What goes into protecting your credit card information on the web?

* This post was originally posted on November 28, 2014, and has been updated for accuracy.

Purchases happen with the click of a button, a swipe of a finger, or with no human interaction at all. Whether it’s our monthly subscription to Netflix, the plane tickets that just went on flash sale, or the book that we purchased with Prime shipping, our demand for immediacy and automation has placed our credit card information all over the web. Scary as that sounds, the Payment Card Industry Security Standards Council has developed a set of data security standards that merchants storing credit card information on servers need to abide by. Luckily, for hosting providers using cPanel servers, we’ve already given you the tools to better ensure your information is secure, your customers’ information is protected, and your customers’ customers have secure transactions on the web.

What is PCI Compliance?
Established by the major credit card providers (Visa, MasterCard, Discover, and JCB International), the Payment Card Industry Security Standards Council was launched as an independent body in 2006 to focus and advise on the rapidly evolving landscape of the payment transaction process. What resulted was an organic set of criteria, with twelve major tenets, called the Payment Card Industry Data Security Standards (PCI DSS).

The Big 12

  1. Install/Maintain firewall configuration that will protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords or any other security parameter
    • Many switches, routers (e.g. wireless) and applications have a default admin account that uses a default password. Remove these accounts if possible, or at least change the password to something very complex.
  3. Protect stored cardholder data
    • Disable direct root logins. A simple configuration file that is in a publicly accessible directory can still cause issues, even if the permissions on the directory forbid direct access. Storing the data in a database is an added level of security, especially if encrypted and hashed.
  4. Encrypt transmission of cardholder data across open, public networks
    • Keep the cardholder data being sent across networks to a minimum and encrypt it with the highest possible strength.
  5. Use and regularly update antivirus software
    • The antivirus database needs to be up to date so that any threats created or surfaced after the last manual update can be caught.
  6. Develop/Maintain secure systems and applications
  7. Restrict access to cardholder data
    • Machines holding card info should be available on the private network only, and two-factor authentication or a higher security level should be required for access.
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track/Monitor all access to network resources and cardholder data
    • Audit access logs frequently.
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security
    • Create a system of internal policies to ensure the proper, regimented handling of secured information.

While cPanel isn’t PCI compliant right out of the box, turning on SSL Cipher along with a few other features, and keeping your software up to date, should have you ready to accept and administer transactions on your cPanel server.

To find out more about PCI, check out these slides from the cPanel Conference Session PCI Talk, or contact session author Ryan Sherer for more info.



One response to “What goes into protecting your credit card information on the web?”

  1. The PCI requirements are great, but it’s just as important to make sure all users’ scripts are kept up to date, since that is one of the most common areas where exploits come through. This often goes missed because people don’t realize that scripts that were secure years ago may no longer be secure anymore and need to be updated on a regular basis.
