Topic: Company News

PCI Compliance – Common Issues and Troubleshooting

Regulated by the Payment Card Industry, PCI Compliance is a set of standards designed to help protect merchants against credit card fraud. The overall goal of PCI compliance is to limit fraud at all levels of the credit card transaction world. That said, achieving PCI compliance for your website can be tricky.

Any business that accepts credit or debit card payments is required by their merchant processor to pass a series of PCI compliance tests. Until the merchant has met compliance, they may face monthly financial penalties assessed by the merchant processor; the PCI compliance seal on the merchant’s website will appear broken or indicate they are not in compliance; and in some cases, they may have their merchant account revoked by the processor until compliance can be verified.

For a primer on PCI compliance, please see this page of our website:
http://www.canvashost.com/e-commerce/pci-dss-compliance.php

We’ve written the following article to address some of the ongoing steps to troubleshoot PCI compliance. Specifically, we want to explain some issues we frequently encounter in helping you reach compliance, and how we work to resolve them.

This article assumes the following:

  • You are the owner or manager of a website that needs to pass PCI compliance
  • You have access to the website hosting environment
  • You are authorized to access your company’s merchant account
  • You are authorized to access your merchant processor’s Approved Scanning Vendor (ASV) interface, where all of the PCI tests and results are compiled

In this article, we’ll go over the general workflow of achieving PCI compliance, including the Self-Assessment Questionnaire (SAQ) and setting up for your first PCI scan through an Approved Scanning Vendor (ASV). We’ll touch on possible issues, like challenging false positives assessed by your ASV, and Risk Mitigation and Migration Plans. And we’ll address the specific steps Canvas Host takes to ultimately guide you to reaching PCI compliance.

1. Workflow

At the time you signed up for your merchant account, you should have received instructions to access the online portal for the ASV that partnered with your merchant processor.

The first step is to log into that portal and take a look around. Most interfaces will provide an overview of your merchant account, and report on your account’s current PCI Compliance, which typically is presented in two categories. You will need to go through both sets of steps as part of the overall compliance process. They are:

1a. The Self Assessment Questionnaire (SAQ)

You are required to complete the SAQ each year and answer hundreds of questions pertaining to how you physically conduct business, process and store credit card information about your customers, and what steps you take to ensure the security of your entire business.

If this is the first time you have logged into your account, the SAQ will be displayed as “incomplete” or “not passing compliance”. Clicking on the “start” or “begin report” button should start the online form. You should prepare for upwards of one hour, perhaps two hours, if this is your first time. On subsequent reports, you will find it faster to go over and refine previous reports, noting aspects of your operations that have changed, as well as being able to skip over details that have not changed.

Once you have gone through the SAQ, there may be follow-up questions provided by the interface that ask you to clarify or rectify incomplete or unacceptable answers. Once you have met all of the requirements of the SAQ, the interface will indicate that you have passed the SAQ. It is important to be as accurate as possible on all answers, to both ensure your company is operating safely, as well as to mitigate any liability that might arise from having provided untruthful information.

1b. PCI Compliance Scan

This is the hardest part. Every quarter (three months), you are required to permit the ASV to scan your website and hosting service, analyze them both for vulnerabilities, and generate a report that will come back as either “pass” or “fail”. After each scan, the results will be tallied into a printable/downloadable report, typically in PDF format, for review by you and, potentially, your website host as well.

If this is your first time logging in, you will need to set up the ASV interface to scan your website, noting the domain name, and possibly the IP address associated with your hosting account. Once set up, the scan will be scheduled to start, and you will be notified of the scan’s findings.

If this is not your first time logging in, or you have recently changed website hosting providers and the old reports are still noted in the ASV interface, please be sure to check the configuration of the ASV, to ensure they will be scanning the correct IP address and/or website host! In the past, we have had customers notify us of failed scans; upon reviewing the reports, we determined the failure was due to the ASV scanning the old hosting provider and not Canvas Host.

2. Reviewing the PCI scan

Scans of your website and hosting environment can take several hours to complete. The scans target two components of your online business:

2a. Your website and application code

During the scan, the ASV may test random URLs of your website, specifically looking for website forms, such as account logins, or fields requesting credit card information or other personal information (noted by the field name in the actual HTML code).

The scan will also attempt to determine the application you are running, such as WordPress/WooCommerce, Magento, or ZenCart (some of the many popular cart applications); its version (which is important, as code releases and minor revision patches are regularly issued to correct code vulnerabilities); and whether your application contains known bugs, such as cross-site scripting vulnerabilities, JavaScript- or CSS-based bugs, or other technologies that may present a risk of the website being hacked.

2b. Your website’s hosting environment

The ASV will also attempt to scan details of your website hosting provider — in this case, Canvas Host and the server we use to host your website — to determine if the server itself meets certain security criteria, or if it contains known vulnerabilities or similar “problems” that need to be fixed, in order to pass compliance.

Examples of things tested for include:

  • The version of operating system and related technologies, such as CentOS and WHM
  • Encryption and security technologies, such as SSH, SSL, and SFTP versions
  • Server-level login interfaces and if they force https:// or permit http://
  • Insecure technologies that should not be permitted, such as FTP
  • Open ports that may be subject to attack

This portion of the scan is sometimes the trickiest, and it can also be the most frustrating part for you, as it pertains to things completely outside of your control.

For Canvas Host, it can provide the greatest set of challenges, as every ASV operates a different set of criteria by which a server will be judged to be PCI compliant or not. The greatest quandary is in regards to suspected vulnerabilities or errors that actually do not exist, but which have turned up as a result of the ASV not being able to fully scan our servers, and whether the ASV will accept the answers and evidence we provide back to them in the course of trying to meet their criteria. This brings us to the next section.

3. Troubleshooting and resolving PCI scan failures

Whenever a PCI scan comes back with a “fail”, we ask you to open a ticket and provide us with a copy of the report to our Support system, at https://support.canvashost.com.

Our team will review the scan report and provide assistance in understanding the points of failure. For any points of failure due to code or website issues, our team will inform you that those are things you will need to fix. For any issues pertaining to the server in question, we will review the issue to determine if it is a new requirement that we need to act upon, or if it is something we’ve already fixed but which could not be determined because of limitations by the ASV.

3a. False positives

The most common findings we see in failure reports are “false positives”: items that are in fact not a threat, but which are flagged because the ASV is not able to dig deep enough into the server to figure that out for itself. This is actually a good thing, because quite frankly, no outside service should ever have the right to scan or potentially hack into one of our servers. But we recognize the irony of the ASV’s intrusive nature in the grand scheme of PCI compliance, and so it is a game we woefully play.

Whenever an issue is deemed a false positive, Canvas Host will submit the necessary documentation about the purported issue to the ASV through the provided interface. This applies whether it concerns a back-patched version of SSH that the ASV feels is outdated but which in fact is running the very latest version and therefore is secure, or an outlandish request for the server’s primary IP address or even the website’s static IP, which should not be referenced with the domain’s SSL, all of which generate an SSL mismatch. In any case, when it comes to a false positive, we want you to know we will do whatever we can to help bring to light that it is in fact not an issue, and that the ASV should grant an exception for it.
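One way to gather that documentation for a back-patched package, as an added example that is not Canvas Host's own tooling: on RPM-based systems such as CentOS, back-ported security fixes are recorded in the package changelog (`rpm -q --changelog`), so the CVE ids a scan report attributes to an "outdated" version can be checked against it. It assumes the report lists CVE ids; the function names, the sample changelog and its CVE ids are constructed for illustration.

```python
import re
import subprocess
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample in the layout `rpm -q --changelog openssh` prints
# (newest entry first). Release numbers and CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2019 Example Packager <pkg@example.test> - 7.4p1-21
- Fix for CVE-0000-0002 (constructed id)

* Mon Nov 12 2018 Example Packager <pkg@example.test> - 7.4p1-18
- Backport upstream patch for CVE-0000-0001 (constructed id)
- Rebuild

* Fri Jun 01 2018 Example Packager <pkg@example.test> - 7.4p1-16
- Initial build of 7.4p1
"""


@dataclass
class Entry:
    date: str      # e.g. "Mon Nov 12 2018"
    release: str   # version-release the packager recorded for this change
    cves: set = field(default_factory=set)


def parse_changelog(text):
    """Split changelog text into entries and collect the CVE ids each one names."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            # Header: "* <weekday> <month> <day> <year> <packager> - <release>"
            tokens = line[2:].split()
            date = " ".join(tokens[:4])
            rest = " ".join(tokens[4:])
            release = rest.rsplit(" - ", 1)[1] if " - " in rest else ""
            entries.append(Entry(date, release))
        elif entries:
            entries[-1].cves.update(m.upper() for m in CVE_RE.findall(line))
    return entries


def backport_evidence(changelog_text, flagged):
    """Map each flagged CVE id to the entry where its fix first landed, or None."""
    entries = parse_changelog(changelog_text)
    result = {}
    for cve in flagged:
        hits = [e for e in entries if cve.upper() in e.cves]
        # Output is newest first, so the last hit is the earliest fixed release.
        result[cve.upper()] = hits[-1] if hits else None
    return result


def installed_changelog(package):
    """Changelog of the installed package; requires an RPM-based host."""
    done = subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True)
    return done.stdout


def dispute_lines(package, changelog_text, flagged):
    """One line per flagged CVE, ready to paste into the ASV dispute form."""
    lines = []
    for cve, entry in sorted(backport_evidence(changelog_text, flagged).items()):
        if entry:
            lines.append(f"{cve}: fixed in {package} {entry.release} ({entry.date})")
        else:
            lines.append(f"{cve}: NOT in {package} changelog, treat as open")
    return lines


if __name__ == "__main__":
    # On a real host: text = installed_changelog("openssh")
    for line in dispute_lines("openssh", SAMPLE_CHANGELOG,
                              ["CVE-0000-0001", "CVE-0000-0003"]):
        print(line)
```

A CVE that comes back as open is a real finding rather than a false positive, and the dispute should include the exact installed package version from `rpm -q` alongside these lines.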

3b. Outdated TLS, and Risk Mitigation and Migration Plans

This part, honestly, makes us chuckle. While TLS 1.0, which is accepted as an older, yet secure and compliant technology, was due for an upgrade, the Payment Card Industry jumped the gun about two years ago, and began informing ASVs of a mandatory upgrade to TLS 1.2 for all website hosting providers. The problem is that at the time, most operating systems and their web browsers only worked with TLS 1.0.

This created a very problematic scenario. On the one hand, ASVs began failing all PCI merchants and blaming the web hosts for not supporting TLS 1.2. On the other, those hosts that did upgrade to TLS 1.2 immediately found that certain Apple OS versions didn’t support it, nor did outdated versions of Microsoft Internet Explorer. So while the hosting environment was now PCI compliant, few visitors to the merchant’s website could access the website!

If you had to choose failing PCI compliance, or hosting a broken website, which would you pick? And so, several of our customers made the decision to cancel their merchant account, firing the ASV as well, and switch to PayPal for checkout purposes, which is handled over at PayPal.com and not the merchant’s website. In essence, the process negated not only the need for PCI compliance, but also the customer’s need for PCI hosting with us. It was a dark day for all.

At Canvas Host, we were faced with an inordinate task: informing our merchant customers, while also fighting an impossible battle upstream with various ASVs, many of whom disputed our findings, or who simply didn’t care. As soon as enough egg had landed on the Payment Card Industry’s face, a magic solution appeared: The Risk Mitigation and Migration Plan!

What is it? A templated form letter that web hosts fill out, addressing concerns about TLS 1.0: how its use is being mitigated, how the host is monitoring for new vulnerabilities, how the host is ensuring that new threats are not being permitted into the environment, and when the host will migrate away from TLS 1.0. All of this can be summarized with the following statement: Through server and firewall technologies, and an actively researched hosting environment supported by a team that knows what it is doing and gives a damn. We don’t phrase it exactly that way, but hopefully you get the point.

There is indeed a deadline for when Risk Mitigation and Migration Plans will no longer be supported: June 30, 2018. Though it is recommended that hosts not wait this long, some large software companies have stated it will still be some time before their OS actively supports TLS 1.1 and 1.2, and lest we cut off our customers’ customers (who use those platforms) from accessing our network, we are going to wait a while before pushing through this upgrade.

Here is what a sample Risk Mitigation and Migration Plan looks like. When responding to certain ASV failures, the following document should suffice for the June 30, 2018 exception.

Risk Mitigation and Migration Plan
Prepared by Canvas Host

1. Where are SSL/TLS 1.0 currently used in your environment? (Description(s) of where and how you are currently using SSL and/or early versions of TLS.)

All SSL connections currently use TLS 1.0 but also support TLS 1.1 and TLS 1.2. At present, certain operating systems, website browsers, and/or email applications are limited to supporting TLS 1.0. Until such a time as greater adoption of more recent TLS versions occurs, we will continue supporting TLS 1.0. We understand the deadline for this has been extended by the PCI industry to June 30, 2018.

2. How are you mitigating risks with SSL/TLS 1.0? (Description(s) of the level of risk with SSL/TLS 1.0 in your environment and the additional security controls you have put in place to mitigate these risks.)

We monitor traffic and server activity constantly. Any type of suspicious traffic or activity is handled immediately.

3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0? (Description(s) of the processes you are employing to monitor for new vulnerabilities associated with SSL/TLS 1.0.)

We monitor and update software daily. We check back patches implemented inside of our software and validate that they are not vulnerable.

4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? (Meaning, how can you verify that new or upgraded systems connected to your cardholder data environment don’t contain SSL/TLS 1.0?) (Description(s) of changes you are making in your processes to make sure that SSL/TLS 1.0 are not introduced into new environments.)

Cardholder data and all customer data are the responsibility of each customer we host. At present, our environment does support SSL/TLS 1.0, 1.1, and 1.2. Some browsers and devices, as previously noted, do not currently support TLS versions 1.1 and 1.2.

To the best of our abilities, the environment supports the latest/most secure SSL/TLS versions.

5. When will your migration plan from SSL/TLS 1.0 be completed? (Completion must be no later than June 30, 2018.)

For best practice, we plan to migrate fully away from SSL/TLS 1.0 before the PCI deadline of June 30, 2018, just as soon as we are confident that adequate support for TLS 1.1 and 1.2 has been rolled out to our customers’ platforms, devices, and applications.

3d. Worst case scenario? Fire the ASV

Unfortunately, Canvas Host has given this recommendation to several customers over the past year, whose ASVs refused to listen to us, and refused to accept the very Risk Mitigation and Migration Plan set forth by the Payment Card Industry! In these situations, there literally was and is nothing that you, the customer, or we, the web host, can do. In certain situations, terminating your working relationship with the ASV is in fact called for.

Some merchant processors support more than one ASV. Some do not. Unfortunately, if it is a situation where you are forced to use a specific ASV “or else”, then it may come to a point where we recommend you go the “or else” route. At the end of the day, we have nothing to gain by wasting your time by trying to do the ballet with an ASV that keeps stepping on everyone’s toes. In these situations, the ASV is not acting in your best interest, nor the spirit of why they even exist.

If it comes down to this worst case scenario, please know that Canvas Host is willing to try anything to help you pass compliance, and it is for that reason that we are recommending you work with a new merchant processor. We have an established relationship with IonPOS, an excellent Authorize.net reseller that offers extremely competitive rates, and which dovetails with Trustwave, a respected ASV that provides a friendly interface, and whose support staff approach PCI standards in a fair, manageable way.

4. Reaching PCI Compliance

After everything has been checked out, we will make the determination for you to ask the ASV to re-scan your website. If all goes as it should, the report will turn up a pass, in bold, green letters! Additionally, you will be able to place a nice seal on your website that attests to the domain passing compliance, with a datestamp and other verifiable information that is intended to build trust with your customers.

Remember, the SAQ has to be done each year, and you will receive a reminder when it is up for renewal. Also, your ASV will re-scan your website in another three months, and while we can all hope they will give you a pass for the items cleared as false positives or given exceptions through the Risk Mitigation and Migration Plan, we have seen just as many situations in which the ASV suffers abrupt memory loss and requires everyone to go through the process all over again.

If you detect a bit of sarcasm here, it’s because we know how important it is for you to remain compliant, and yet have been through countless hoops for various ASVs, some of whom in our honest opinion simply should not be in business to begin with. Ultimately, we are here to serve you and ensure you reach compliance.

5. In summary….

In the history of our company’s operations, rarely has Canvas Host’s environment passed a PCI scan on the first try, unless it’s the same ASV that recently scanned another customer’s website. In fact, having just met compliance with one ASV, we have grown accustomed to another ASV immediately taking issue with our environment as well. To some degree, ASVs are in the business to find errors — which is fine — but some do it to such a degree, as to undermine the purpose of PCI compliance and instead create a space that devolves into finger pointing.

The challenges of PCI compliance that face you as a merchant, and Canvas Host as your hosting provider, can be overcome through a spirit of cooperation between all parties. If ever you feel overwhelmed by the process, please don’t be alarmed. We’ve been there before, and we understand the steps we must take to help you get there.

While Canvas Host cannot guarantee an “easy” path to PCI compliance, what we can guarantee is our willingness to help you as best we can.


Introducing the High Desert Core – Secure cloud and hosting services

FOR IMMEDIATE RELEASE

September 29, 2016

Bend, Oregon — Living in the Pacific Northwest, we’ve known about the Cascadia subduction zone for some time. It’s a set of tectonic plates located off the coast, which stretch from Vancouver Island to northern California.

Recent headlines have warned of the possibility our region will experience a major earthquake in future years. While we are confident in the security of our Portland data center, we nevertheless take these warnings seriously and have put a plan into action.

To address these concerns, we’ve been working on a new data center build-out in the beautiful city of Bend, Oregon.

Located about 200 miles from Portland on the East side of the Cascade Range, and sitting atop 4,000 feet of solid basalt, the High Desert Core is safe from a Cascadia subduction zone earthquake.

From this location, we’ll soon be offering a new line of services, including secure data backup, cloud hosting, and virtualized solutions for your high availability and scaled hosting needs.

And, there is the environmental angle on our new location. Cooling requires much less energy and electricity in the high desert. The facility also uses a closed water cooling system and is aligned with our sustainability goals.

Located at the Cascade Divide data center, the High Desert Core benefits from critical infrastructure:

  • 26,000 square feet
  • Up to 22kW per rack
  • N+1 Power, Backup, and Cooling
  • Dry pipe pre-action fire suppression with VESDA
  • CCTV surveillance, biometric and access card
  • Carrier Neutral
  • 24x7x365 Remote Hands

As a certified B Corporation and Oregon benefit company, we are committed to delivering the highest quality of services that are reliable, secure, and scalable.

The high desert environment is a living example of permanence and durability. We drew on its elements in creating the branding for the new business: Featuring a background silhouette of Smith Rock, the foreground circuitry represents an ancient juniper tree. Found throughout the Oregon high desert, some junipers are 1,600 years old!

The High Desert Core is a culmination of our drive to innovate in an ethical and environmentally sustainable manner. We’re excited to have set up new operations in Bend, and will keep you informed as we continue developing our new services.

Please contact us at 800.574.4299 x1, or by email at sales@canvashost.com if you’d like to learn more about High Desert Core, or to schedule a tour of the Cascade Divide data center.

***


Join Canvas Host at the 2016 Beaverton Relay For Life

Are you ready to have fun and fight cancer at the same time? Join Canvas Host at this weekend’s Relay For Life of Beaverton, an event organized through the American Cancer Society.

Cancer never sleeps, so neither will we. For 18 hours, 20 teams and hundreds of volunteers will walk, jog, and run around a track as we raise awareness about cancer, and raise money for cancer research, and patient, survivor, and caregiver services.

When/Where:

July 22, 6:00pm to July 23, 12:00pm
Holy Trinity Catholic Church
13715 SW Walker Road
Beaverton, OR 97005

PLUS: We’re sponsoring bubble soccer. It’s safe, bouncy fun for all ages. Just $5 to play, and all proceeds go directly to our fundraising goal.

Please join us if you can! Together, we can help put a stop to cancer.



Our newest gTLD domains include .CLOUD, .PROMO, and .VOTE!

We’re thrilled to announce the latest gTLD domain options, now available for you to register!

.CLOUD – $24.95/year

The world of data storage and sharing was completely changed by the implementation of clouds. Now clouds are prevalent and ever-growing, meaning that .CLOUD is an important TLD because it is creating the namespace needed to house an expansive market. .CLOUD is perfect for storage hosting systems that specialize in music, photo, data, document, or web page sharing; for cloud reviewers and bloggers; or anyone who uses clouds on a daily basis either in business or privately.

.COURSES – $44.95/year

.COURSES is the online home for learning providers. Whether you’re a training provider, educational institution or supplier of educational materials, .COURSES is the quick, easy and memorable way to market your services online. .COURSES is the namespace for all those who enable others to learn.

.DATE – $34.95/year

Before the Internet, finding the perfect person meant looking in a local community of single people. Now people look all over the world, crossing cultural, political, and religious borders to find people they want to get to know. In order to facilitate online dating expansion in a safe and secure online network, .DATE provides a relevant and marketable TLD for all individuals, businesses, and organizations within the online dating community.

.DOWNLOAD – $34.95/year

Downloading has become a big part of how users obtain information, data, services, and software, but downloading comes with inherent risks, such as viruses, malware, and phishing. In an effort to reduce risks, .DOWNLOAD offers a relevant and easily identifiable namespace for the purpose of signifying safety to a user. .DOWNLOAD may be registered by any person, group, or organization, making this TLD an obtainable and flexible option for any type of download purpose.

.FAMILY – $24.95/year

Families provide support, love, safety, and social ties, and families aren’t just the people we grow with, but groups of friends, coworkers, and even others who share our passions. For every type of family, .FAMILY offers a creative, relevant, and flexible TLD option that may be registered by any individual, group, or business, for any reason. Use .FAMILY to create an online network to support the families you belong to, whether a corporate family, a charity family, or a family of loved ones and friends.

.EARTH – $24.95/year

Calling Earth “home” is one commonality every Internet user shares, and .EARTH can be used as a domain extension for any purpose meant to draw attention to the conservation, protection, or study of the planet. .EARTH is meant for advocates, designers, ecologists, biologists, architects, urban planners, bloggers, up-cycle specialists, DIY advocates, or any person or business interested in providing the means for other Internet users to live a greener, more sustainable lifestyle.

.GROUP – $24.95/year

There are many different types of groups, across all economic, public, and private sectors, and the .GROUP domain extension offers a unique moniker for all of them. Whether a volunteer, counseling, sports, business, charity, support, therapy, sewing, book, or cooking group, .GROUP can be used to personalize a domain name, gain visibility, and ease promotion with a built-in keyword. Use .GROUP to design a more memorable domain name.

.LOAN – $34.95/year

Loans help individuals all over the world go to college, buy cars and homes, persevere through tough economic times, or even invest in new products or businesses. In order to create a go-to hub for loans online, .LOAN creates a viable, relevant, and targeted namespace for loan services, organizations that help consumers consolidate loans or choose loaning options responsibly, and review forums for consumers to discuss the best loan groups and practices, making this TLD as dynamic as loans themselves.

.LOVE – $34.95/year

.LOVE is in the air, and it’s also a TLD meant to help Internet users share their feelings online. .LOVE can be used for any purpose, whether as an addition to a current website to feature favorite products and services, or as a blog site, for writing about favorite hobbies or events. It can even be used as an e-commerce extension for businesses that focus on love-related products and services such as dating sites, floral arrangements, gift baskets, greeting and e-cards, and more.

.OOO – $34.95/year

The .OOO domain is a gTLD that can be used for all purposes. .OOO is a unique domain that is easier to type, offers a range of domain name options and is suitable for everyone ranging from individuals to businesses. .OOO is easy to remember, search engine friendly and hence, we believe that it is a natural choice for anyone who wants to own a domain name.

.PROMO – $24.95/year

Promotion is an important tool for any successful business, and creating a smart promotion plan starts with marketing the offer. With .PROMO, businesses have a relevant and targeted domain namespace to utilize in launching promotions. .PROMO can be used by businesses looking to establish new pages for promos by providing a TLD that signifies the content of the site, so when customers see yourbrand.PROMO, or yourcompany.PROMO, they know to click through for special offers.

.STORE – $74.95/year

When none of the industry-specific TLDs seem to fit a business, .STORE is the perfect solution. Presented as a broadly-defined retail market TLD, .STORE can be used by any business that is looking to expand an online presence with a more identifiable domain extension. Aside from business owners, .STORE can also be used by storage companies, data storage software developers, and bloggers who review different shopping outlets or alert other shoppers to promotions and sales.

.STYLE – $34.95/year

Style isn’t just being fashionable – every business, person, and group has a personal style, and whether an Internet user is looking for interior styling tips, how to write in a specific style, how to style hair for a special occasion, or how to use a specific musical style when recording, .STYLE provides a relevant and recognizable signpost during the search. .STYLE allows any individual, group, or business that follows trends, gives style advice, or defines style, to connect with their target demographic easier.

.VIP – $34.95/year

All business owners know that making someone feel important is one of the main keys to customer retention and conversion rates. Adding a .VIP page to a current webpage, offering exclusive deals and information, can show current customers how much they are appreciated while enticing new customers to become VIPs. .VIP is also perfect for companies that specialize in VIP service, such as limousine companies, nightclubs, concert venues, restaurants, tour guides, and more.

.THEATER – $49.95/year

.THEATRE introduces a new online experience for the theatre industry, providing a secure and reliable namespace for the members, performers, and businesses associated with the ballet, opera, live theatre, musicals, and other performing arts. .THEATRE can be used by any troupe, company, theatre, arts region, or business that provides services for the theatre industry. .THEATRE can also be used by reviewers, publications, and bloggers who write about theatre and its developments.

.VIN – $59.95/year

Online wine sales increased 38 percent in 2010, marking one of the first years wine successfully made the transition to e-commerce. Now, the online wine industry is quickly expanding as more and more consumers find value in purchasing good wine at bulk cost. .VIN is the perfect TLD for the wine industry because it creates a recognizable and relevant namespace for better networking and marketing for distributors, vineyards, wine shops, and bloggers focusing on advice and reviews.

.VOTE – $89.95/year

Voting isn’t just a means to elect government officials or decide which laws go into effect. Businesses, entertainment outlets, magazines, and other groups use polls, votes, and surveys to hook into their customer base, establish trends and patterns, and gauge their market. .VOTE provides a recognizable TLD that enables voters and pollsters by providing a domain namespace specific to the purpose of voting. .VOTE can be registered by any entity for any purpose, making it both functional and accessible.

.WINE – $59.95/year

There are over 27,000 winemakers in France alone. In the States, Oregon is home to almost 600 wineries. But despite the success of the wine industry, wine is more than just a market—it’s a culture. As an extension of that culture, .WINE provides a TLD meant to act as a virtual hub for the wine world, and is perfect for winemakers, vineyards, tasters, enthusiasts, collectors, reviewers, bloggers, magazines, glass makers, and connoisseurs alike.


Canvas Host Opposes the Trans-Pacific Partnership (TPP)

Have you heard of the Trans-Pacific Partnership? If not, don’t feel bad — that’s a big part of the problem with it.

The Trans-Pacific Partnership (TPP) is a trade agreement between twelve Pacific Rim countries that has received very little public awareness, and for good reason: If the general public knew much about TPP, there’s simply no way it would have gotten as far as it has.

For several years, the United States government, along with other countries, has fleshed out a 30-chapter trade agreement spanning almost 6,000-pages that claims to “enhance innovation and productivity”, “reduce poverty”, “promote transparency”, and “enhance labor and environmental protections.” However, the details point to business that would look nothing like those claims.

The extent of the TPP’s impacts is bewildering and dangerous; they grant greater power to corporations at the expense of private citizens’ rights and freedoms.

Why are we taking a stand on it?

Though some Internet service providers and web hosts have actively supported the TPP, Canvas Host opposes it for a simple reason.

In an age when the world needs transparency in business and triple-bottom-line accountability (people, planet, and profit), profit-only business has no place.

The TPP puts at risk Internet users’ freedoms and privacy; it is anything but fair, equitable, and accountable trade; and it has no place in a world where, increasingly, triple-bottom-line (people, planet, profit) thinking is needed over profit-only business.

Specific to the online world, which we tend to care quite a lot about, the TPP outlines intellectual property and copyright laws that shift the balance of protections away from public interest and private users, and place them in the hands of copyright holders, compelling draconian punishments even in the face of legitimate, legal, fair-use claims.

Worse, the provisions press Internet service providers to work with corporations to determine if users’ activities are infringing on corporations’ copyrights, at the expense of user privacy. It’s not too far removed from the way China’s “Great Firewall” continuously polices its citizens against accessing information the government deems unfit for consumption.

Where is legislation at right now?

While the United States government has in various ways both opposed and approved of this legislation, the ultimate outcome has sadly been approved at all levels, including the President, House of Representatives, and Senate, under a “Fast Track” provision of the 1974 Trade Act. The TPP was signed on February 4, 2016 by all twelve member countries.

The only thing remaining is for Congress to vote on the final bill this summer, or later this year.

What can you do about it?

With a Congressional vote on the final bill surrounding the TPP coming soon, there’s still time to act. Community engagement is a powerful way to get messages through to your elected representatives. The Trans-Pacific Partnership hasn’t been fully enacted. We encourage you to get involved in stopping the TPP, by contacting your local Representatives and Senators:

Find Your Representative
http://www.house.gov/representatives/find/

Contact Your Senator
http://www.senate.gov/senators/contact/

Additionally, MoveOn.org has an active petition that is nearing its 50,000-signature goal:
http://petitions.moveon.org/sign/stop-the-trans-pacific

As an example of what you can post, here’s what I submitted today:

[Image: tpp-moveon]

Where can I go to learn more about TPP?

Citizen.org’s TPP Analysis and Summary
http://www.citizen.org/documents/analysis-tpp-text-november-2015.pdf

Wikipedia’s page about the TPP:
https://en.wikipedia.org/wiki/Trans-Pacific_Partnership#U.S._Trade_Representative.27s_summary

Flush the TPP!
http://www.flushthetpp.org/

Flush the TPP Facebook page
https://www.facebook.com/FlushTheTpp

Fair, equitable, and just business are things we and all B Corporations fight for. If you have additional information to share with us about developments surrounding the trade agreement, feel free to contact us, at sales [at] canvashost [dot] com.