Guide to Becoming PCI Compliant: A Historical Perspective and Introduction

By Adam Goslin on February 4, 2010

Online Tech brings you a new series on PCI Compliance by Adam Goslin, an experienced consultant that assists companies with achieving and maintaining PCI Compliance.  PCI compliance is important for all of our clients who hold and handle credit card information. The series will explain the six objectives of PCI DSS and how to maintain PCI compliance for your company. We hope that you find it useful and we welcome your feedback.

PCI DSS stands for the Payment Card Industry Data Security Standard, and is an organization founded in 2004 as a result of the combination of 5 different security programs in operation at the time by Visa, MasterCard, Discover, JCB and American Express.  The intent of this standard is to protect cardholder data (CHD) through an approach that covers every aspect of a technology based solution from policies through infrastructure and everything in between.

PCI DSS compliance attainment is a process that can be extremely daunting – but a process that is sure to yield improvements to the security position of everyone that ventures through the process. Navigating the waters of PCI DSS is a task best undertaken with the appropriate personnel and partnerships to assist in the journey.

One of these critical roles is an individual or company to assist with guiding your organization through the requirements of PCI DSS that has been there before, and has the capability to make recommendations based on their past experience.  This role is critical to making your way through PCI DSS, and frankly the difference between costing and saving your organization money.  The cost to an organization varies dramatically based upon several factors, with the most significant being resolving the PCI DSS requirements while doing so in a cost effective manner as there are literally a myriad of choices in the marketplace today.  Seaming these choices together into an integrated security solution while saving you money is the role that this individual or company performs.

Another critical role is an individual or company to assist with implementation of your secure production solution into an environment that meets or exceeds the standards for physical security of PCI DSS.

Online Tech delivers a managed hosting solution that provides your organization with such facilities, having already attained their SAS-70 certification, they have the staff on hand to assist your organization with establishing your secure production network in a facility that passes all elements of PCI certification.  Online Tech can provide experience and expertise to your team with architecting the solution, hardware acquisition, configuration of the equipment and required documentation – all critical elements of the PCI DSS solution.

Due to the sheer breadth of scope of a PCI DSS compliance endeavor, ultimately everyone in your organization will in some way, shape or form, be impacted by these efforts.  All of the compliance efforts by your team and partners culminate with the affirmation from a QSA (Qualified Security Assessor), whose job it is to assess organizations against the PCI DSS standards and are certified to do so via the PCI Security Standards Council.

Companies have their stance against the PCI DSS standard evaluated by the QSA, with open items remediated and reviewed, then can make their submission to the PCI Council for certification.  It is at this point that your company shifts from attaining PCI DSS compliance to maintaining PCI DSS compliance.

For my part, my name is Adam Goslin, your virtual MC for this tour through PCI DSS compliance.  Having consulted with several organizations on their trip through PCI DSS, and having been in the position of both having to obtain PCI DSS for an organization, and having been engaged as a consultant to other organizations looking to attain certification for themselves – it has been a unique experience that provides a keen level of insight into the difference between the art and science of PCI navigation.  My personal mission is to assist companies in enhancing their security stance ­– focusing in this case on attaining and maintaining their compliance with PCI DSS as there are many good choices on the market when making selections for PCI and just as many bad ones.

Look for the next post in this series in March that will provide an overview of the PCI DSS Control Objectives before we get into a detailed review of each objective.

Adam Goslin, PCI DSS Consultant
Adam has an IT career that spans more than 15 years, recently leading IT efforts for Edcor Data Services, then leading the IT and Infrastructure teams of Osiris Innovations Group as the Vice-President of IT, including leading the company through achieving PCI DSS Compliance, and presently providing PCI DSS consulting services to numerous companies looking to achieve or maintain their PCI DSS Compliance.

For more information about PCI compliance, you can email Adam at

  • Share/Bookmark
Add Comment

Posted in | Tagged , , , | Leave a response

Diagnose your Network Problems Quickly, Troubleshoot with Nmap

By Aaron Grumelot on February 1, 2010

Troubleshooting is often a long road filled with many turns that could lead you down the wrong path, further away from a resolution. It is quite frustrating to spend several hours on a single issue that in the end turns out to have a simpler solution that could have been discovered earlier if the proper tools had been utilized.

The support team at Online Tech is always searching for an effective tool to assist in troubleshooting the myriad of issues that we come upon on any given day. In my personal experience I have found that often networking issues can be the most frustrating because of the many points between you and your server.

