Video Library


As eCommerce continues to increase in popularity, the ability to comply with server management standards becomes more important. These standards are set by the industry that oversees debit and credit card transactions.

This webinar introduces PCI compliance to hosting providers who use cPanel software. A webinar this significant might be the wisest 30 minutes you spend this year. The cPanel team explains compliance in plain language and how it affects you.

Topics of discussion include:

  • What is PCI compliance?
  • What is needed to comply?
  • How to receive free PCI compliance scanning


  • Anonymous

    How can cPanel say they are compliant if the WHM and cPanel logins do not support 2 factor authentication? I am looking for a way to justify this problem but can’t seem to find the answer.

    • http://cPanel.net David Grega

      If you experience a specific issue during a PCI DSS Compliance audit or scan, please feel welcome to submit a support ticket so we can take appropriate action. Speaking more in terms of providing general information: I believe you are referring to Requirement 8.3 of PCI DSS, which addresses multi-factor authentication but specifically mentions that this is only necessary with remote access to the server.

      If you are administering cPanel & WHM locally from within the same data center, you can use the source IP checking functionality to effectively lock out all remote IPs from accounts they should not have access to (e.g. root).

      If you are administering a cPanel & WHM server remotely, the same source IP checking functionality can be used as a means of multi-factor authentication. This is the same technology deployed by many members of the PCI for their customers to authenticate into their credit card/banking accounts.

      Source IP Checking can be enabled via WHM by clicking on “Configure Security Policies” in WHM’s Security Section, then checking the checkbox for “Limit logins to verified IP Addresses”, then clicking “Save.”

      If you have ever used a website to log in to check the balance on your Visa or Mastercard, what happens as a result of enabling this feature may look familiar. Users are prompted to enter security questions, which they can provide answers to so they can log in in the event the Source IP Check fails. When users pass the Source IP Check upon login, everything works as normal. When users fail the Source IP Check, they are prompted to answer the questions they supplied.

      While this is playfully referred to as “Poor Man’s Two-Factor Authentication”, it is effective for security. However, with the implementation of the Pluggable Authentication Layer, one can support multi-factor authentication for their preferred multi-factor method by building an appropriate plugin. You can read more about this at: http://forums.cpanel.net/f145/whm-pam-ldap-radius-authentication-pluggable-authentication-154665.html

      It is also important that anyone reading this also harden their operating system appropriately against unauthorized remote access.  For example, CentOS.org has a guide for hardening SSH for CentOS users at: http://wiki.centos.org/HowTos/Network/SecuringSSH
