
Thread: PCI compliance

  1. #1 PCI compliance

    Since your shared servers are not PCI compliant according to your TOS then will I be able to achieve compliance with a virtual server?

  2. #2 svetlana.p (Guest)

    Dear Customer,

    Unfortunately PCI compliance is possible to run on dedicated servers only.

  3. #3 redbear

    Originally posted by svetlana.p:
        Dear Customer,

        Unfortunately PCI compliance is possible to run on dedicated servers only.

    This is just wrong.

  4. #4 Wayne R.

    Originally posted by redbear:
        This is just wrong.

    Unfortunately, the changes that even a generic PCI scan from one of the 3rd party scanners out there will require would affect many other scripts on the server that you're on.
    PCI compliance is more than just the server that you're hosted on meeting a set of rules, and even then, PCI compliance is best achieved in a dedicated environment.
    Wayne Reavill
    WebHostingBuzz CIO

  5. #5 redbear

    Would that be the case with VPS too?

  6. #6 Wayne R.

    I'd have to discuss this with the technical team a bit further to say a firm yes or no.
    Are you looking to just pass a scan that says you're compliant from a hosting standpoint... as in the services that ControlScan, Comodo, etc. provide? As mentioned, there are many other aspects to actually being PCI compliant than just meeting the requirements of one of the available scans.

    Much of the PCI scan focuses on the software that you're using in your environment, as well as open ports. So PHP, Apache, FTP, and various specific scripts would be confined to your own VPS of course so that would not be an issue with meeting this "compliance". Anything kernel related would affect the entire VPS as you're not running your own kernel with our VPS solution.

    Probably more information than you were looking for since I gather you just wanted a yes or a no. I'll talk to the tech team, but my answer is that sure you can pass one of those scans that your specific IP/hosting environment is PCI compliant. But be aware that true compliance flows up to us and our upstream providers... as well as down to how you handle your orders, store client data, etc.
    Wayne Reavill
    WebHostingBuzz CIO

  7. #7 redbear

    It might not be as hard as you think Wayne, even on a shared host. I have my site sitting on Venus right now, and my PCI scan only reveals two issues. One is SSLv2 being used. There's no need for SSLv2, so it can be disabled in the virtual or server context. One of your tech support people told me to disable it in my .htaccess file. He should know better than that. Any SSLProtocol directive in that context will break the site.

    The other is that they've recently discovered something in PHP versions prior to 5.2.8, and apparently Venus has a version 5 prior to that, which causes a failure in the scan. This is another issue that is very easily fixed, and should be kept up to date all the time anyway. It is these two issues that are keeping my site from being PCI compliant. All the other issues have either been addressed or waived. These scans are being done by my merchant account provider via Elavon/Trustwave.
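For the SSLv2 point in the post above, an added configuration example (not the host's own configuration) showing where the SSLProtocol directive belongs and why a .htaccess placement breaks the site; the hostname and file paths are placeholders, and dropping SSLv3 alongside SSLv2 goes beyond the post's own finding.

```apache
# Added illustration. SSLProtocol is valid only in server-config and
# virtual-host context. Placed in a .htaccess file, Apache rejects it and
# every request to that directory fails with a 500, with
# "SSLProtocol not allowed here" in the error log: the breakage described
# in the post.

# Weak: "all" with no exclusions accepts SSLv2 where OpenSSL supports it.
#SSLProtocol all

# Corrected, inside the site's own virtual host (placeholder names/paths):
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/shop.example.com.key
    # Disable SSLv2 (the scan finding); SSLv3 is excluded as well because
    # it is equally obsolete, which is a step beyond the post's finding.
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
# Verify syntax and context before reloading:  apachectl configtest
```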

  8. #8 Matt R.

    We're actually working with Comodo to offer PCI compliance scanning for all customers as well as a PCI compliant hosting base for our customers.
    Matt Russell
    WebHostingBuzz CEO

    Follow me on Twitter: http://www.twitter.com/mattdrussell

  9. #9 redbear

    Originally posted by Matt R.:
        We're actually working with Comodo to offer PCI compliance scanning for all customers as well as a PCI compliant hosting base for our customers.

    That would be a huge selling point. As I said, your shared hosting is almost there now, according to Elavon/Trustwave.

    Matt, I sent you a pm earlier. I needed to know more about the vps service and didn't want to clog up the forum. Can you please email me? flatpicks at gmail dot com.

    Thanks.

  10. #10 Wayne R.

    Originally posted by redbear:
        It might not be as hard as you think Wayne, even on a shared host. I have my site sitting on Venus right now, and my PCI scan only reveals two issues. One is SSLv2 being used. There's no need for SSLv2, so it can be disabled in the virtual or server context. One of your tech support people told me to disable it in my .htaccess file. He should know better than that. Any SSLProtocol directive in that context will break the site.

        The other is that they've recently discovered something in PHP versions prior to 5.2.8, and apparently Venus has a version 5 prior to that, which causes a failure in the scan. This is another issue that is very easily fixed, and should be kept up to date all the time anyway. It is these two issues that are keeping my site from being PCI compliant. All the other issues have either been addressed or waived. These scans are being done by my merchant account provider via Elavon/Trustwave.

    It's not "hard" by any means. I've worked closely with ControlScan specifically in the past and have dealt with many, many PCI scans.
    What is difficult, however, is:
    - Reviewing the changes that would be needed, and whether they affect other clients on the server. If so, determine if the specific upgrade (for example) would also affect other software. As you said, in most cases the PCI scan simply wants software up to date.
    - Justifying all of the false positives that will come up in the scan. For some reason many (and yes, I'm generalizing here) of the PCI scans only look for specific builds of software and do not take into account backporting such as with RedHat.

    Also, there is bound to be some software for which the PCI scan will recommend an update that may or may not be the best choice 'at that point in time' for the server as a whole. My personal view on that is that it annoys me. I know they put time and effort into their scans, but it often seems they are so hung up on running the latest and greatest... and as we know, sometimes that's not always the better solution.

    Anyways, hope I didn't get too far off topic, just adding a few more thoughts to this.
    Wayne Reavill
    WebHostingBuzz CIO
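The two points made in posts #7 and #10, that a scan compares the advertised version against a minimum (PHP 5.2.8, the threshold from the thread) and that distro builds with backported fixes show up as false positives that must be justified rather than "fixed" by upgrading, as an added Python illustration that is not code from the thread or the host; every banner and package string below is constructed sample data.

```python
"""Triage of version-based scan findings (added illustration).

A scanner sees only the advertised version (e.g. the Server header) and
compares it numerically with a minimum. The sysadmin then reconciles each
finding with the installed package: a vendor release suffix such as
'-27.el5' means fixes may be backported, so the finding goes to review
(CVE-by-CVE check against the vendor advisory) instead of a blind upgrade.
"""
import re

# Minimum version the thread's scan expected; only PHP is given in the thread.
MIN_VERSIONS = {"PHP": (5, 2, 8)}


def parse_version(text):
    """'5.2.6' -> ((5, 2, 6), None); '5.1.6-27.el5' -> ((5, 1, 6), '27.el5')."""
    upstream, _, release = text.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", upstream))
    return nums, (release or None)


def triage(product, banner_version, package_version=None):
    """Classify one finding as 'pass', 'fail', 'review' or 'no-rule'.

    banner_version : version as the scanner sees it
    package_version: version of the installed package (e.g. rpm -q output),
                     if the admin has it; None when unknown
    """
    minimum = MIN_VERSIONS.get(product)
    if minimum is None:
        return "no-rule"
    advertised, _ = parse_version(banner_version)
    if advertised >= minimum:          # numeric compare: 5.2.10 > 5.2.8
        return "pass"
    if package_version and parse_version(package_version)[1]:
        # Vendor release present: possible backport. Not a pass on its own;
        # the scanner's CVEs must be matched to the vendor errata and the
        # evidence submitted as a false-positive dispute.
        return "review"
    return "fail"


def scan_banner(server_header):
    """Extract product/version pairs such as 'PHP/5.1.6' from a Server header."""
    return dict(re.findall(r"(\w+)/([\d.]+)", server_header))


def triage_header(server_header, installed=None):
    """Run triage() over every product advertised in a Server header."""
    installed = installed or {}
    return {p: triage(p, v, installed.get(p))
            for p, v in scan_banner(server_header).items()}
```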