In an attempt to gain better visibility into these complex issues I have come across a very useful program that I would recommend to anyone that is attempting to troubleshoot their network, firewall, or a simple connectivity issue. Nmap is a small but powerful tool that is often used as a network troubleshooting device since it can detect open ports, the OS type and Version, the routes between you and your server, and many other things making it extremely flexible. Nmap was created by insecure.org and its sole developer Gordon “Fyodor” Lyon for multiple purposes such as security auditing, online host discovery, and network troubleshooting. According to the website Nmap was given the title “Security Product of the Year” by multiple technical journals as well as being featured in movies such as The Matrix Reloaded and Die Hard 4.

This piece of software is invaluable to me since it is very flexible in the function that it provides allowing a user to map out entire networks of hundreds of thousands of machines. It has a very simplistic interface that allows you to enter the host name, adjust the type of scan that you want (you can even specify which ports you want scanned), and with a simple click of the scan button it will begin mapping your destination. Nmap scans a server and provides me with easy to read diagrams as well as lists of ports, Server IP addresses, Operating systems, routers, firewalls, and many other things. Some of the greatest perks of this piece of software is that it is completely free and supported by a fanatical community of developers who are eager to help you resolve issues with the program. Alongside the development community is a plethora of comprehensive and easy to use documentation for the many features.

Nmap is an essential tool used in my troubleshooting process and I have enjoyed great success when using it. For more information on this networking tool please visit nmap.org.

  • Share/Bookmark
Add Comment

Posted in | Tagged , , , | Leave a response

Transparency in SaaS, IaaS, and all as-a-Service Companies

By Chris Rizzo on January 29, 2010

Recently, I was reading a great article by Joel York over at his SaaS Blog, Chaotic Flow. In his article, “SaaS Marketing Tips – The Truth Shall Set You Free“, he explains the critical difference in the sales process between selling traditional software and Software-as-a-Service: transparency or lack there of, on behalf of the software company.

Traditional software companies teach their sales employees “to avoid disclosing any more information than the minimum necessary to close the deal.” Because of the one-time payment structure of those deals, it creates a short-term focus on the deal and the relationship with your potential client. Where as with SaaS, one can “try before they buy” and depending on the contract length, walk at any time if the service is not up to their liking. This creates a long-term focus and transparency and trust between the two parties becomes more natural.

As Joel points out, Google Adwords is a great example:

“Ask yourself how much you spend right now on Google AdWords without ever having spoken to a sales rep. How does this compare to your own average selling price for online transactions?  Now, ask yourself why.  The answer is transparency, from company reputation to cost-per-click.”

While Joel focuses his discussion on the software industry, it is true for all products that can also be services. We see this with big ticket items like cars and houses as well as everyday purchases like music and books. The larger the purchase and commitment, the more risk involved and the less trusting the two competing parties become. Full transparency becomes the only logical play when dealing with Product-as-a-Service businesses.

Having studied game theory and negotiation in college, this makes perfect sense to me. Anyone familiar with the prisoner’s dilemma (a game similar to a negotiation process) knows when the game is only played once (like purchasing a good such as a car), both parties have the incentive to “defect” or lie (it is the rational strategy) but when the game is played multiple times for a amount of time unknown to both parties (like a subscription based service) the rational strategy is to “cooperate”. This repetition in “games” creates the incentive to take the leap of faith into a cooperative strategy. If I defect, the other party will defect for the remainder of the negotiations. If he defects, then so will I. One defection and there is no trust, and everyone is worse off for the rest of the series of games.

The as-a-Service model is built on this “repetition of games” trust and cooperation, that while I might gain in the short term if I hide the truth, in the long term, I will have lost a valuable relationship. This dedication to transparency is the one of the lesser talked about benefits of not only moving your business to an as-a-Service company but purchasing from these types of companies.

At Online Tech, we offer Infrastructure-as-a-Service, and we see and live this phenomenon every day. Although it may seem trite to say, one of our core values is “Win-Win or No Deal”. Right up front, we have a conversation with all of our prospects and try to understand their needs. If their needs don’t match what we offer, we let them know. There is no point for a as-a-Service company to sell something to a client they don’t need. That is not a Win-Win deal and the client will sooner, rather than later, figure out that they don’t need your service and move elsewhere. It creates unproductive work for both parties.

Transparency is key in our business and something we strongly believe is a key to our success.

Have you seen any as-a-Service companies succeed that are not built on transparency and trust?

  • Share/Bookmark
Add Comment

Posted in | Tagged , , , , , , | Leave a response

Live Chat is a Great Way to Learn how to Purchase Managed Dedicated Servers

By Mike Kroon on January 28, 2010

As the Business Development Manager I’ve enjoyed educating people from around the world about how to purchase Managed Dedicated servers through our live chat service through WhosOn. The reason I enjoy using this service is that we are just having a chat about a client’s company and their needs. These chats can be fast and to the point, or at times, a little more comprehensive. What I like to do is learn about their company and where they want to grow it to. So before going into pricing I like to gather requirements.

