To achieve compliance with the DSS, you must ensure that your server environment is properly designed. Among the requirements, you must not store cardholder data on a server that is publicly accessible. It will be necessary to segment your network and use a proper firewall configuration to prevent unauthorized access to your servers. A suitable network configuration is demonstrated in the figure below.
To remain compliant with the DSS you must not store cardholder data on a server that is accessible from the Internet. In practice this means the database and the web server must never share a machine: the web server sits in the DMZ and is reachable from the Internet, while the database server sits on the trusted internal network behind the firewall.
Traffic between the DMZ and the trusted internal network is permitted only where there is a genuine business need. Even then, a firewall must filter and regulate that traffic, restricting it to the specific protocols and ports required (for example, the web server's connection to the database server) and blocking all other communication. Inbound Internet traffic must never be permitted directly into the trusted internal network.
You should also disable all unnecessary services and protocols on your servers to reduce the attack surface. Examples include services such as SMTP or FTP, and protocols such as NetBIOS.
The hardware and software requirements for AbleCommerce 7.0 are as follows:
Memory: 1 GB for a development environment; 2 GB or higher for a live environment
Operating system: Microsoft Windows 2000, 2003, or 2008 Server
Disk space: 50 MB minimum, more depending on storage needs
Database: Microsoft SQL Server 2000, 2005, or 2008 (Express editions of SQL Server are supported)
The most recent service packs and security fixes must be applied to the operating system and to the database server. For additional details about the recommended minimum system requirements, refer to the AbleCommerce online help documentation at this URL:
Follow the standard procedure for deployment of the application files to the web server. When you reach the web based installation you will be asked to provide your database connection information.
In a PCI DSS compliant installation you cannot choose the supplied SQL Server 2005 database. That option uses a local user instance of SQL Server Express running on the web server itself, which places cardholder data on an Internet-accessible host and violates the requirements for database storage described above. Instead you must have Microsoft SQL Server installed on a separate server that is not accessible from the Internet.
The screen shown in Figure 2 above is used if your database is set up to accept SQL logins. Use this form to provide the SQL username and password for connecting to the database. You should NOT use the "sa" super user account; create a dedicated login for the application and grant it only the database permissions it needs.
You may also use Windows authentication (recommended) to connect to the database. To do this, select to specify the connection string:
For Windows authentication the connection string should take the format of:
When using this method to connect, you must be sure that the user identity of the ASP.NET process has been given permissions to access the database.
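The following T-SQL script is an added example and is not part of the AbleCommerce documentation. It shows both ways of provisioning the database principal described above without touching "sa": a dedicated SQL login with the server's password policy enforced, and a Windows login for the ASP.NET process identity. The database name (AbleCommerce), the login name (ablecommerce_app) and the machine account (CORP\WEB01$) are assumptions; the exact permissions the AbleCommerce installer needs are not stated on this page, so the script grants schema-creation rights only for the duration of the installation and removes them afterwards (also an assumption). The script targets SQL Server 2005 or later; on SQL Server 2000 the equivalent calls are sp_addlogin and sp_grantlogin.

```sql
-- Added example, not AbleCommerce's own script. Run as a sysadmin on the
-- database server (the one on the internal network, not the web server).
-- Assumed names: database AbleCommerce, SQL login ablecommerce_app,
-- ASP.NET process identity CORP\WEB01$ (the web server's machine account,
-- which is what a remote SQL Server sees when the app pool runs as
-- NETWORK SERVICE on a domain-joined IIS host).
USE [master];
GO

-- Option A: SQL login, for the username/password installer form.
-- CHECK_POLICY applies the Windows password complexity policy to the login;
-- CHECK_EXPIRATION forces rotation. Replace the placeholder password.
CREATE LOGIN [ablecommerce_app]
    WITH PASSWORD = N'<strong password here>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Option B: Windows login for the ASP.NET process identity (recommended).
-- No password is stored in web.config with this option.
CREATE LOGIN [CORP\WEB01$] FROM WINDOWS;
GO

USE [AbleCommerce];
GO

-- Map each login to a database user. Only one of the two will actually be
-- used by the application; both are shown for completeness.
CREATE USER [ablecommerce_app] FOR LOGIN [ablecommerce_app];
CREATE USER [CORP\WEB01$]     FOR LOGIN [CORP\WEB01$];
GO

-- Steady-state rights: read and write data, nothing else.
EXEC sp_addrolemember N'db_datareader', N'ablecommerce_app';
EXEC sp_addrolemember N'db_datawriter', N'ablecommerce_app';
EXEC sp_addrolemember N'db_datareader', N'CORP\WEB01$';
EXEC sp_addrolemember N'db_datawriter', N'CORP\WEB01$';
GO

-- Installation-time rights (assumption: the web installer creates the schema).
-- Grant before running the web based installation, then revoke below.
EXEC sp_addrolemember N'db_ddladmin', N'ablecommerce_app';
EXEC sp_addrolemember N'db_ddladmin', N'CORP\WEB01$';
GO

-- After installation completes, take the schema rights away again.
-- EXEC sp_droprolemember N'db_ddladmin', N'ablecommerce_app';
-- EXEC sp_droprolemember N'db_ddladmin', N'CORP\WEB01$';

-- Check: the application principals must not be server administrators.
-- This query should not list ablecommerce_app or CORP\WEB01$.
SELECT name, type_desc
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
GO
```

With Option B the connection string the installer asks for carries no credentials at all; in standard SqlClient syntax (stated here as an example, not taken from the page) it is of the form `Data Source=<database server>;Initial Catalog=AbleCommerce;Integrated Security=SSPI;`. If the application also calls stored procedures, the database user will additionally need EXECUTE on them; that requirement is not described on this page and should be confirmed against the AbleCommerce documentation.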
When you submit the page, AbleCommerce verifies that a connection can be established to your database. If it cannot, you remain at the installation screen with an error message identifying the problem, so invalid credentials are caught before installation proceeds.
When you proceed to the second page of the web based installation, you are asked to provide the admin email (username) and initial password:
For the “Admin Email” field, pick an email address that will be created as the super user for the application. This user will have complete access to the application, including encryption keys and audit logs.
At this stage no password policy is enforced by the application. It is your responsibility to choose a strong initial password for the super user. At a minimum it should be at least 7 characters long and contain a mix of upper-case letters, lower-case letters and digits.
Once you submit the second step of web based installation, application deployment is complete and you can move on to post-deployment configuration.