New Toys September 25, 2007
Pukka World Headquarters just received some new toys. Inside these two huge (and heavy) boxes are about 75% of the computer hardware we’ve purchased to reach some of our strategic goals for MotorsportReg.com. In this picture are 10 servers and about 1000 gigabytes of storage. We’re picking up four storage arrays (another terabyte or so) and some spare parts later today that will complete our buildout.
What’s all this for, you’re probably wondering? Don’t you already have four servers in a biometrically protected, industry-standard colocation facility? Isn’t that enough for some little registration website?
Well, yes and no!
The truth of the matter is that anyone who processes, stores or transmits credit card numbers needs to be compliant with the Payment Card Industry’s Data Security Standard (PCI DSS). This includes your organization if you process credit cards by phone, fax or Internet. Everyone, no exceptions.
PCI DSS is a collection of rigorous security best practices that require a high level of security at all layers: physical, network and policy. Depending on your transaction volume, you may be required to self-assess or to bring in an outside firm to audit your organization and submit the results to Visa, MasterCard and American Express. Failure to comply with these regulations can result in monthly fines and, in the event of a security breach, fines as high as $500,000 plus $35 per compromised card can be levied against you.
Ouch.
Our new toys are to honor our two primary customer commitments: to protect your member data as though it were our own and to make sure your money is always safe. There’s no monkeying around on this.
So, here’s what we’re doing to increase the security of your data and improve the performance of our application for you and your members:
- Additional Firewalling – We already firewall at two levels today, but we’ll be inserting a third layer and physically segmenting our network. Think of this like putting things in different rooms with locked doors. You can allow authorized entry with your key, but an intruder would have to break into multiple rooms to get at everything.
- Separating Critical Services – Start-ups often use a single server for multiple services due to limited resources. For example, our mail server also handles a few non-critical web sites, but if someone were to crack those sites, they could potentially screw with our mail! PCI DSS requires you to separate your services to one primary function per server, so that each server can be locked down and the damage is limited in case of a breach. Those boxes of servers are just for that.
- Additional Physical Security – Our servers are already located in a dedicated, earthquake-resistant building with diesel-generator power backup and a redundant network. It requires human identification at the front desk and a biometric fingerprint scan to enter the data center. Then it requires a key to enter the 15×15 caged enclosure where our servers, along with those of about 20 other companies, are stored under the eye of a video camera. Pretty safe, wouldn’t you say? We’re going one better and moving our hardware into a private, locked cabinet, and only we will have those keys.
- Encryption – You’ve heard those stories about the Government “losing” a laptop with top secret information on it? Not the way we want to see our name in the paper! We’re rolling out NSA-approved strong encryption to scramble sensitive data while it’s stored in our database and on disk. This is a key component of making sure our backups are as secure as the application itself.
- Two-Factor Authentication – Although remote access to our network is already heavily restricted, we’re going the extra mile and leveraging 2-Factor Authentication. To gain administrative access to a MotorsportReg.com server, we’ll need a username, a password and a special 6-digit code that changes every 60 seconds. This is the same level of protection that banking facilities rely on.
- Failover and Redundancy – With our current 4-server model, we can recover from most catastrophes in 12 hours or less. But you depend on MotorsportReg.com for your most critical services and reporting! That’s why we’re adding redundant systems and clustering to continue operating even if a server or two bites the dust. We’ll also roll out upgrades and perform most maintenance without taking the site offline. What does this mean? Practically 100% uptime, whether it’s 2PM Wednesday or 3AM Saturday morning (you know who you are).
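As an added illustration of the two-factor item above (this is example code, not MotorsportReg.com’s own system, and the post does not say which product they used), the following shows how a time-based 6-digit code that rolls over every 60 seconds is generated and checked. It assumes the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1 over a time-step counter) with a constructed administrator record and a 60-second step to match the description; the secret is the RFC test-vector value, not a real key. Both factors are evaluated before the result is returned, and comparisons are constant-time, so a failed login does not reveal which factor was wrong.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the post describes a code that changes every 60 seconds
DIGITS = 6          # 6-digit code
DRIFT_WINDOW = 1    # accept one step either side to tolerate token/server clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = STEP_SECONDS, window: int = DRIFT_WINDOW) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps.

    Every candidate step is compared with compare_digest so the check takes the
    same time whether or not the digits match.
    """
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    counter = at_time // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            matched = True
    return matched


# Constructed administrator record (assumption: one PBKDF2 password hash plus a
# per-user TOTP secret, stored server-side). The secret is the RFC 6238 test vector.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
ADMINS = {
    "ops": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS),
        "totp_secret": b"12345678901234567890",
    }
}


def check_admin_login(username: str, password: str, code: str, at_time: int) -> bool:
    """Two-factor check: username + password (first factor) and current 6-digit code (second).

    Both factors are always evaluated, and the caller only learns pass/fail.
    """
    rec = ADMINS.get(username)
    if rec is None:
        return False
    candidate_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    password_ok = hmac.compare_digest(candidate_hash, rec["pw_hash"])
    code_ok = verify_totp(rec["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(ADMINS["ops"]["totp_secret"], now)
    print("current code:", current, "valid for step", now // STEP_SECONDS)
    print("login with both factors:", check_admin_login("ops", "correct horse battery staple", current, now))
    print("login with bad code:    ", check_admin_login("ops", "correct horse battery staple", "000000", now))
```

With a 60-second step, each code is valid for one full minute plus the drift window; a shorter step (30 seconds is the common default for phone authenticator apps) narrows that window at the cost of more frequent clock-skew rejections.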
So that’s the high-level overview. Unfortunately this means that I’m going to be in SysAdmin Hell as we upgrade everything, but it will all be worth it. We do it so you don’t have to!
Question for you: does your club already process credit cards in your office? Have you ever written down a card number? You’re subject to PCI – are you compliant? Check with your team!

November 16th, 2007 at 11:57 am
[...] are some additional fees from Visa/Mastercard as well as overhead necessary to make this secure and reliable so we’ve added a slightly higher price point to [...]
December 12th, 2007 at 9:37 pm
[...] everyone is focusing on fun and family this holiday season, we’ve been hard at work bringing PCI DSS compliance to MotorsportReg.com. This weekend we’re finally ready to install 12 new servers for the next [...]
November 7th, 2011 at 2:52 pm
Some members in our club are uncomfortable with putting their VIN on MSR. Their fear is that your info will somehow become visible to someone like CARFAX and be added to a generally available report. What can we tell these guys to assuage their fears?
November 8th, 2011 at 11:31 am
Gregory – VIN is not a field that can be included on any public facing page. It’s only available to the member and to clubs with whom they participate. While they need to trust the organizers, providing it via MSR is no different than providing it on a paper form. Our privacy policy prohibits us from disclosing information to third parties which would include CARFAX. Only under a police warrant would we turn over any information.