only accept level 3 and 4 merchants that are PCI DSS compliant or that utilize PA DSS compliant applications. Beginning October 1, 2009, all payment applications which are not PA DSS compliant will be de-certified. Beginning July 1, 2010, Credit Card Processors and Bank Card Acquirers must ensure that merchants and agents use only PA DSS compliant applications. The PCI Data Security Standard The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. To learn more about PCI, visit The standard must constantly evolve in order to remain viable in today's rapidly changing internet and computing environment. Thus, the PCI DSS will be reviewed at least every 24 months, and can be updated at any time. Plesk Customer & Business Manager version 7.0 available in Parallels Panel 10 has been certified as compliant under the Payment Application Data Security Standard (PA DSS) 1.2. The PA DSS is a separate security standard that applies to software vendors that develop applications for sale to merchants to process and/or store cardholder data. Just because Plesk Customer & Business Manager has been certified as PA DSS 1.2 compliant does not automatically make you, as a merchant, PCI compliant. It is an important and necessary step toward that goal. Payment applications validated per the PA DSS, when implemented in a PCI DSS-compliant manner, will minimize the potential for security breaches leading to compromises of sensitive cardholder data, and the damaging fraud resulting from these breaches, and speed you on your way to PCI compliance.

8 C H A P T E R 2 Merchant and Requirements for Compliance There are twelve basic requirements (organized in six areas) which a merchant must meet in order to become certified as PCI compliant. Each of these requirements, along with POS Vendor's recommendations, is noted in this document. However, you must familiarize yourself with the details of each requirement as set forth in the PCI Data Security Standard documentation. (Refer to Section 4 Resources for guidance on where to get more information.) The following table lists the twelve basic requirements. PCI Topic Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Basic Requirement Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks. Use and regularly update antivirus software. Develop and maintain secure systems and applications. Implement Strong Access Control Measures Restrict access to cardholder data by business need-toknow. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain an Information Security Policy Maintain a policy that addresses information security.

9 C H A P T E R 3 Plesk Customer & Business Manager PCI Security Practices Because it has been certified as compliant under the PA DSS 1.2 requirements, using Plesk Customer & Business Manager as a tool will support you in meeting some of your merchant requirements to become and remain PCI DSS compliant. However, it is important that you use the software as designed, and that you follow certain practices and procedures internally both when you install the software and as you enter transactions. Compliance with PCI standards is necessary and you must be concerned about proper use of the program to maintain security and confidentiality of customer data. Therefore, the following sections provide guidance on how to implement and maintain the Plesk Customer & Business Manager application per PA DSS requirements (as they relate to PCI) along with other general PCI security information.

10 C H A P T E R 4 Securely implementing Plesk Customer & Business Manager In this chapter: Sensitive Authentication Data Protect Stored Cardholder Data Secure Authentication Features PA DSS Requirement Protect Wireless Transmissions Systems Connected to the Internet Secure Remote Software Updates Secure Remote Access to Payment Application Server and Database Server.. 15 Encrypt Sensitive Traffic over Public Networks Encrypt all Non-console Administrative Access Sensitive Authentication Data Plesk Customer & Business Manager does not store full magnetic stripe, card validation code, or PIN block data. In this section: Previous Versions Troubleshooting... 11

11 Securely implementing Plesk Customer & Business Manager 11 Previous Versions Previous versions of Plesk Customer & Business Manager may have stored card data insecurely in database log tables. These tables should be cleared prior to meeting PCI compliance. The following tables should be cleared followed by use of shred to render that data unrecoverable via forensic methods: callback_log dbg_entries mbapi_log source_log_col system_queue_log After clearing these tables, stop the application, backup the database, move it to the non-internet-connected server, then use shred to remove the database files and any old backups. Troubleshooting Securely delete any sensitive authentication data (pre-authorization data) used for debugging or troubleshooting purposes from log files, debugging files, and other data sources received from customers, to ensure that magnetic stripe data, card validation codes or values, and PINs or PIN block data are not stored on software vendor systems. These data sources must be collected in limited amounts and only when necessary to resolve a problem, encrypted while stored, and deleted immediately after use. Collect sensitive authentication data only when needed to solve a specific problem. Store such data only in specific, known locations with limited access. Collect only the limited amount of data needed to solve a specific problem. Encrypt sensitive authentication data while stored. Securely delete such data immediately after use. Protect Stored Cardholder Data In this section: Purge Stale Cardholder Data Securely Delete Cryptographic Material... 12

12 12 Securely implementing Plesk Customer & Business Manager Purge Stale Cardholder Data Cardholder data exceeding the customer defined retention period must be purged (see PCI DSS Requirement 3.1). To purge old cardholder data, delete the Billling Account for customers that are no longer paying for services. This data must be deleted upon customer-initiated cancelation of services or after the automated suspend system has canceled a subscription. Securely Delete Cryptographic Material To re-encrypt data with a new encryption key and remove old cryptographic material, open the Encryptions Settings screen on found under System > System Configuration. Enter a new LEK PIN and click Submit Changes. This will force the system to generate a new key and encrypt all cardholder data with the new key rendering the old key useless. Secure Authentication Features In this section: Administrative and Privileged Access to the Application General Non-privileged Access to the Application Administrative and Privileged Access to the Application The use of unique user IDs for all users with access to sensitive cardholder data is required for PCI compliance. This requirement applies to administrative access to the application as well as server access to the application server or the database server. Default server accounts must be secured or disabled. A password for the root database account must be set and restricted to local access only. This account should not be granted access to the billing database. Any default user account on these servers must also be secured, even if not being used. The system will enforce user's password rules as outlined below in Appendix A. Some of these settings can be strengthened for application access on the System Configuration screen Authentication and Password Management. These settings cannot be disabled. Doing so will result in non-compliance.

