ASV scans PCI DSS certification

Foreword

Some payment service providers require PCI DSS certification. ASV (Approved Scanning Vendor) scans are an essential component of that certification and must be passed for it to succeed. To help you achieve the best possible results in these scans, this article describes some options for securing your server.


The ASV scan can be commissioned directly by our partner usd AG. You can order the ASV scan directly via the usd PCI platform.



Update server

To avoid security vulnerabilities caused by outdated applications or an outdated operating system, we recommend that you regularly update the applications installed on your server as well as its operating system.


Managed Server

As part of our server support, we carry out automatic minor updates of the operating system and applications in accordance with our Update policy for managed servers.


Unmanaged Server

At the Unmanaged support level, all updates and security patches must be applied by you. Please note that we do not have access to your server at this support level.


Please note that the ASV scan report may recommend software package versions that are only available via beta channels of the corresponding repository and that may lead to unstable or unexpected server behavior. The software packages currently installed on the server may already be secured against the reported vulnerabilities, so check such recommendations before following them.



Access restrictions through firewall rules

It is often unavoidable to use server services that enable a connection to the server.

Examples of this are connections via SSH, FTP(S) / SFTP or access to the Plesk Control Panel.

However, it is usually not necessary to allow such connections from any IP address. A simple way to restrict them is your server's cloud firewall: no changes to the actual server configuration are required, and unwanted connections are rejected before they reach the server.


The following is a general example of a firewall rule set, which provides basic protection:


Please note that firewall rules must be defined in the correct order: rules are evaluated from top to bottom, and evaluation stops immediately at the first rule that matches.


  • General requests to the server, e.g. from visitors to your website, should only be permitted on port '80' (HTTP) and port '443' (HTTPS).
  • SSH or FTP(S)/SFTP access should only be permitted from certain IP addresses. To determine your public IP address, you can use our IP tool, which is available at the following URL:

    https://ip.creoline.com/

  • To ensure that access to your control panel, e.g. Plesk, remains possible, access should be restricted to the IP addresses that are actually used. For Plesk, port 8443 must be enabled by default.
  • All other incoming connections are blocked.
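As an added illustration (not part of the original article), the following Python script models the rule set above as an ordered, first-match list and shows why the order matters: the same rules with the catch-all deny moved to the top block every connection, including visitors on ports 80 and 443. The administrator network 203.0.113.0/24 and the visitor addresses are constructed placeholders, and SSH and FTP are assumed to be on their default ports 22 and 21.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    ports: frozenset   # destination TCP ports; empty set = any port
    sources: tuple     # permitted source networks; empty tuple = any source
    comment: str = ""

def decide(rules, src_ip: str, dst_port: int) -> str:
    """Walk the rules top to bottom; the first matching rule decides and evaluation stops."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        port_match = not rule.ports or dst_port in rule.ports
        src_match = not rule.sources or any(src in net for net in rule.sources)
        if port_match and src_match:
            return rule.action
    return "deny"  # no rule matched: treat the connection as blocked

# Constructed values: 203.0.113.0/24 (a documentation range) stands in for the
# administrator's public IP as reported by the IP tool; ANY means no restriction.
ADMIN_NETS = (ipaddress.ip_network("203.0.113.0/24"),)
ANY = ()

# The rule set described in the article, in the order it must be evaluated
# (SSH and FTP assumed on their default ports 22 and 21).
RECOMMENDED = [
    Rule("allow", frozenset({80, 443}), ANY, "web visitors: HTTP/HTTPS"),
    Rule("allow", frozenset({22, 21}), ADMIN_NETS, "SSH and FTP(S)/SFTP from admin IPs"),
    Rule("allow", frozenset({8443}), ADMIN_NETS, "Plesk control panel from admin IPs"),
    Rule("deny", frozenset(), ANY, "block all other incoming connections"),
]

# Same rules with the catch-all deny first: the allow rules below it are never reached.
MISORDERED = [RECOMMENDED[-1]] + RECOMMENDED[:-1]

def evaluate(rules) -> dict:
    """Run a few representative connection attempts through a rule set."""
    attempts = {
        "visitor_https": ("198.51.100.7", 443),  # anonymous visitor, web
        "visitor_ssh": ("198.51.100.7", 22),     # anonymous visitor, SSH
        "visitor_plesk": ("198.51.100.7", 8443), # anonymous visitor, Plesk
        "admin_ssh": ("203.0.113.10", 22),       # administrator, SSH
        "admin_plesk": ("203.0.113.10", 8443),   # administrator, Plesk
        "admin_mysql": ("203.0.113.10", 3306),   # administrator, port not opened
    }
    return {name: decide(rules, ip, port) for name, (ip, port) in attempts.items()}
```

With RECOMMENDED only visitor_https, admin_ssh and admin_plesk return "allow"; with MISORDERED every attempt returns "deny".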


To avoid unwanted restrictions, you should check in advance (or have it checked) which services and connection options are actually used and required, since additional ports may need to be enabled depending on the application.

A common and widely used example of this would be data transfer via FTP(S).


You can find an overview of the ports used by the services of our server solutions at the following URL:

https://help.creoline.com/de/en/doc/ports-der-server-dienste-u9HOvJv0M1



Avoid default access data

Some applications use default access data to provide a way to log in for the initial setup after installation. Depending on the application, such access cannot be restricted via your server's firewall, or only to a limited extent. An example is the Shopware administration: it is accessed via a specific URL and therefore via port '80' (HTTP) and port '443' (HTTPS), and these ports are generally left open so that visitors can reach your website.

For this reason, the default access data should always be changed after provisioning / installation to avoid unwanted access and the associated risks.


When our server solutions are provisioned, default access data is automatically changed and stored in your server's password vault.



Order ASV scan

The ASV scan can be ordered directly through our partner usd AG. You can order the ASV scan directly via the usd PCI platform.


More information about usd AG: