Posted by Allen Allison
Although the PCI DSS has been published and enforced for several years, many organizations are still scrambling to deliver online credit card purchases in a PCI compliant, or even certified, environment. Here are three important steps to becoming a PCI compliant online merchant:
1. Choose the right hosting provider; PCI compliance is not a checkbox. Many hosting providers offer a PCI compliant environment, and a smaller number offer a PCI certifiable hosting environment. What is the difference? A PCI compliant deployment means that the application, the networking devices and the operating systems are deployed in a manner consistent with the requirements of the PCI DSS. For example, the firewall is deployed with NAT enabled, with filtering of traffic from RFC 1918 addresses, and with an explicit deny any any at the end of its rule set (among other requirements). The common confusion is to assume that this alone yields a PCI certifiable environment; it does not. Other managed hosting providers have painstakingly built PCI certification solution sets that deliver any or all of the pieces necessary to demonstrate compliance with all 12 DSS requirements and their sub-requirements. If you plan to sell online by credit card, you must decide up front what you need from your ISP and hosting provider.
2. Application development is as important to a PCI certifiable environment as the security infrastructure. Many organizations fail to see the importance of following industry-recognized guidelines for secure application development. It is because of this lack of familiarity with secure coding guidelines that the PCI Security Standards Council released DSS Requirement 6.6: “Ensure that all web-facing applications are protected against known attacks by either of the following methods: 1) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; or 2) Installing an application-layer firewall in front of web-facing applications.” Requirement 6.6 became enforceable on June 30, 2008. Note that the two options are not equivalent in effect: a code review (followed by fixing what it finds) removes the vulnerability from the application, whereas an application-layer firewall only blocks known attack patterns in front of code that remains vulnerable. The PCI Security Standards Council recommends developing applications to the guidelines of the Open Web Application Security Project (www.owasp.org).
3. Develop the right strategy for handling cardholder data. Many online merchants believe it is important to retain credit card information after the original transaction; by doing so, however, you must introduce controls and technology that meet the PCI Security Standards Council's requirements for retaining cardholder data. Adding these solutions, policies, and procedures can be expensive and difficult to maintain. For example, all stored cardholder data must be encrypted, access to it must be restricted, and the encryption keys must be managed securely. Furthermore, by deciding to retain cardholder information, you open your organization to risk with legal ramifications beyond PCI, such as state legislation on consumer data breach notification (e.g., the California Security Breach Information Act, formerly SB 1386). If there is no need to retain cardholder data beyond the original transaction, it would behoove you to destroy that information upon completion of the transaction; the reduction in cost and liability can be significant. While much more goes into providing an online PCI compliant environment than can be covered here, these are decisions that must be made before you can turn up an online merchant store and begin accepting credit cards.
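The RFC 1918 filter and explicit deny any any mentioned under step 1 are easy to state and easy to get wrong in a live rule set (a permit that precedes the bogon filter, or a list that silently relies on the implicit deny). The checker below is an added example and not NaviSite code: it parses a constructed Cisco-style extended ACL for the internet-facing interface and reports whether inbound RFC 1918 sources are denied before the first permit and whether the list ends with an explicit deny ip any any. The ACL text, the list numbers and the 203.0.113.10 web host are assumptions.

```python
"""Static check of a perimeter ACL for two PCI DSS Requirement 1 points: RFC 1918
source addresses are filtered inbound, and the list ends with an explicit
deny any any rather than relying on the implicit deny.
Added example, not NaviSite code; the ACL text below is constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# access-list <number> <permit|deny> <protocol> <source> <destination> [options]
ACE_RE = re.compile(r"^access-list\s+\S+\s+(permit|deny)\s+(\S+)\s+(.+)$")


def parse_address(tokens):
    """Consume one address spec; return (network, remaining tokens). 'any' yields None."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard masks are inverted netmasks: 0.255.255.255 -> 255.0.0.0
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return a list of (action, protocol, source, destination) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank lines and IOS comments
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line}")
        action, proto, rest = m.groups()
        src, rest_tokens = parse_address(rest.split())
        dst, _ = parse_address(rest_tokens)        # port keywords and 'log' are ignored
        entries.append((action, proto, src, dst))
    return entries


def check_acl(text):
    """Return a list of findings; an empty list means both checks passed."""
    entries = parse_acl(text)
    findings = []
    # Only denies that precede the first permit can be relied on to drop spoofed sources.
    first_permit = next((i for i, e in enumerate(entries) if e[0] == "permit"), len(entries))
    for net in RFC1918:
        covered = any(
            action == "deny" and proto == "ip" and src is not None and net.subnet_of(src)
            for action, proto, src, _ in entries[:first_permit]
        )
        if not covered:
            findings.append(f"RFC 1918 source {net} is not denied before the first permit")
    if not entries or entries[-1] != ("deny", "ip", None, None):
        findings.append("list does not end with an explicit 'deny ip any any'")
    return findings


# Constructed inbound ACLs for the internet-facing interface (assumed addresses).
COMPLIANT_ACL = """
! bogon filter first, then the one published service, then explicit deny
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 deny ip any any log
"""

NONCOMPLIANT_ACL = """
access-list 102 permit tcp any host 203.0.113.10 eq 443
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
"""

if __name__ == "__main__":
    for name, acl in (("compliant", COMPLIANT_ACL), ("noncompliant", NONCOMPLIANT_ACL)):
        print(name, check_acl(acl) or "OK")
```

Running the script reports the compliant list as OK and four findings for the second one: all three private ranges (the single 10/8 deny sits after a permit, so it never filters the permitted traffic) and the missing final deny.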
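Step 2's first option under Requirement 6.6 is a review of custom code for common vulnerabilities. The pair of functions below is an added example, not code from the post, showing the most common of those vulnerabilities, SQL injection, in an order lookup next to its parameterized fix; the orders table, its contents and the order identifiers are constructed for the example.

```python
"""SQL injection in an order lookup and the parameterized fix.
Added example, not NaviSite code; the orders table and identifiers are constructed."""
import sqlite3


def build_db():
    """Constructed in-memory orders table standing in for the merchant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, customer TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("A100", "alice", "1111"), ("B200", "bob", "2222")],
    )
    return conn


def lookup_order_vulnerable(conn, order_id):
    """Builds the query by string formatting: the caller's input becomes SQL syntax."""
    query = f"SELECT customer, pan_last4 FROM orders WHERE id = '{order_id}'"
    return conn.execute(query).fetchall()


def lookup_order_fixed(conn, order_id):
    """Binds the input as a parameter: the driver sends it as data, never as SQL."""
    return conn.execute(
        "SELECT customer, pan_last4 FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "A100' OR '1'='1"          # tautology that widens the WHERE clause
    print("vulnerable:", lookup_order_vulnerable(db, payload))   # every customer's row
    print("fixed:     ", lookup_order_fixed(db, payload))        # no such order id
    print("fixed:     ", lookup_order_fixed(db, "A100"))         # the one legitimate row
```

The vulnerable version returns every row for the tautology payload because the quote in the input closes the string literal; the parameterized version treats the whole input as one opaque value and finds nothing. An allowlist on the expected identifier format is a reasonable second layer, but it is the binding, not the validation, that removes the injection.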
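Step 3 recommends destroying cardholder data once the transaction completes. The helpers below are an added example and not NaviSite code: they reduce a constructed transaction record to what a merchant may keep (a masked PAN, an opaque card reference, the authorization code and order details) and drop the full PAN together with the sensitive authentication data that PCI DSS forbids storing after authorization; a Luhn-based scanner then checks log lines or database dumps for full PANs that slipped through. The field names, the sample transaction and the industry test card number 4111 1111 1111 1111 are assumptions.

```python
"""Data minimisation for a merchant that does not need to retain cardholder data.
Added example, not NaviSite code; field names and the sample transaction are assumed."""
import re
import secrets

# Sensitive authentication data (CVV2, full magnetic-stripe track data, PIN blocks)
# must never be kept after authorization, so these keys are always dropped.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "track1", "track2", "pin_block"})


def luhn_ok(digits):
    """Luhn check-digit test, which separates PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits, the maximum PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_for_storage(txn):
    """Reduce a completed transaction to the fields the merchant keeps.

    The full PAN and all sensitive authentication data are discarded; the
    merchant keeps a masked PAN for display and an opaque reference (here a
    random token standing in for a processor-issued one) for later lookups."""
    kept = {k: v for k, v in txn.items() if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    kept["pan_masked"] = mask_pan(txn["pan"])
    kept["card_ref"] = secrets.token_urlsafe(16)
    return kept


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text):
    """Scan a log line or dump for digit runs that pass the Luhn check (likely full PANs)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample transaction using the industry test number 4111 1111 1111 1111.
SAMPLE_TXN = {
    "order_id": "A100",
    "customer": "alice",
    "amount": "19.99",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_TXN))
    print(find_pans("order A100 card=4111111111111111 auth=A1B2C3"))   # one hit
    print(find_pans("ref 9999999999999999 amount 1999"))               # no hit
```

The scanner is the check to run against application logs and database dumps after go-live: any hit means a full PAN is being retained somewhere and the storage, encryption and key-management requirements of the DSS apply to that location.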
Allen Allison is the Vice President, Managed Services at NaviSite, Inc. Allison is a Cisco Certified Internetwork Expert (CCIE #6358), Certified Information Systems Security Professional (CISSP), and Cisco Certified Security Professional (CCSP). Allison has been the lead architect in developing and delivering PCI Certified on-line environments and has led numerous security and compliance assessments, formerly as part of a PCI QSA organization.
Posted by NaviSite
You might have heard a lot about ‘Green IT’ already, but it is surely not a passing fad. Especially with environmental issues flashing on the radar screen of organizations of all sizes and industries around the globe, it has become a reality today. The question is: how many of us are going beyond the talk and actually treading this green path?
Before we answer this, let’s understand what Green IT is. Simply put, it is about using your IT resources and strategies innovatively and optimally to make the world cleaner and more energy-efficient. It is about taking IT decisions that reduce environmental impacts such as pollution, carbon emissions, e-waste, and the unsustainable use of energy resources. With escalating energy and carbon costs, global climate change, and stringent environmental and fiscal regulations, organizations across industries are actively seeking ways to reduce their carbon footprint, whether by switching to alternative energy, redesigning their buildings, creating more eco-friendly products, or altering their internal business processes. And IT has a pivotal role in helping them achieve their ‘low carbon’ objectives for greater environmental and business sustainability.
IT organizations have responded to the environmental needs with multiple ‘greenovations’, such as green data center designs that make cooling, processing, data storage, and energy use more efficient; virtualization technologies; eco-friendly hardware; going carbon-neutral; and urging others to ‘think green’. According to recent Gartner research, by 2009 more than one-third of IT organizations will have one or more environmental criteria among their top six buying criteria for IT-related goods and services. The ‘green’ approach further extends to proactively creating the IT tools and services needed to drive the eco-efficiency of enterprises, whether that means enabling remote collaboration with technologies such as videoconferencing and telepresence, tracking energy consumption and emission levels, enabling recycling, or creating eco-friendly processes to meet business objectives.
We at NaviSite are keeping pace with the green momentum through multiple initiatives. We are a part of The Green Grid – the global consortium of leading IT companies dedicated to raising energy efficiency in data centers and business computing ecosystems. Our data centers use the equipment and proprietary monitoring software that cuts the energy consumption needed for cooling by more than 20% over conventional methods. We use virtualization and cooling technologies to offer a more energy-efficient, green environment to customers.
While going green has a cost attached, the long-term dividend is believed to be worth much more than the spend. In today’s economic downturn, are enterprises willing to pay this premium for ‘Green IT’?

Posted by NaviSite
Colocation and datacenter services are becoming an increasingly compelling solution for organizations in a leaner economy. Recently, NaviSite launched a new enterprise class data center facility in Woking, UK to meet the rising colocation demand and has already won a contract worth over USD 10 million to provide colocation services through this facility to a leading online European gaming operator. The facility can be expanded to up to 70,000 sq feet of datacenter space.
The demand for premium data center and scalable network capacity in the European market is the main catalyst for NaviSite’s expansion plans in the UK colocation market. Gartner research says that some UK colocation providers are experiencing annual increases in demand of 30% or more. Gartner further estimates that in high-demand areas like London, if significant new data center space is not brought on-stream, there will be no free space left by the end of the decade. In fact, this rising demand and limited supply is what is allowing providers to continue to increase pricing. UK colocation pricing is the highest in Western Europe and is expected to continue to rise at rates higher than inflation for the next couple of years.
The obvious question here is: what is triggering this rising demand for colocation and data center services in the UK market?
While the traditional benefits of colocation – like reduced costs and premium, energy-efficient infrastructure facilities with multiple carriers, better redundancy, improved power and cooling standards, 24×7 monitoring, and enhanced security – remain an attraction for organizations to reach out to the colocation providers, there is an underlying reason why colocation is healthy and growing.
The emergence of internet-driven business models is a key factor behind the push in colocation demand. Today, a rising number of UK retailers are focusing on e-commerce opportunities to maximize sales, engage customers, and strengthen their brand. According to Brand Republic, the UK’s leading online business portal, online shopping sales in the UK exceeded GBP 4 billion a month for the first time in July 2007, an annual increase of 36%. Furthermore, on current trends it is predicted that by 2009, 15% of all shopping in the UK will be done on the internet. In the coming years, surging numbers of consumers will continue to shop online for everything from eco-friendly white goods to purely digital content to luxury products. Recent Nielsen Media Research stated that 97% of UK people with internet access already shop online. So organizations want to capitalize on every interaction users have with the net, which is now more accessible than ever, whether at home, at the workplace, or while traveling.
This tremendous growth in e-commerce, coupled with the rising popularity and easy access of internet tools, brings with it demand for server space, secure environments and increased bandwidth to support the growing traffic from customers, partners, suppliers and the other key constituents of a business. This applies especially to small and mid-sized companies with large internet traffic volumes that need a server environment which is always up and running with minimal outages, yet cannot afford in-house facilities.
So in this world of e-opportunities, the colocation space continues to thrive. And NaviSite continues to lead and redefine this space with managed data center solutions that are flexible, reliable, and robust, whether utility computing platforms, secure back-up services, on-demand storage, virtual servers, network security solutions, or cloud computing.
Posted by Gina Murphy
Full Service Solution brings Wedding Collection Online
We are seeing a trend where clients are looking for a provider to come up with application development plans to enhance the features and functionality of their existing applications. In addition, we are seeing an uptick of clients that are creating additional sites for their products/solutions either with an ecommerce platform or enterprise wide content management system that can readily integrate with all of their back end and third party systems. Read more…
Posted by NaviSite Quarterly
Virtualization, Web 2.0 and SOA Services Become One
By Denis Martin, Executive Vice President and Chief Technology Officer
Today, new technologies are redefining performance expectations as growth and pace improve. While many businesses globally strive for the perfect combination of reliability and flexibility, most struggle to assemble a complete IT infrastructure suite on their own. NaviSite’s upcoming Next Gen Application Platform lets them do so without sacrificing anything in terms of core business solution performance, revenue, or reliability.
Managed application services have evolved significantly and the macro-trends have been clearly emerging. Outsourcing mission critical enterprise applications has become mainstream and Software as a Service (SaaS) is proliferating. Now in particular, there is continuously growing pressure on enterprises and SaaS providers to integrate outsourced and on-premise systems with those of their partners and clients. This is especially true for companies that view technology as a strategic component of their growth. Read more…
Posted by NaviSite Quarterly
NaviSite Announces Strong UK Growth and Significant UK Data Centre Expansion
By Sean McAvan, Managing Director, NaviSite Europe
In another significant step demonstrating continued organic growth, NaviSite has announced two data centre expansion plans. These will provide NaviSite with an opportunity to sustain global leadership and to accommodate strong demand and increasing sales in the European marketplace.
In April 2008, a third UK facility will be brought online at Global Switch2 in London’s docklands. This facility is designed to capitalize on soaring demand for NaviSite’s managed services, as both of the current facilities (central London and Watford) are now full. There is a solid pipeline of orders for this new facility and two significant clients (a UK government agency and a high-street retailer) will be installed there as soon as the data centre comes alive. Read more…
Posted by NaviSite Quarterly
Disaster Recovery Plans and SAS 70 Compliance
By Chance Veasey, Senior Director, Application Hosting Services
NaviSite demonstrates its commitment to operational controls, IT governance, and best practices with both a SAS70 Type II audit program and a yearly disaster recovery test. These practices are woven within the fabric of our daily operations and are a part of our integrated approach to best practices.
Many organizations are struggling to find a holistic approach to IT governance and best practices. IT organizations are looking at standards like ITIL, ISO, Val-IT, CobiT, and the CMM - and asking, “upon which standard do I focus?” Meanwhile, some organizations are betting that the SEC’s last guidance on Sarbanes-Oxley Section 404, published in May of 2007, will lead to reform and relieve some of the IT governance requirements. Within this quagmire of mature and emerging standards, some organizations are hesitating to act as they evaluate the overlap of requirements and hold out hope for SarbOx reform. Other organizations are directing their efforts to reach a specific goal specified by one standards body. Read more…
Posted by NaviSite Quarterly
By Sophia McKeown, Product Manager- Application Development
The PCI standard was developed by credit card companies to better protect the privacy of customers, payment card data, and merchant data. Merchants who accept credit cards as payment are subject to these standards; yet meeting these requirements can be challenging.
When we talk about PCI compliance, organizations are often misled by five common myths about becoming compliant with the Data Security Standard (DSS) as outlined by the Payment Card Industry (PCI). Here, we break some of these common myths related to the PCI DSS.
Myth 1: Varying degrees of compliance are required.
The most common misconception is that there are varying degrees of compliance required, depending upon a merchant’s particular level which is determined by their annual number of transactions. The reality is quite the opposite. Read more…
Posted by NaviSite Quarterly
Announcing the NaviSite Account Management Program
By Pete Castello, Vice President, Client Services
At NaviSite, we are always listening to and responding to changing customer needs - so we can exceed their expectations. Our newly launched Account Management program is aimed at improving the customer experience and offering our customers the best-fit technology solutions that meet their specific business needs and enhance their IT efficiencies.
Over the last several years, NaviSite has established a large number of new customer relationships. At the same time we have been very active in acquiring and developing a much broader range of hosting and application management capabilities. These two facts, coupled with the increasing demand pressures in the managed hosting space, have led us to believe the time is right for changing the way we approach and manage our customer relationships. So on February 1, 2008, NaviSite announced its most substantial investment in the customer experience to date with the launch of our New Account Management program. Read more…
Posted by NaviSite Quarterly
NaviView: The reliable monitoring platform for your IT infrastructure
By Adrian Rand, Vice President Operations
Companies today are investing more time, money, and effort into maintaining their IT infrastructure – to ensure that it effectively supports their business. In order to better manage return on this investment and get efficient service levels, many organizations are turning to IT outsourcing. At the same time, however, companies are concerned about giving up control and losing visibility into how their systems are managed and how they are performing. NaviView, NaviSite’s monitoring platform, gives you a complete view into what is happening at all levels of your IT infrastructure – whether it is managed by NaviSite or by your own IT team.
With NaviView, you can proactively monitor and assess the availability, responsiveness, performance, and state of key IT components, including network devices, security devices, servers, applications, and databases – ensuring the infrastructure critical to business remains highly available and accessible to you. Read more…