13 Securely implementing Plesk Customer & Business Manager 13 General Non-privileged Access to the Application Access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication. PCI Data Security Standard Requirements 8.1 and 8.2. Hosting company employees can be given accounts with a specific list of privileges based on that employees role within your company. These users should not be given access to customer billing accounts if such access is not needed for the employee to fulfill their duties for the hosting company. These privileges can be grouped by creating additional administrator groups from the System Configuration > Administrator screen. Customers will automatically be granted a unique login when they sign up for service. These accounts are limited to the client interface with restricted access to their data only. PA DSS Requirement Log payment application activity: payment application must implement an automated audit trail to track and monitor access. Audit log data can be viewed from the System Configuration > Security Settings > Audit Log. No changes can be made to what is logged by the administrator. Protect Wireless Transmissions In this section: Wireless Technology Included in or with the Payment Application General Use of Wireless Technology... 14

14 14 Securely implementing Plesk Customer & Business Manager Wireless Technology Included in or with the Payment Application Plesk Customer & Business Manager does not utilize wireless technology. Per PCI DSS Requirement you must install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. General Use of Wireless Technology If wireless technology is (or can be) used to store, process, or transmit cardholder data (for example, point-of-sale transactions, line-busting ), or if a wireless local area network (LAN) is connected to or part of the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed as well (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, a company should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission. Wireless environments must be implemented and maintained per the following PCI DSS Requirements: PCI DSS 1.2.3: Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. PCI DSS 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission. PCI DSS 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE i) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

15 Securely implementing Plesk Customer & Business Manager 15 Systems Connected to the Internet PA DSS 9.0: Cardholder data must never be stored on a server connected to the Internet. The default installation creates the database and all of the required settings on the Plesk server. A separate server needs to be used as a dedicated database server. The steps required to move the database are as follows: 1. Move the billing database to the new server. 2. Define the database server connection information on the Plesk server with the following command: /usr/share/plesk-billing/billing-db --set --host=remote_host --name=remote_name - -user=remote_db_user --password=remote_password Important: After installation of Plesk Business Manager, a separate database server must be used as a database server. This server should only allow connections from the Plesk server and not allow direct connections from the Internet. Secure Remote Software Updates Reference: PA DSS 10.0: Facilitate secure remote software updates. Updates to Plesk Customer & Business Manager are initiated by the administrator from within Plesk. Updates are not automatically pulled down. The administrator initiates an update and the Plesk server pulls down code updates. PCI Data Security Standard Requirements 1 and Secure Remote Access to Payment Application Server and Database Server In this section: Two-Factor Authentication Secure Remote Access Requirements... 16

16 16 Securely implementing Plesk Customer & Business Manager Two-Factor Authentication Two-factor authentication is defined as something you have (for example, smartcard or token) and something you know (for example, PIN or biometric). These two factors must be presented in conjunction with one another to authenticate to a network or system. PCI DSS Requirement 8.3: Incorporate two-factor authentication for remote access (networklevel access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Secure Remote Access Requirements Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer). Allow connections only from specific (known) IP/MAC addresses. Use strong authentication and complex passwords for logins, according to PCI DSS Requirements 8.1, 8.3, and (see Appendix A for details on PCI DSS Requirement 8). Enable encrypted data transmission according to PCI DSS Requirement 4.1. PCI DSS Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are: The Internet, Wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS). Enable account lockout after a certain number of failed login attempts according to PCI DSS Requirement (see Appendix A of this document for details on PCI DSS Requirement 8). Configure the system so a remote user must establish a Virtual Private Network ( VPN ) connection via a firewall before access is allowed. Enable the logging function. Restrict access to customer passwords to authorized reseller/integrator personnel. Establish customer passwords according to PCI DSS Requirements 8.1, 8.2, 8.4, and 8.5 (see Appendix A for detailed PCI DSS Requirements).

17 Securely implementing Plesk Customer & Business Manager 17 Encrypt Sensitive Traffic over Public Networks Plesk Customer & Business Manager never sends unencrypted PANs by end-user messaging technologies (for example, , instant messaging, chat). Sensitive cardholder data is only ever transmitted over secure socket transmission to the merchant processors. Encrypt all Non-console Administrative Access Plesk Customer & Business Manager is only accessible via SSL browser connections. This must not be reconfigured on the server.

18 C H A P T E R 5 Appendix A: PCI-DSS Requirement 8 Assign a Unique ID to each Person with Computer Access. PCI DSS 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data. PCI DSS 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: Password or passphrase. Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys). PCI DSS 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. PCI DSS 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations and Acronyms). PCI DSS 8.5: Ensure proper user authentication and password management for nonconsumer users and administrators on all system components as follows: PCI DSS 8.5.1: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. PCI DSS 8.5.2: Verify user identity before performing password resets PCI DSS 8.5.3: Set first-time passwords to a unique value for each user and change immediately after first use PCI DSS 8.5.4: Immediately revoke access for any terminated users PCI DSS 8.5.5: Remove/disable inactive user accounts at least every 90 days. PCI DSS 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed PCI DSS 8.5.7: Communicate password procedures and policies to all users who have access to cardholder data PCI DSS 8.5.8: Do not use group, shared, or generic accounts and passwords PCI DSS 8.5.9: Change user passwords at least every 90-days PCI DSS : Require a minimum password length of at least seven characters PCI DSS : Use passwords containing both numeric and alpha characters PCI DSS : Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

19 Appendix A: PCI-DSS Requirement 8 19 PCI DSS : Limit repeated access attempts by locking out the user ID after not more than six attempts. PCI DSS : Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID. PCI DSS : If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal. PCI DSS : Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.