How To Improve Product Search On Your Magento Store


Product search: you can’t live without it. At least, that’s until you start using cumbersome and awkward solutions that don’t deliver the right results. Choosing the right product search for your Magento store means finding an integration that allows for both easy customization and that delivers the results consumers are looking for. Magento’s default product search is a good start, but it’s certainly not the product querying mastermind you could be using.  

Bringing in the right solutions means being able to sell more and sell better. After all, visitors that use product search are 200% more likely to make a purchase than those who don’t. Maximizing revenue from this group is key to securing a potentially loyal group of return customers. These customers will then see you as an authority in the space. You just need to make sure their searches return the results they want.

Typically, consumers expect results that are on par with, if not better than, those of Google. Google is particularly good at returning relevant results even when users search using muddled or imprecise queries. Magento’s default search isn’t nearly as powerful. While it works well for smaller catalogs – those with a few products and a handful of attributes – it falls down as store size and complexity grow. Losing the ability to deliver relevant results will almost immediately mean a loss of revenue and push you further from the store growth you’re looking for.

Here, we’re going to take a look at some of the ways to get your product search back on track with Hostdedi. We believe that product search shouldn’t be complicated or an expensive addition, and to that end, we’ve put together a couple of changes you can make yourself in little to no time.

 

Choose Search Attributes Wisely

You’re given the ability to add associated attributes when creating Magento products. These can be as simple as a product name, color or size, or as complex as long descriptions. Attributes are included as a way to narrow down relevant results when a user searches for products. For product colors and sizes, this works incredibly well, allowing consumers access to faceted search features whereby they can filter large result sets down to a handful of relevant ones. However, attributes need to be selected carefully. When they aren’t, irrelevant products quickly start to seep into otherwise relevant results.

Magento product attributes should be chosen with care.

Take attributes that include large amounts of text. The longer the text, the more likely it is that long-tail phrases are included. For example, let’s say you’re searching for a pair of headphones with the phrase “headphones with long extension cable” on an electronics store. Yes, the results will likely include relevant results. However, the inclusion of the words “extension cable” may lead to electrical extension cords appearing in results as well.

Accuracy and speed can be improved by limiting search to the most important attributes: those that contain the most relevant keywords. Attributes can be excluded from search in the Product Attributes page of the Stores menu.

 

Take Control of Search With Magento Search Terms

Store owners are able to control what happens when specific search terms are entered in the Magento search box. For example, it’s possible to direct users to a custom page on the store by adding and configuring a search term. This might be a content page, a category page, or a product page.

A fashion store owner might note that many shoppers search for “t-shirt”, and decide to build a dedicated landing page with a custom product selection, copy, and images. When a shopper enters the query, they’re directed to the custom page instead of the default search results. The search terms functionality gives store owners precise control over the search experience.

Search terms are also useful for handling synonyms and misspellings because each search term can be associated with a set of synonyms. If you notice that shoppers frequently misspell a product name, you can use search terms to ensure they find what they’re looking for.

Control over the search terms can mean better visibility and conversion rates

You can configure custom search terms under Marketing -> SEO & Search -> Search Terms in the Admin sidebar.

 

Use ElasticSearch Instead

Since the release of Magento 2.3, all versions of Magento support ElasticSearch, an enterprise-grade search engine that is faster and more accurate than Magento’s built-in MySQL-based search. We previously compared Elasticsearch with other Magento product search alternatives and found that not only is it faster, but it also offers your development team more flexibility.

ElasticSearch provides a wide array of features that enhance the Magento search experience, including support for stop words and synonyms, fast indexing that doesn’t impact search or store performance, support for multiple languages, and more advanced product search options. ElasticSearch is easy to integrate with Magento; after a simple initial configuration, ElasticSearch will begin returning improved search results immediately.

At Hostdedi, our ElasticSearch cloud hosting makes it even easier to deploy a scalable ElasticSearch instance in seconds. ElasticSearch is fully supported on our Magento cloud hosting plans, and we’re happy to help clients to integrate their ElasticSearch instance with Magento.

The post How To Improve Product Search On Your Magento Store appeared first on Hostdedi Blog.

8 Common Hosting Problems (and How to Avoid Them)


In our annual State of Hosting, we found that uptime remains the chief concern for most merchants. Uptime, though critical, is only one of many things that can go wrong with web hosting, and the measure of a solid web hosting provider often means more than 99% uptime.

Below, we highlight how to resolve or prevent common web hosting problems such as poor uptime, slow performance, and other key areas.

Slow Performance

Visitors have little patience for a slow site. Your product, customer service, and deals won’t matter much if your site makes users wait. Over half of visitors leave a site when a page takes more than 3 seconds to load, and most of them will not return.

A slow site may not always be the fault of your hosting provider, though a credible one will do everything they can, such as:

  • Providing optimized environments for your chosen application (Magento, WordPress, WooCommerce, Drupal, and so on)
  • Using current technology, though unproven “bleeding edge” tech can be cause for concern
  • Providing scalable solutions that can temporarily or permanently meet the needs of your growing business

What to Do About It

If your site sputters, start with your hosting provider’s support team. Competent support teams will investigate the issue and resolve it if they can. If the cause is beyond their control—poorly written website code, an unpatched Magento installation, unexpected surges in your site traffic—they can help diagnose the problem and suggest options for resolving it.

Beyond contacting support, you can try:

  • Using a CDN service
  • Limiting your use of dynamic content in favor of static content, especially on your high-volume landing pages
  • Enlisting the services of a developer, or having conversations with your current one
  • Patching the platform running your site
  • Limiting your use of third-party extensions, and making sure the ones you keep are current
  • Simplifying your web design
  • Enabling caching on your content management system of choice, if available

Poor Security or PCI Compliance

With security, you have enough to worry about on your end without wondering whether your hosting provider is holding up theirs. No security system can claim perfection, but consider any of the below to be hosting provider red flags:

  • Irregular or missing maintenance windows; though sometimes inconvenient, these represent a commitment to providing a secure and stable service
  • Inability to provide secure file transfer protocol (SFTP); plain FTP is generally considered insecure
  • Failure to provide their AoC upon request (see below)
  • Support can’t answer your questions about SSL, a fundamental need of nearly every legitimate website
  • Unclear backup policy; while it’s best not to rely only on your hosting provider’s backups, every reputable provider will provide them
  • Outdated versions of PHP or MySQL; your provider should be running supported versions, not ones at or past end of life (EoL)

What to Do About It

The best policy here is prevention. Don’t wait until your host fails at security to verify its effectiveness. Ask your hosting provider for their Attestation of Compliance (AoC), and consider any resistance to providing it to be a huge red flag. And always remember that as a merchant, you must do your part for PCI compliance even after choosing a PCI compliant hosting provider.

Beyond the AoC, check the hosting provider’s website, followed by their reputation. If they provide a fair amount of original content about PCI and security, then they likely have some experts on their team. If the hosting provider specializes in a particular platform, ask other people using that platform about that provider. People that experience problems with web hosts are rarely shy about sharing their story.

Cost 

Although “high cost” is a common complaint, it’s usually more productive to think in terms of value. For example, unmanaged hosting is usually cheaper than managed hosting because the former offers little more than a power source, the network, and a secured facility. Support is usually not on the menu.

The end result is a low-cost hosting provider. This can suit the needs of some, but others would be wise to consider the value of well-managed hosting, even if it costs more in strict dollars. Managed hosting with a good provider means less maintenance, hands-free updates to server operating systems, and dedicated 24/7 support.

What to Do About It

If you feel your hosting provider doesn’t provide enough to justify their cost, it’s probably time to find another. Again, word-of-mouth and reputation go a long way here. Talk to others in your community—merchants using the same platform with similar needs—and ask them for suggestions. Go to a convention or two, spend some time on GitHub, or find a forum. Sure, it takes time, but it can save you downtime and headaches down the road.

Slow Support

When it comes to web hosting, troubleshooting is essential and expected. It is perfectly reasonable to expect your hosting provider to respect your time, and to respond to any disruption to your service with urgency. Even if an outage is beyond the control of your hosting provider, they should be willing to communicate and sympathize with your situation throughout.

Ideally, the more ways to reach support, the better. 24/7 support is pretty much the standard for modern managed web hosting, with reasonable allowances for shopping-season ramp-ups. 

What to Do About It

Assuming a slow response isn’t an outlier, express your dissatisfaction to a member of support leadership. Even when you have justifiable cause to be upset, keeping your temper in check while expressing your irritation often yields more desirable results. Humans act more efficiently when treated well, and support teams are no exception.

However, if they’re grossly incompetent, then it’s time to shop around using the same method described in the above “Cost” section.

Unclear Limitations

When it comes to hosting, nobody likes surprises. This applies to uptime, bandwidth, storage, scalability, and many other facets of your service. Reputable web hosts will be up front with how they distribute resources and bill for their services, and provide additional details when asked. 

That said, take the time to read the provider’s Service Level Agreement, which tends to provide reasonable legal wiggle room in the event of unavoidable disruptions to your service. The presence of an SLA is not in-and-of-itself a red flag—nearly every hosting provider has one—but taking the time to read it can give you a better understanding of what to expect.

What to Do About It

Prevention does a lot. Do your homework on your hosting provider and ask their sales or support teams plenty of questions. If they break a promise or guarantee, hold them to it!

Site outages and downtime

Downtime costs you money. Most web hosts recognize this, and adopt proactive measures to minimize downtime as much as they can. “One hundred percent” uptime is strictly impossible, as even the most conscientious web host must contend with occasional maintenance, failing upstream providers, and other issues beyond their direct control.

You should know about every planned maintenance window capable of affecting your service well in advance. The rare hiccup to your service is inevitable; the real tell is how your hosting provider reacts to it. 

What to Do About It

The more times you answer “no” to these questions after any given outage, the more you should consider heading for another host.

  • Are disruptions and outages a rare event for this provider?
  • Are they reasonably transparent? 
  • Did they apologize (even if not directly their fault)?
  • Did they respond to you in a reasonably prompt manner?
  • If they proposed a timeline, did they honor it?
  • Did they avoid accusing you of “breaking something”?
  • Did they resolve your issue, or at least guide you toward a solution?
  • If it was an extended outage, did they compensate you somehow?
  • If they required action on your part, did they provide clear instructions?

Poor Scalability

Ideally, your web host will make it relatively easy for your service to grow with your business. One of the major selling points of cloud services is quick-and-painless scalability. Cloud technology makes it easier to allocate extra resources to your service on-demand, as well as provides a cleaner, migration-free path to permanently upgrading (or downgrading) your service.

If you’re married to a non-cloud solution and need to migrate, your hosting provider should be discussing options with you before pushing for migration. Respectable hosting providers look for ways to improve your service before upselling. If migration is necessary, they should be transparent about the process, listen to your needs, and keep you informed every step of the way.

What to Do About It

Cloud hosting is the answer in most cases. Yes, it tends to cost a little more than non-cloud hosting, but in exchange you receive flexibility. Your site will respond better to sudden, unforeseen surges in traffic and be easier to move when your business outgrows your website.

Inadequate Tech Stack 

A stack is a bundle of software designed to run a server. Stacks range in complexity and purpose, and not so long ago a Linux/Apache/MySQL/PHP (LAMP) stack was considered adequate for hosting purposes. As modern web applications have risen in prominence and complexity, this is no longer the case.

In 2019, stacks also serve to accelerate performance for the web applications running on those same servers. At Hostdedi, our cloud web application stack draws on 20 years of experience, with components that work together to provide enough resources for modern web applications. While established players like Apache and PHP play undeniable roles, we’ve expanded the stack with several other technologies, most notably Nginx, Varnish, and, for Magento, ElasticSearch.

Nginx

Nginx is a full-featured, high-performance web server that excels at serving static content. In our cloud stack, it also handles Transport Layer Security (TLS) decryption necessary for HTTPS connections, and does so much more efficiently than other possible alternatives, like the web server itself. 

Varnish

When properly configured, Varnish takes over caching requests normally handled by Apache and Nginx, and so provides fast delivery of static and dynamic content.

ElasticSearch (Magento only)

ElasticSearch is a search engine that allows customers to quickly find one product among thousands. Available as part of our Magento cloud service, Elasticsearch is fast and scalable for both structured and unstructured data, with support for 34 languages.

What to Do About It

Before drawing any conclusions about a hosting provider’s tech stack, engage with their support or sales team to explore their other offerings. Be wary of any effort that doesn’t ask specific questions about your goals or business. Ethical hosting providers will work with you to identify and fulfill your needs, as opposed to just offering a knee-jerk upgrade.

Each content management system has different needs. What works best for Magento often isn’t ideal for WordPress, and so on. Experienced web hosts know the “what” and “how” of these optimizations better than players new to the game. If your store uses Magento 2, ask your provider how long they’ve been hosting Magento 2 sites, and what they can offer you that other hosts can’t.

 

Need help finding a web hosting solution that works for you? Contact our sales team between 9 a.m.– 5 p.m. eastern time, Monday to Friday.

How to Get Ready for MagentoLive Europe 2019


MagentoLive Europe arrives in only a few weeks, bringing Magento merchants and innovators from around the globe to Amsterdam, arguably the biggest ecommerce hub on the continent.

What and When is MagentoLive?

The Magento community hosts various global events designed to connect and educate developers, merchants, and ecommerce influencers. The largest of these is Imagine, envisioned as the definitive global gathering of the Magento community. MagentoLive serves as a complement to that event, in essence a more “localized” version of Imagine.

The short version is almost anyone involved with Magento—in any capacity—will benefit from attending. Adobe, who purchased Magento last year, will have a significant presence with four Keynote and over two dozen Breakout Session speakers (out of 8 and 48 total, respectively). Add to this sessions from Magento Masters, Google, and other big players from the ecommerce space, and it’s impossible not to leave with new knowledge and inspiration.

MagentoLive Europe 2019 takes place between October 22–23 at the RAI Exhibition and Conference Center in Amsterdam, Netherlands. Magento expects over 2000 commerce professionals to attend—here’s how to get the most out of the event.

3 Reasons to Get Excited About MagentoLive Europe 2019

Get excited! It’ll make it easier to find time to plan ahead, and you’ll get significantly more return on your investment.

1. Session Variety

Whether you’re a Magento fanatic, developer, merchant, or even just considering adopting it for your storefront, there’s something for everyone at MagentoLive Amsterdam. Session topics include hands-on labs, marketing strategies, product reviews, technical solutions, and countless other options. Most sessions last an hour or less, but they can overlap. 

You can get started prioritizing your favorites by viewing the MagentoLive agenda. Note that some events, such as hands-on labs and certifications, require registration in advance.

2. Networking Opportunities

Keep an eye on social media, starting with #MLEU, #nexcesslive, and feeds of your other favorites. Put names to faces in an environment where every vendor is putting their best foot forward to earn your business!

Not sure about how to handle Magento 1 end-of-life in June 2020? Read our blog post, Magento 1 vs Magento 2: Should You Stay or Should You Go.

If you’re a developer, consider arriving a day early to take part in Contribution Day. See the Session Highlights section below for more information.

3. Adobe’s Roadmap for Magento

Adobe’s 2018 acquisition made waves in the Magento community. Although they’ve integrated the platform into their Experience Cloud, they’ve also declared their intent to respect and utilize the Magento open source community in this effort.

Judging by the volume of Adobe presenters at MagentoLive Europe 2019, the company appears intent on showing, rather than just telling, how they plan to proceed. President Paul Robson is only one of several prominent keynote speakers from Adobe, and it’s fair to say they’re expecting your questions about what lies ahead.

Session Highlights

Your mileage may vary according to your role and needs, but here are some highlights of the wall-to-wall events at MagentoLive Europe 2019. The variety caters to tech-savvy developers, commerce-focused merchants, and everything in between. Space is limited for some events, so register early whenever possible!

Contribution Day

Monday, October 21, 9 a.m.–5 p.m.

Technically, this is pre-game, as it starts a day before the official MagentoLive Amsterdam festivities. Contribution Day allows you to rub shoulders with talented members of the community, where you can learn how to submit contributions or find solutions to your most pressing challenges. The event spans 7 hours, though day-long attendance is not required. Unwind afterward at the closing cocktail hour.

Early Adopters of Progressive Web Apps

Tuesday, October 22, 9–10 a.m.

New to the ecommerce landscape in 2015, progressive web apps (PWAs) are now an industry standard. PWA Studio is a collection of tools designed to make the most of the technology on the Magento 2 platform. This session is a relatively pain-free way to learn from other people’s mistakes. Both presenters are Adobe representatives: James Zetlan, Sr. MTS Architect, and Eric Erway, Sr. Manager, Product Management.

How to Digitally Transform and Scale a Traditional B2B Business

Tuesday, October 22, 1:30–2:15 p.m.

The need to scale is usually a welcome symptom of success, yet still capable of causing headaches and sleepless nights for unprepared stores. Featuring the founder of Juzo, a medical compression manufacturer, and the Founder/CEO of Techdivision Gmbh, their developer, learn about how they addressed the challenge of configuring 50,000 product variants for their Magento store in less than 6 months.

Hands-On Labs: Get to Know Adobe Target and Adobe Analytics

Tuesday, October 22, 1:30–3 p.m. (arrive 15 minutes early)

As Magento is now part of the Adobe Experience Cloud, why not learn more about two other tools already optimized to work with this platform? Like all hands-on labs at these events, you’ll get your hands dirty with firsthand experience creating reports, dashboards, and analytics.

Migrating from Magento 1 to Magento 2: Strategic Planning for Business Leaders

Tuesday, October 22, 9–10 a.m.

Magento 1 end of life is just around the corner (June 2020). Whether you’ve settled on Magento 1 or not, this session will guide your strategy away from common mistakes and into the clearer waters of realistic timelines. Presented by the tandem of Ray Bogman, Adobe Sr. Business Solutions Architect, and Jos Pieters, Jac Hansen Ecommerce Manager & Product Owner.

Winning Loyalty on the Shipping Battleground 

Tuesday, October 22, 2:30–3:15 p.m.

Remember the days of “Please allow 6 to 8 weeks for shipping”? Neither does anyone else. Quality, customer care, and shipping are the Big Three of sustainable growth. This session highlights the latest innovations from three presenters: Matthew Waslet, Adobe Product Marketing Manager; Aynsley Peet, Cox & Cox Head of Ecommerce; Leedert van Delft, DHL VP Global Sales & Digital Marketing.

Magento Product Roadmap 

Tuesday, October 22, 3:45–4:30 p.m.

Want to know what the future holds for Magento and Adobe Experience Cloud? This is the place. Four Directors of Product Management from Adobe give you the scoop on Magento Commerce, Order Management, Business Intelligence, and Cloud.

Hands-on Labs: Getting Started with PWA Studio

Wednesday, October 23, 9–10:30 a.m. (arrive 15 minutes early)

Another hands-on lab, where attendees will set up the Venia PWA on Magento 2, use GraphQL, and work with PWA Studio. Hosted by Adobe Sr. MTS Architect James Zetlan.

Commerce Obsessed: How to Map a B2C Customer Journey

Wednesday, October 23, 10–10:45 a.m.

For consumers, the “cost” of your product also extends to the time involved in paying for it. The more efficient and, dare we say, fun you can make your store experience, the more customers will tend to spend. Expect to learn about trends, but also to see real-world examples of customer journey experiences. Led by Ryan Green, Adobe Senior Manager of Strategy.

Expanding the User Experience: Site Reviews

Wednesday, October 23, 10–10:45 a.m.

Let the Magento UX experts review your store and provide constructive feedback on how to increase customer satisfaction. Almost any store has room for improvement. The emphasis is on “actionable advice,” so you stand to benefit as long as you check your ego at the door.

Secure Commerce with Magento

Wednesday, October 23, 10–10:45 a.m.

Magento’s popularity makes it a prime target for bad actors. The good news is that Magento is well aware and working hard to stay ahead of the game. Topics include PCI compliance, cloud security, and general best practices for keeping your store secure. Led by Adobe Senior Product Managers Yevhenii Pyltiai and Piotr Kaminski.

DevExchange & Networking Event

Wednesday, October 23, 3:30–5:30 p.m.

A laid-back session that serves as last call to share brains with fellow developers. Compare war stories. Learn from each other. Meet awesome people. Led by Sherrie Rohde, Magento Community Manager for Adobe.

 

A Modern Web Application Stack From Hostdedi


Modern web applications are large, complex, and resource-intensive. The methods of hosting these applications have changed drastically as a result. It is no longer ideal to simply host a modern web application on a Linux/Apache/MySQL/PHP (LAMP) stack, as doing so will severely limit its performance.

A web application stack is a collection of software that works together to provide modern, secure, and fast application delivery. These modern application stacks go beyond a typical LAMP stack and include additional components such as Nginx and Varnish. Extensive tuning keeps these components working together for the best end user experience.

This article covers the different applications and technology that make up our Hostdedi Cloud web application stack, focusing specifically on application delivery.

Discover the Hostdedi Stack

 

Nginx 

Nginx is a full-featured, high-performance web server that we use as a reverse proxy within our web application stack. Favored by many websites, Nginx has been a popular replacement for the Apache Web Server because it excels at serving static content. 

With this in mind, we use Nginx together with Apache web server in our application stack. The use of Nginx in front of Apache as a reverse proxy allows each to focus on their respective strengths. 

Object Caching

Nginx includes a built-in cache called a micro cache. While a micro cache has many potential applications, we focus its caching on small static objects like images, CSS templates, JavaScript, and other small files. 

This benefits low-traffic and high-traffic sites, as cached objects prevent the need to retrieve the object from the web server with every request. Many modern CMSs can have well over 100 static objects per page load, all of which can be served by the Nginx micro cache. This removes significant load from the dynamic content web server, noticeably so during peak web traffic times.

TLS Termination

TLS terminators handle the decryption of HTTPS connections. Typically, the web server application handles TLS decryption, although this is often not ideal. Varnish and other caching proxies do not currently support HTTPS connections, and so require decryption of TLS connections before they reach your caching layer. Load-balanced solutions also require the TLS certificate to be installed on every application server when not using a TLS terminator. 

A solution to these limitations is to let Nginx handle TLS decryption. While alternatives such as Pound and HAProxy exist, Nginx handles it natively and can also provide load balancing if necessary, removing the need for additional load balancer services. 

Modern TLS Support

Transport Layer Security (TLS) is the successor to the older encryption protocol, Secure Sockets Layer (SSL). TLS provides the encryption for HTTPS connections, which is nearly a requirement for all modern websites. 

Current security standards (most notably, PCI DSS) have flagged older SSL and even some early TLS as inadequate, and only modern TLS ciphers make it possible to meet these evolving standards. 

Like SSL, TLS has several versions, the most recent being TLS 1.3. As a PCI-compliant hosting provider, we enable only secure ciphers according to the Mozilla Modern standards. 

HTTP/2 Support

Nginx fully supports the latest HTTP/2 protocol. HTTP/2 is a revision of the original HTTP 1.1 protocol released in 1999. It focuses on improved performance, perceived end-user latency, and use of a multiplex connection between web servers and browsers. HTTP/2 is currently supported by all major browsers and is enabled by default in Nginx on Hostdedi Cloud solutions.

Nginx also has plans to support the new QUIC – HTTP/3 protocol, which we will also support as soon as it becomes available.

Content Compression

Data compression is not a new idea. If site data can be quickly compressed on the server and uncompressed in the browser, this reduces the size of transferred data, thereby saving time. 

Web servers and browsers have supported several compression algorithms such as gzip and deflate for years. While both of these have historically worked well for content delivery, a modern and more efficient option is available: Brotli.

Brotli is a data specification that uses a dictionary-based compression algorithm designed specifically for the transfer of text-based web application static files such as HTML and CSS. Due to its specialized role, it offers significant upgrades over other common web compression algorithms in both compression ratio and compression speed. All modern browsers and web servers now support Brotli including Nginx, which is enabled in our configuration.
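As an added example (not Hostdedi’s actual configuration), the following Nginx server block ties together the pieces described above: TLS termination on the Mozilla Modern profile (TLS 1.3 only), HTTP/2, Brotli with a gzip fallback, a micro cache for small static objects, and a reverse proxy to Apache. The upstream port (127.0.0.1:8080), certificate paths, cache location and sizes are assumptions, and the `brotli_*` directives require the ngx_brotli module.

```nginx
# Added example: TLS-terminating Nginx reverse proxy in front of Apache.
# Assumed: Apache (with PHP-FPM) listens on 127.0.0.1:8080; certificate and
# cache paths are placeholders. Brotli directives need the ngx_brotli module.

# Micro cache for small static objects (images, CSS, JS).
proxy_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=micro:10m
                 max_size=1g inactive=60m use_temp_path=off;

# Plain HTTP only redirects, so nothing is served unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # TLS termination, Mozilla "Modern" profile: TLS 1.3 only. All TLS 1.3
    # cipher suites are considered strong, so client preference is fine.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; the chain is needed to verify the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;    # placeholder

    # HSTS for two years so browsers refuse to fall back to plaintext.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Content compression: Brotli when the browser sends Accept-Encoding: br,
    # gzip as the fallback. text/html is always compressed by both modules.
    brotli on;
    brotli_comp_level 6;
    brotli_types text/plain text/css application/javascript application/json
                 image/svg+xml;
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/javascript application/json
               image/svg+xml;

    # Apache must learn the real client address and the original scheme,
    # otherwise it sees every request as HTTP from 127.0.0.1.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Static objects: answer from the micro cache, fetch from Apache on a miss.
    location ~* \.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$ {
        proxy_cache micro;
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_use_stale error timeout updating;
        proxy_cache_lock on;
        # add_header in a location replaces the server-level set, so HSTS
        # has to be repeated here to keep it on cached responses.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else is dynamic PHP output and goes to Apache uncached.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After deploying, `nginx -t` validates the syntax, and a client that only offers TLS 1.2 should be refused while a TLS 1.3 client negotiates HTTP/2.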

Apache

Apache is an industry-standard open source web server that first saw the light of day in 1995. In 2012, the release of version 2.4 began the support of a significant feature set that continues to improve to this day. 

One of Apache’s strengths is the ability to deliver dynamic content at high concurrencies through various application interfaces like the FastCGI Process Manager (FPM). We utilize PHP-FPM for all PHP-based applications on our cloud application stack. Beyond fast dynamic application support, Apache 2.4 has several other notable features, as described below. 

The Event MPM

Apache 2.4 saw the release of the event multiprocessing module (MPM), which provides significant performance gains over the prefork and worker MPMs of previous versions. The event MPM makes Apache much more efficient with memory usage and improves thread handling for incoming connections in a manner similar to Nginx. Hostdedi Cloud plans use a carefully tuned event MPM configuration as part of our application stack.

Web Application Firewall

A web application firewall (WAF) is an essential security feature for any website. Their purpose is to provide an HTTP content filter for common vulnerabilities, including SQL injection, cross-site scripting, and request forgeries, among others. WAFs also provide protection for known application vulnerabilities and backdoors, protecting known remote shells and unpatched software from being exploited. 

Our application stack uses ModSecurity, an open source WAF for application protection. Having ModSecurity in place with Apache provides additional protection to web applications, and helps meet security and compliance requirements such as PCI DSS. 

Content Optimization

Created by Google, Mod_Pagespeed is an open source module designed to optimize content on the server and decrease site load times. This module performs a set of front-end optimizations to static content, including HTML, JavaScript, CSS, and images. These optimizations include static code inlining, combining, and minifying, which reduces the size of these files and the number of total requests. 

While front end optimizations are smart for site development, time constraints sometimes kick these to the wayside. In these cases, Mod_Pagespeed is invaluable. 

While Mod_Pagespeed is available for both Nginx and Apache, we have enabled it with the Apache web server. This allows it to optimize the code as part of Apache, after which the result can be cached optimally in the Nginx micro cache.

Application Compatibility

As mentioned earlier, any web application can be configured under Nginx or Apache, but the latter’s support of .htaccess sometimes makes Apache a more suitable candidate. Some CMSs use .htaccess configurations not fully supported by Nginx. While there are pros and cons to using .htaccess files as a whole, it is generally preferable to make them available, rather than force our clients to modify their site to Nginx standards. 

Varnish

Varnish is a caching HTTP accelerator that provides high-performance static and dynamic content delivery. When enabled and properly configured, content requests normally handled by Apache and Nginx are now handled by Varnish, which directly delivers cached assets from memory to users’ browsers. Dynamic sites with complex back ends that require considerable PHP interpretation (such as Magento) can benefit greatly from the use of Varnish.

One downside to Varnish is its complexity in implementation. Controlling which content is cached can be tricky, especially with dynamic content. Extra care must be taken when dealing with session-based eCommerce sites to keep shopping carts updating properly. Varnish handles these configurations using its Varnish Configuration Language (VCL). The VCL can be customized for websites, and some applications such as Magento 2 provide a base VCL file to get the application up and running.

Currently, Varnish only supports the HTTP protocol, not HTTPS. This requires the use of an SSL terminator in front of Varnish, which is handled by Nginx in our web application stack.

PHP – Software Collections

Our web application stack utilizes RedHat’s Software Collections (SCL) for application language support. SCL makes multiple languages and versions, such as PHP, Ruby, and Node.js, immediately available for any given site. SCL also makes it easy to switch language versions. As an example, our clients may set the PHP version for any given account to any version between 5.6 and 7.3 from their Client Portal.

PHP Opcache

Opcache is a PHP caching accelerator that increases performance by optimizing and storing precompiled script bytecode in shared memory. A properly tuned Opcache instance lets frequently used scripts be read directly from memory, skipping the costly compilation step. This dramatically reduces load times for most applications.

Opcache is included with modern versions of PHP, including the latest release, 7.3, and has replaced older PHP script-caching methods such as eAccelerator and APC. To fully realize the benefits of Opcache, we have spent considerable time tuning the Opcache default variables within our application stack. This is frequently overlooked but nonetheless critical, as neglecting to tune the default Opcache configuration to the size of the hosted application can negate any performance gains.

CDN

While not a local part of our application stack, nearly any website will benefit from using a content delivery network (CDN). A CDN caches frequently used static content on servers around the globe, thus giving users’ browsers a local option for retrieving site content and reducing latency. We offer a CDN solution with our cloud solutions and strongly recommend its use.

Tying It All Together

Modern web applications are mammoth and have considerable system requirements for best performance. While it is possible to host an application on a simple Apache or Nginx instance, it sacrifices performance for convenience. Apache, Nginx, and Varnish have complementary strengths, and using them together grants the best results for performance and scalability. 

While our application stack is complex, it has been engineered with two decades of experience using these systems, and was tested and tuned for a variety of applications. It is also constantly evolving. As new technology and features become available for the respective components of our application stack, we test these new elements before rolling them out.

A first consideration is the set of headers used across the different services, each of which must be carefully managed. Nginx, Apache, and Varnish each provide default and custom headers for content control, cache control, and debugging information. Headers from external CDN or accelerator services can complicate this even further. Configuring headers properly ensures caching happens at the right layer and streamlines the flow of data through the stack.
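To make the header rules above concrete, here is an added Python example (not Hostdedi's, Varnish's, or Nginx's own code) that reads a response's headers and decides whether a shared cache such as Varnish or the Nginx micro cache may store it and for how long. The sample responses are constructed to mirror the cases from the Varnish section: a cacheable product page, a session-bound cart page, a per-user account page, and a static asset. The Set-Cookie rule is an assumption that mirrors Varnish's default behaviour of passing such responses through uncached.

```python
"""Decide from response headers whether a shared cache (Varnish, the Nginx
micro cache) may store a response and for how long.

Added illustration of the header rules discussed in the text; this is not
Hostdedi's, Varnish's, or Nginx's own logic.  The sample responses below are
constructed for the example."""
from typing import Dict, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, s-maxage=3600' -> {'public': None, 's-maxage': '3600'}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_decision(headers: Dict[str, str]) -> Tuple[bool, int, str]:
    """Return (store?, ttl_seconds, reason).  Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, 0, "no-store: never written to any cache"
    if "private" in cc:
        return False, 0, "private: per-user content, browser cache only"
    if "no-cache" in cc:
        return False, 0, "no-cache: must revalidate on every request"
    if "set-cookie" in h:
        # Assumption mirroring Varnish's default: a response that sets a
        # cookie is tied to one session and must not be served to others.
        return False, 0, "Set-Cookie: response is tied to a session"
    for name in ("s-maxage", "max-age"):  # s-maxage takes precedence for shared caches
        arg = cc.get(name)
        if arg is not None and arg.isdigit():
            ttl = int(arg)
            return ttl > 0, ttl, f"{name}={ttl}"
    return False, 0, "no freshness lifetime given"


# Constructed examples of what an application tier might emit.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "product page": {"Content-Type": "text/html",
                     "Cache-Control": "public, max-age=60, s-maxage=3600"},
    "cart page": {"Content-Type": "text/html",
                  "Cache-Control": "no-store, no-cache, must-revalidate",
                  "Set-Cookie": "PHPSESSID=constructed; path=/; HttpOnly"},
    "account page": {"Content-Type": "text/html",
                     "Cache-Control": "private, max-age=0"},
    "stylesheet": {"Content-Type": "text/css",
                   "Cache-Control": "max-age=31536000"},
    "legacy page": {"Content-Type": "text/html"},
}


def audit(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES
          ) -> Dict[str, Tuple[bool, int, str]]:
    """Classify every sample response so the whole stack's policy is visible at once."""
    return {name: shared_cache_decision(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (store, ttl, why) in audit().items():
        print(f"{name:13} store={str(store):5} ttl={ttl:>9}  {why}")
```

Run it against captured headers from each tier (Apache, Nginx, Varnish, CDN) in turn: a product page that comes out of Apache with a long `s-maxage` but leaves the CDN with `private` is exactly the kind of misplaced caching the paragraph above warns about.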

Logging also presents a challenge, both for debugging and compliance requirements. Each service in the stack generates a log, all of which must be stored in a secure remote location to facilitate tracking of each request and response through these various components.

Threading, connection limits, and resource utilization must also be taken into account. Any component in this application stack can be a bottleneck if not properly tuned. Many of these configurations are outlined in our paper, The Definitive Guide to Magento 2 Optimization.

What Is a PCI DSS Audit?

Officially known as an annual PCI DSS assessment, this annual audit is required for Level 1 merchants and recently breached merchants to maintain PCI compliance. These assessments can only be performed by a qualified security assessor (QSA). Read on to learn what you, the merchant, should expect from the audit and how to prepare for it.

Top Reasons to Become PCI DSS Compliant

PCI DSS refers to Payment Card Industry Data Security Standards, and it is required for any store that accepts credit cards as payment. This applies both to stores that process credit cards, and stores that limit themselves to transmitting card data to third party payment gateways like PayPal and others. 

The case for “why PCI compliance” is two-fold:

  1. The five major credit card companies on the PCI Council (Visa, MasterCard, American Express, Discover, JCB) say it is.
  2. PCI-compliant merchants are more effective at protecting their customers’ data than merchants that are non-compliant. 

Or, as a third argument for the merchants unmoved by the first two: PCI DSS helps prevent breaches, and breaches cause downtime and lost revenue. 

For a more detailed breakdown of PCI compliance, see How Hostdedi Helps Your Store Stay PCI Compliant.

PCI DSS Risks

Only 29 percent of companies remain compliant a year after their initial validation because they pass once, then drift into complacency.

Auditing is a required component of compliance for larger merchants, and it may be tempting to wonder about the consequences of non-compliance. Some might resent what they perceive as the credit card companies’ stranglehold on ecommerce. Others might just “have better things to do with my time, like run my business.”

What’s the worst that could happen?

The short answer is non-compliant merchants can be fined, audited, breached, and suffer damage to their brand reputation. The longer answer is that PCI compliance is the beginning of security, not the end. It’s best to consider it as the “minimum acceptable standard” for securing your customers’ data.

How Much Does a PCI Audit Cost?

On average, a typical PCI audit for a smaller merchant costs about $15,000. This adds to other factors influencing PCI DSS certification cost, which usually relate to infrastructure and paying qualified personnel to apply and maintain best practices of data security. While this is not insignificant, the cost of ignoring compliance is far greater.

Beyond ethical concerns, failure to comply can result in:

  • Fines by credit card companies ranging between $5000—$100,000
  • Security breaches, which often involve downtime to resolve
  • Legal action by endangered customers and third parties
  • Damaged reputation and loss of consumer trust
  • Loss of revenue
  • Federal audits

How Does a PCI DSS Audit Work?

If you’re facing an upcoming audit, then you’re either a level 1 merchant with more than 6 million credit card transactions per year, or a merchant from the lower PCI compliance levels (2–4) that suffered a recent data breach. The central goal of the audit is to find non-compliance, provide guidance on how to fix it, and verify you’ve addressed any and all issues.

The first step is finding a Qualified Security Assessor (QSA) to perform the audit. Only QSAs are licensed to perform the audits, as these organizations are certified by the PCI council to understand their data security standards. 

The simplest way to find a QSA is by choosing one from the list on the PCI website. As with any service, it is usually wise to talk to a few, as not all are created equal. Never hire a company claiming to be a QSA if not present on the PCI list; these companies are either outsourcing your request, or planning to sell you other services. 

Once onsite, the auditor will assess multiple areas of your business. As you might expect, this includes your cardholder data environment (CDE), defined as any device, component, network, or application that stores, processes, or transmits cardholder data. It also includes your policies and procedures surrounding your use of these systems.

PCI Audit Requirements

  • Transparency and cooperation
  • Completed PCI audit checklist
  • Understanding of current PCI DSS
  • Your printed copy of your Report on Compliance (ROC) from the previous year
  • Evidence of quarterly scanning and penetration testing
  • Evidence of regular event log checks
  • Documentation on how you handle third party vulnerabilities

Remember: the role of the auditor is to prevent the compromise of cardholder data, not to punish your company. As long as you’re cooperative and invested, the auditor will explain where you need to improve and help you do it. To execute these changes efficiently, consider appointing a compliance leader within your organization. This individual takes responsibility for compliance efforts, but also should have the authority to compel change across your team.

9 Common PCI Mistakes Revealed by PCI Audits

If you care enough about PCI compliance to read this article, then you’re on the right track. Following are nine common mistakes for merchants undergoing audit, though your experience may vary according to your business needs and PCI compliance level.

Hiring a PCI compliant hosting provider like Hostdedi will go a long way toward preventing these mistakes, but it’s not a magic bullet. Merchants must do their part as well, but most hosting providers can assist you in this task.

Reminder: CDE, or cardholder data environment, refers to any device, component, network, or application that stores, processes, or transmits cardholder data.

Unnecessary storage of credit card data 

As a general rule, you should take every reasonable step to avoid storing credit card data, and never store CVV numbers for any reason. Many merchants choose to store data to accelerate their customers’ checkout process without fully understanding the implications for compliance. Don’t be one of them.

Failure to separate the CDE network from the rest of the organization’s IT infrastructure

The key phrase to remember for PCI compliance and access to cardholder data is “as-needed.” Make it your mantra. When applied to your network, this principle is known as “network segmentation,” and it usually concerns the sub-networks within your organization. Sub-networks used for internal office communications should have no access—direct or indirect—to the sub-networks that can reach the CDE.

Failure to restrict access to the CDE to only those employees that need it 

Once again, only employees who need access should have it. This applies both to physical access to areas housing devices within the CDE and to permissions and passwords.

Insufficient training and security awareness

This extends to your team as well as yourself. If you employ a team, consider appointing someone as a Compliance Officer to take responsibility for training efforts, and give them enough authority to get the job done.

Weak password security policy

Passwords to any system within the CDE should be unique, complex, and never shared between employees. Password managers like LastPass, Zoho, 1Password, and many others are invaluable for safely generating and storing complex passwords. If your team isn’t using one, then it’s a red flag for your security practices. Two-factor authentication for any CDE system is likewise essential, whether Google Authenticator, Duo, or something similar.

Missing web application firewall (WAF) 

A web application firewall (WAF) identifies and interrupts malicious activity and exploits. Most merchants don’t use one in their infrastructure. You can pass a PCI assessment without one, but it requires a code audit any time you make changes to your application (Magento, WordPress, and so on). Most hosting providers can provide a WAF solution, or you can use a cloud-based one, which will increase security and simplify PCI compliance.

Inadequate network activity logs 

A network log is a record of events, and is crucial for identifying and tracking the efforts of bad actors attempting to gain access. Again, if you’re a level 1 merchant that processes millions of credit card transactions per year, you’re an inviting target and likely have a network administrator in place. If you’re not a Level 1 merchant and you’re facing audit, then it means you were recently breached.

Missing or poorly configured firewalls and routers 

The security of a network firewall (not to be confused with web application firewall) or router is only as good as the person configuring it. Know your stuff or employ someone that does.

Unclear or outdated security incident response procedures 

Whether you use Magento, WooCommerce, or any other platform, you or your system administrator should take great pains to stay current on the latest vulnerabilities. Have a plan to respond to exploits when—not if, but when—they occur.

Don’t Wait for Your Audit to Get Started

As a final point, never forget that PCI compliance is an ongoing effort. Annual audits are only one component of compliance, but a proactive approach with upcoming changes to your CDE will often pay dividends. Engage your QSA about these changes well before they happen, as they can provide sage advice about maintaining compliance. 

For guidance with PCI compliance, contact our sales team between 9 a.m.–5 p.m. eastern time, Monday to Friday.  

ElasticSearch Makes Magento Search Faster and More Accurate

Search is an essential feature of an ecommerce store. And for any store with more than a handful of products, it’s one of a handful of ways that customers can narrow product selection to a manageable number. So finding the right search engine for your store is vital. For Magento merchants and developers, that search engine is Elasticsearch. 

Despite the advantages of Elasticsearch, many Magento merchants still run their stores on obsolete and outdated search software. In fact, 42% of companies don’t try to optimize search at all.

Originally developed in 2010, Elasticsearch has grown to become one of the biggest players in search offerings. It has largely replaced rivals SOLR and Sphinx. For Magento sites, it has now become the default search option, replacing the MySQL search engine, which has been deprecated.

How Elasticsearch Works for Ecommerce

Magento includes built-in search functionality that previously, by default, used a MySQL database. MySQL and its variants are powerful, but they aren’t the ideal back end for a search engine. We use search engines every day and we are accustomed to a sophisticated search interface that can turn our vague and often badly spelled queries into useful results.

MySQL isn’t well-optimized for that use case, which is why Magento previously would – on occasion – return less-than-useful search results.

ElasticSearch, on the other hand, is highly optimized for fast and accurate search. As a Java-based document store – what used to be called a NoSQL database – it’s engineered to store huge numbers of JSON documents and retrieve them according to criteria supplied by the user. 

Imagine wanting to find a specific set of headphones that have something to do with “Master Class,” but it isn’t part of their name. You type it in and you’re given a large selection of products you really aren’t interested in.

Customers frustrated with their Magento search experiences?

Don’t worry, Elasticsearch is here! ES allows for a merchant to specify different criteria the user may be searching for – beyond just the name. This may include the description, the manufacturer, the release date, and more. 

In short, it makes an ideal search engine back-end for ecommerce stores and many other types of website. It also makes the ecommerce search experience just that much better.  

And when combined with Magento, ElasticSearch’s built-in functionality augments ecommerce search with a host of useful improvements.

Extremely Fast Search

ElasticSearch is much faster than Magento’s default search, especially when searching through large product catalogs. It can run searches over millions of products without breaking a sweat, and it’s a rare ecommerce store that approaches that number of products.

The speed at which ElasticSearch returns results can be used for features such as continuously updating results: as the user types their query, the search results update immediately because ElasticSearch searches faster than users can type.

More Accurate Results

Shoppers don’t want to have to carefully craft search queries. They want to enter a vaguely appropriate query and have the search engine figure out what they mean. ElasticSearch is packed with features that help match queries to relevant results, even when the queries aren’t especially well-formed.

Among these features is fuzzy searching, which matches products similar to the query but not exactly the same, using the Damerau-Levenshtein edit distance. Fuzzy searching helps stores surface and rank the right products from their catalog even when the shopper mistypes or searches for a related product that isn’t in the catalog.
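As an added illustration (not Elasticsearch or Magento code), the Python below implements the Damerau-Levenshtein distance in its optimal string alignment form and ranks a small constructed catalog against a misspelled query, using the same AUTO fuzziness thresholds Elasticsearch applies per term (0 edits for terms of up to 2 characters, 1 edit for 3 to 5, 2 edits above that). The scoring formula is an assumption made for the example, not Elasticsearch's relevance model, and the product catalog is constructed.

```python
"""Fuzzy product lookup ranked by Damerau-Levenshtein (optimal string
alignment) distance, the edit metric behind Elasticsearch's fuzzy matching.

Added illustration; not Elasticsearch or Magento code.  The catalog and the
scoring formula are constructed for the example."""
import re
from typing import Dict, List, Tuple


def dl_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent transpose) turning a into b."""
    a, b = a.lower(), b.lower()
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i                     # delete every character of a
    for j in range(cols):
        d[0][j] = j                     # insert every character of b
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def auto_fuzziness(term: str) -> int:
    """Elasticsearch's AUTO rule: 0 edits up to 2 chars, 1 for 3-5, 2 beyond."""
    n = len(term)
    return 0 if n <= 2 else 1 if n <= 5 else 2


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


# Constructed catalog: the "Master Class" case from the text plus two decoys.
CATALOG: List[Dict[str, str]] = [
    {"sku": "HP-001", "name": "Master Class Studio Headphones",
     "description": "Closed-back over-ear headphones for mixing"},
    {"sku": "HP-002", "name": "Street Beat Headphones",
     "description": "Wireless on-ear headphones with 30h battery"},
    {"sku": "SP-001", "name": "Desktop Speakers",
     "description": "Compact stereo speakers"},
]


def search(query: str, catalog: List[Dict[str, str]] = CATALOG
           ) -> List[Tuple[str, float]]:
    """Rank products whose name or description fuzzily matches the query terms.

    Assumed scoring: each query term adds 1.0 for an exact match and less
    for each edit spent, so closer matches rank higher."""
    results: List[Tuple[str, float]] = []
    for product in catalog:
        doc_tokens = set(tokens(product["name"] + " " + product["description"]))
        score = 0.0
        for term in tokens(query):
            limit = auto_fuzziness(term)
            best = min((dl_distance(term, t) for t in doc_tokens), default=limit + 1)
            if best <= limit:
                score += 1.0 - best / (limit + 1)
        if score > 0:
            results.append((product["sku"], round(score, 3)))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    print(search("mastre clas headhpones"))   # misspelled, still finds HP-001 first
```

Note that the query finds the "Master Class" product through its name tokens even though the shopper transposed letters in every word, which is the behaviour the paragraph above describes; the speakers are excluded because no term comes within the allowed edit budget.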

Easy to Use

Given the complexity of what ElasticSearch does, you might expect that it would be difficult to use. In fact, it couldn’t be easier. Once you hook ElasticSearch up to Magento, search is immediately improved without any complicated configuration. ElasticSearch ships with sensible indexing defaults and can begin returning better results in no time at all.

Improves UX

The average user spends just 8 seconds looking at a search results page. That’s 8 seconds to provide them with the right answers – in this case, products. Miss that time frame and you’re at risk of them looking somewhere else. After all, would you stay in a store if the attendant kept trying to sell you something you didn’t want?

It’s for this reason that product search is so vital. And with that browsing time only decreasing, the benefits of Elasticsearch give merchants less to worry about. 

Elasticsearch improves Magento UX by combining all of the features mentioned above. Faster speed means customers are able to find products faster. More accurate results mean they’re able to find the right products. And ease of use means merchants are able to enable it without too much extra work. 

Get Started with Elasticsearch for Magento the Easy Way

With Hostdedi ElasticSearch cloud hosting, Magento retailers can deploy a scalable and secure ElasticSearch instance in minutes. 

We’re happy to help Magento hosting customers to integrate their ElasticSearch instance with Magento. Get in touch today to learn more about Magento and ElasticSearch.

Is the End Near for EV SSL Certificates?

Google, Firefox, and Apple certainly think so. Extended Validation (EV) SSLs are effectively being put out to pasture. Upcoming changes to Chrome and Firefox will soon remove the EV badge from their browsers, citing concerns with its diminished reputation for protecting consumers. 

Standard vs. EV SSL certificates

If you’re already familiar with SSL certificates and the difference between Standard and Extended Validation (EV) varieties, skip ahead to the Why Are Browsers Burying EV SSL Certificates? section. 

SSL certificates are digital certificates that authenticate the identity of a website and allow for secure transmission of credit card data, login credentials, and other sensitive information. Though many types are available, standard SSL certificates provide the padlock icon in most browsers, help make your site PCI-compliant, and are a good choice for most merchants. 

In most browsers, sites without SSL certification receive the “Not Secure” label, and anyone clicking on it will read a dire warning. 

Furthermore, most browsers also will warn the user before entering any credit card information. Even if they don’t notice the lock, it’s almost impossible to miss the alert upon checkout. This tends to have a chilling effect on most users’ buying experience.

EV SSL certificates attempt to enhance this authentication with a more rigorous (and expensive) validation process. The end result is the addition of the merchant’s established legal identity just to the left of the web address.

In theory, this provides an additional visual cue for consumers, which makes them feel safer and more likely to spend their money on the site. In practice, most consumers don’t notice the absence of a site’s “legal identity,” meaning the EV SSL certificate provides little value to anyone other than the organization selling it.

Why Are Browsers Burying EV SSL Certificates?

In cyber security circles, criticism of EV SSL is not new. The stated goals for EV SSL are 1) to make it harder for phishing scams to fake their online identity, and 2) to make consumers feel safer. Critics argue that EV SSLs are only marginally effective at #1, and utterly ineffective at #2.

The core failing in the “legal identity” tactic against phishing scams is the relative fluidity of those legal identities. The phrase itself is a misnomer, one that falsely invokes images of face-to-face authentication and triple-checked claims. As demonstrated by one industry professional, the methods of identity verification vary by state, with many ranging between “woefully inadequate” and “cursory.” A determined bad actor would have little trouble registering “Identity Verified” or some other devious “legal identity” to dupe unsuspecting consumers into feeling secure.

However, such efforts would likely be wasted, because the same experts claim most users simply fail to notice the presence or absence of the legal identity. Apple has already removed the visual cue from Safari in macOS Mojave for this very reason. Recently, Chrome and Firefox announced their intent to follow suit, with the former stating:

Users do not appear to make choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

For Chrome, this takes effect on September 10. The change comes to Firefox on October 22. The legal identifier will still be available, but buried in the interface and only accessible to the determined clicks of a knowledgeable user. 

Despite the exaggerated claims of organizations eager to sell EV certificates, most users are content to see the padlock and not see any warnings at checkout, both of which are provided by other, less expensive SSL certificates.  

If you have questions about which SSL certificate is right for you, contact our sales team for assistance.

The post Is the End Near for EV SSL Certificates? appeared first on Hostdedi Blog.

How Hostdedi Helps Your Store Stay PCI Compliant

Having a PCI compliant store requires the sustained efforts of both yourself and your hosting provider. Although there are no shortcuts, choosing a credible web hosting provider is an effective place to start. Even so, most PCI requirements can only be met by you, the merchant. Read on to learn more about the dividing line between host and merchant, and why it can be worthwhile to go beyond PCI for your customers.

What Is PCI?

In ecommerce, PCI is shorthand for Payment Card Industry Data Security Standards (PCI DSS). Created in 2004, PCI DSS aims to help protect consumers and prevent credit card fraud. It is required for any organization that receives, processes, or stores credit card data of any of the five members of the PCI Security Council: VISA, MasterCard, American Express, Discover, and JCB.

The list of requirements is extensive, to put it mildly. The requirements span six categories, and each category is divided into several hundred specific requirements. Some fall exclusively under the domain of either merchants or hosting providers, while some extend to both. PCI compliance is also not a one-time requirement, as the Security Council makes periodic adjustments to address new threats to consumers.

Compliance is not a “one-and-done” event. It requires daily, weekly, monthly, and annual tasks to maintain compliance. There are 12 general requirements divided among six categories. For illustrative purposes, we’ve listed these same categories, but also included more specific requirements from within PCI DSS. 

6 Key Categories for PCI Compliance

Build and maintain a secure network. Install and maintain a firewall. Use unique, high-security passwords with special care to replace default passwords.

Protect cardholder data. Whenever possible, do not store cardholder data. If there is a business need to store cardholder data, then you must protect this data. Encrypt any data passed across public networks, including data passed between your shopping cart, your Web-hosting provider, and your customers.

Maintain a vulnerability management program. Use antivirus software and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure your antivirus software applications are compliant with your chosen card companies.

Implement strong access control measures. Access to cardholder data, both electronic and physical, should be on a need-to-know basis. Ensure those people with electronic access have a unique ID and password. Do not allow people to share login credentials. Educate yourself and your employees on data security, and specifically the PCI Data Security Standard (DSS).

Regularly monitor and test networks. Track and monitor all access to networks and cardholder data. Maintain a regular testing schedule for security systems and processes, including: firewalls, patches, web servers, email servers, and antivirus.

Maintain an information security policy. Establish a clear and thorough organizational data security policy. Disseminate and update this policy regularly.

PCI non-compliance can result in fines ranging between $5000—$100,000 per month, depending on the size of the offending organization, its severity, and other factors. Non-compliance can also result in legal action, security breaches, and lost revenue.

PCI Requirements for Hosting Providers 

It is virtually impossible for the typical merchant to be PCI compliant without enlisting the services of a compliant hosting provider. Merchants that host their own websites must meet hosting provider requirements in addition to meeting those for merchants. Such a model works for massive enterprises like Amazon and WalMart, but few others.

Following are some of the highlights of our systems and policies that uphold our status as a PCI compliant hosting provider. The term “cardholder data environment” refers to any system that stores, processes, or transmits credit card data as well as any system that has access to cardholder data environment itself.

We maintain a web application firewall (WAF), which monitors all connections between the cardholder data environment and other networks. ModSecurity prohibits public access to sensitive areas, identifies untrusted connections, and hides IP addresses and routing information from unauthorized parties.

We apply industry-accepted configuration standards for all system components that address all known security vulnerabilities. This extends to our internal and external network, our operating systems, and hardware required to host web services.

We apply cryptography and security protocols that encrypt and protect cardholder data even when transmitted across public networks. SSL certificates and other trusted security keys are enforced across the board. Only modern TLS ciphers are permitted.

We restrict physical access to our data center with 24-hour security policies and a team trained to implement them. This includes, but is not limited to:

  • Video surveillance with 90-day footage history
  • Secured entry with at least two-factor authentication (PIN, access card) in most areas, and three-factor authentication (PIN, access card, thumbprint) in areas housing the cardholder data environment
  • Visible identification on all team members
  • Visitor policy that prevents unauthorized public access; authorized external individuals have access only to required areas and are escorted at all times 
  • Team members are given access to the cardholder data environment only if their role requires it
  • Restricted access to network jacks, wireless access points, gateways, networks, and other lines of communication

We track and monitor access to network resources and cardholder data, though it falls to clients to maintain logs and monitor logins for their own applications (Magento, WordPress, and so on).  

We regularly test our security systems and processes, and perform internal penetration testing at regular intervals as well as after any significant infrastructure upgrade. 

PCI Requirements for Merchants

Properly implemented, PCI compliance helps merchants adhere to commonly accepted best practices of data security. Hosting with a PCI compliant provider is a solid first step, but becoming compliant still requires action on your part.

If your store accepts credit cards as payment, it must be PCI compliant whether you store that data or not. Choosing a PCI Compliant web host is only the first step. Most credible web hosts can provide merchants with materials outlining their respective responsibilities upon request, but ultimately it is on merchants to understand and meet these requirements. 

Regrettably, there is no “one size fits all” checklist. Your specific responsibilities will vary according to your merchant level (1–4, with 1 being the highest), which is generally determined by the number of credit card transactions your store processes annually. 

The general process for most merchants is:

  1. Identify, understand, and implement the appropriate PCI DSS requirements. 
  2. Complete a Self Assessment Questionnaire (SAQ). The SAQ is a checklist outlining the requirements. Depending on your level, some or all of them will apply to you. Level 1 merchants have the most requirements; level 4, the least.
    Resist the temptation to simply “check every box” in the SAQ. Doing so endangers your customers and exposes your business to liability. The PCI stands to lose money from breaches, and in response may investigate your SAQ and AOC.
  3. Submit to a quarterly scan by an Approved Scanning Vendor (ASV), an independent, qualified authority that performs external vulnerability scans on your systems. 
  4. Complete the Attestation of Compliance (AOC), a document asserting that you are both eligible to perform and have in fact performed the SAQ to the best of your ability.
  5. If classified as a level 1 merchant, you must take additional steps, including an on-site assessment. 

If climbing the considerable hurdle of PCI compliance doesn’t appeal to you, you’re not alone. Your hosting provider can answer questions related to overlapping responsibility, and third-party Qualified Security Assessors (QSAs) can help businesses run the PCI gauntlet (for a price).

Even businesses offering only PayPal, Auth.net, and other payment services as payment options must be PCI compliant because those businesses must still transmit credit card data.

One universal component is the need to confirm that all of your service providers are PCI compliant. This includes your hosting provider, but also extends to payment processors, payment gateways, POS providers, and any other entities that touch your customers’ cardholder data. 

Some PCI Essentials for Merchants

  • Maintain PCI compliance. Compliance requires ongoing awareness and daily application. Tasks range from daily to annual, but all are recurring.
  • Don’t just check “Yes” to every question in the SAQ. Due diligence protects your business and your customers.
  • Know your code, or use a developer that does. Implement best practices of deployment using staging and dev sites without exception.
  • Establish a secure password policy. Use complex, unique passwords and never allow your staff to share login credentials or use default passwords.
  • Enable two-factor authentication for all of your internal users, and consider providing it as an option for customers logging in to your site.
  • Use a web application firewall (WAF). At Hostdedi, we provide one for all clients and it’s enabled by default.
  • Don’t just take your hosting provider’s word for it. Confirm they’re PCI-compliant and competent by asking for (and getting) their Attestation of Compliance (AOC).
  • Keep your applications and extensions current to the latest stable release, and actively monitor for new threats and versions.

Beyond PCI

If PCI compliance were enough, breaches of high-profile organizations would be far less common. Compliant should not mean complacent.

In reality, PCI compliance is “Cardholder Data Security 101.” It is the minimum acceptable standard and a reasonable introduction, but PCI is far from infallible. Credit card companies require compliance. Merchants adhering to PCI standards will be more effective at protecting consumers than businesses that just pay them lip service, but PCI compliance is only the first step. 

The very nature of PCI — a large, curated document updated only periodically — makes it vulnerable. Standards deemed sufficient in the “current” version are often exposed as inadequate. It can take months or even years for PCI to “catch up,” and bad actors are well aware of its limitations.

The best protection is knowledge. At Hostdedi, we have team members that specialize in web security who stay well-versed in the newest threats, breaches, and countermeasures. Many merchants may be reluctant to enlist the services of a security expert. At the very least, we recommend subscribing to security notifications for your ecommerce application and following at least one credible web security news source. Both sources react much faster than the PCI, and following them will help you “spot the smoke” before it becomes a fire. 

We’re on the List!

Don’t forget, we’re “On the List” of PCI-compliant providers officially recognized by the Visa Global Registry. That means we’ve shown a continued commitment to reviewing and improving our security policies to match and exceed PCI compliance requirements. If you’re looking for a PCI-compliant provider, hosting with Hostdedi means you’re hosting with an approved and recognized provider. Learn more about PCI-compliant hosting with Hostdedi.

For guidance with PCI compliance, contact our sales team between 9 a.m. and 5 p.m. Eastern time, Monday to Friday.