Here are 5 questions I like to ask:

1. Do you have your own servers or are you looking for managed dedicated servers?
2. How many processors do you need?
3. How much RAM would you like?
4. How much disk space do you need for today and will that be suitable for future growth?
5. Do you need any backup? On-site or off-site?

These questions can help me develop a solution for you and also alert you to things that maybe you didn’t think of at the time, such as what OS are you going to be using, do you need point to point VPN or remote VPN.

These are items that can affect the price and delivery of the server to you.

Please stop by and have a chat at www.onlinetech.com.

  • Share/Bookmark
Add Comment

Posted in , | Tagged , , | Leave a response

How To Get Your Support Ticket Resolved Quicker

By Aaron Grumelot on January 26, 2010

Often the support team finds ourselves in the midst of a chaotic work day – the support line has been ringing for what seems like every second, while new tickets arrive fresh to our fingertips. Though we find much delight assisting clients to troubleshoot and conquer the seemingly impossible tasks, we often find it difficult to begin this process without the correct information.

In order to decrease the resolution time of your ticket, increase the effectiveness of the troubleshooting process, and alleviate a little stress from our day-to-day job there are several things you can provide us with when opening a new ticket with Online Tech.

Things to Remember When Creating a New Support Ticket:

  1. The first thing you must remember when creating a new ticket with Online Tech is to provide us with your complete contact information such as your name, company name, email address and phone number.
  2. We also ask that you provide us with the names of the server experiencing issues and if this is not available then the IP address of the troubled machine can be sufficient.
  3. Next we ask that you gather as much information as possible about the nature of the issue you are experiencing as well as the severity of the aforementioned problem.
  4. Finally you can help decrease your resolution time immensely by providing us with additional information related to your issue such as trace route to the troubled server in the case of a networking issue or log files from the troubled machine.

Armed with this information we can provide you with the best support possible and faster resolution times even when faced with the most difficult issues.

  • Share/Bookmark
Add Comment

Posted in | Tagged , | Leave a response

Server Too Busy? Proactive Monitoring Tools Are Vital

By Mike Flaherty on January 22, 2010

I was reading an article by Penny Crosman in the “Wall Street & Technology Reports” January 2009 edition about monitoring servers in a remote data center and it provoked a few thoughts on the importance of monitoring of servers remotely.

The article discusses the need for in-depth monitoring tools, monitoring dashboards, and skilled engineers capable of managing thousands of servers with millions of data points. Without the proper tools in place for monitoring servers, you may be lulled into a false sense of security about the health of your servers and the applications your customers depend on. You need proactive monitoring tools in place, in order to know the server is crashing – before it’s too late.

Think about it – how do customers feel in 2010 when they can’t access data?

Don’t you hate when you need to access a website and you receive a “Server Too Busy” or other server/application error messages? It often happens when you need access to a website and you have limited time to grab the information and get your job done.

It’s so frustrating! It’s bad enough when you squeeze in time to pay bills on the weekend online at home and can’t access a banks’ website. Just think about what paying customers feel like when they can’t access critical data that is absolutely necessary to complete their job.

The cause of the error is usually one of the following:

1) too many users trying to access underpowered server hardware
2) server application error
3) client browser, software, or end-user hardware error
4) insufficient Internet capacity or bandwidth at the hosting location
5) server or network security breach

Making sure all of these issues are resolved can be very difficult. There’s tons of pressure on IT managers to keep costs low and provide excellent server uptime, especially in the post-2009 economy. A good IT architecture (think VMware, great hosting infrastructure, capable staff, solid applications) is a fantastic place to start.

Into 2010 now, keeping the servers running (regardless of where you host your servers – in-house, colocation, or in a managed dedicated server environment) requires the right tool set to manage the infrastructure. Do you grab some open source server and network monitoring code, learn how to use it, deploy it, configure the probes and monitoring thresholds, and hope it works? Or do you beg for capital to purchase enterprise monitoring tools and support, and the corresponding training sessions?

This can be a hard question to answer. Either way, you’re making a sacrifice.

We try to make it easy for our clients to get enterprise level monitoring tools and support without sacrificing too much. Our monitoring service, called OTMonitor is included with all of our dedicated servers, and for a low monthly fee, our colocation clients can add our proactive monitoring service as well.

Monitoring your server is not the cure-all for “Server Too Busy” problems, but it can go a long way in helping to limit those problems and help you avoid downtime.

  • Share/Bookmark
Add Comment

Posted in , | Tagged , , | Leave a response

How to Setup a Proper Firewall Rule Set

By Ryan Gunther on January 21, 2010

Here is Online Tech’s quick tips on how to setup a proper firewall rule set:

  1. Limit your server management ports (RDP: 3389 and SSH: 22) to your office subnet or a VPN connection.  The first and easiest way for someone to hack your server is for them to be able to RDP or SSH to your server and start bashing usernames and passwords.  If you limit RDP or SSH just to your office they won’t even have a chance to try to login to your server.
  2. Secure all database connections to specific IPs that NEED to connect.  Another way for people to gain access to your equipment is if they can access your DB servers.  They can steal your information, alter it or even delete it.  Make sure any SQL, MySQL, or other DB servers can only be reached by IP Addresses you trust.
  3. Review your firewall rules to make sure you don’t have a port open that you used to use but now you no longer use it.  Also check who can connect through certain ports, maybe you had a contractor helping with website development and should remove his ip range to your server after his work is done.
  4. Try to limit rules that allow anyone to access a port.  Certain ports like Http, Https have to be open for all, but maybe only certain clients should have FTP or SFTP access.
  5. If in doubt, you can always ask. If you explain to your provider what you are trying to accomplish, who needs to be able to access certain ports and they might be able to help design your firewall rule set with you.
  • Share/Bookmark
Add Comment

Posted in | Tagged , , | Leave a response

All Roads Lead to Data Center Consolidation and Using IaaS

By Bill Ryan on January 16, 2010

One of the big takeaways from the cloud computing hype over the last year is that everyone wants to do more with less. Keeping your IT infrastructure in-house no longer makes sense from a cost perspective. The cloud computing media coverage certainly has emphasized this.

One of the main advantages of Infrastructure-as-a-Service (IaaS) companies, like Online Tech, is that they are enabling a wide variety of companies to run their businesses without the capital expenditures that go along with traditional IT departments. A lot of the newer Software-as-a-Service (SaaS) companies, who are more agile and under a tighter budget, are already taking advantage of these services.

The question has now changed from, “Will we outsource our data center?” to “When and how are be going to take advantage of these new cost-savings IaaS managed services?

We at Online Tech, think that the transition will further progress once these once-hesitant businesses become more and more educated about what IaaS companies can offer and how to get the most out of these new business relationships. This will only take time as they see their competitors continue to make the shift to IaaS and experience the time and cost savings.

  • Share/Bookmark
Add Comment

Posted in , | Tagged , , , | Leave a response

Perspective on Barron’s “The Sky’s the Limit” Cover Story on Cloud Computing

By Don Trojan on January 15, 2010

In the January 4th issue of Barron’s, there was a very interesting article on cloud computing called “The Sky’s the Limit.” The article boldly states that “cloud computing will be as revolutionary as the Internet itself.”

This was a great article.

It is called Cloud computing for a reason. Cloud computing is the ability for many “certified” people to access a computing resource anywhere, anytime. The only requirement is that they have secure access to the Internet.

It is not called “sky computing”, if that was the case anyone anywhere could access the data and all the data would be shared. Maybe Sky computing will have its day, today it’s “The Cloud”.

Working in the Business Intelligence field for the past seven years I have seen the growth of virtual machines (VM). With VMs growth corporate users were willing to give up control of what CPU or server their data was running and on. By doing so they gained the ability to quickly request additional computing services without the two+ month wait for a new server to be ordered and be upgraded from corporate IT.

To me this was the beginning of “The Cloud” and with it the acceptance of the corporate user to trust the management of their servers to a trusted partner. The next stage in corporate computing has begun, “The Cloud”.

  • Share/Bookmark
Add Comment

Posted in | Tagged , , , | Leave a response

Online Tech Customers Happy with Upgrade to Better Data Center

By Ritu Parr on January 13, 2010

Magic Coast, a long-time customer of Online Tech, is happy with their upgrade to our Avis Farms data center in Ann Arbor. Magic Coast provides live and on-demand video streaming technology backed by full production services.

“We have been a customer of Online Technologies since first moving our headquarters to Ann Arbor, MI in 2006.”  Said Bill Dunning, CEO of Magic Coast.  “Online Tech has been a solid partner for us and we’re happy to continue the relationship as we grow.”

To read more about Magic Coast’s experience, visit the Magic Coast Blog.

  • Share/Bookmark
Add Comment

Posted in , , | Tagged , , , | Leave a response

Next »