Payment Card Industry (PCI) Data Security Standards

Discussion in 'H-Sphere Reseller Hosting' started by zonefx, Feb 21, 2006.

  1. zonefx

    zonefx Guppy

    Does anyone know where Jodo stand with regard to Payment Card Industry (PCI) Data Security Standards and how resellers are covered
  2. bakalek

    bakalek Perch

    i really want to hear about this one too.
    As it turns out its becoming a big issue in the ecommerce world.

    Does Jodohost comply with PCI requirements ?

    thanks !
  3. Stephen

    Stephen US Operations Staff Member

    we have answered surveys for clients doing PCI forms and such, most of the questions revolve around how you as the client store the data more than what the server is, as most of the security is on the operators methods not the server.
  4. WebGuy

    WebGuy Perch

    I just received a response back via a ticket that suggested that all the PCI requirements could not be met on a shared server, and VPS was recommended for my windows installation.

    This essentially means that no ecommerce applications which run on a JodoHost shared server can accept Visa or Mastercard transactions. I'm sure you're going to have to find a better solution to this problem. Either this or whoever responded to my support ticket did so too hastily.

    Any assistance to this would be appreciated, as I don't really want to move to another hosting provider.
  5. Stephen

    Stephen US Operations Staff Member


    We answer these quite regularly, as I said before most of the time it is based around what the user uses as a method.
  6. WebGuy

    WebGuy Perch

    Well according to the payment processor, the user passed the user specific security tests, but the web host failed. Is there not anything we can do about this?
  7. Stephen

    Stephen US Operations Staff Member

    in this case it depends on what they have checked, it may be as simple as frontpage extensions being enabled for the domain. We have passed a number of other scans for PCI.
    The user can control a number of the "server" side issues that crop up.

    Please give me a ticket ID to I can see and know what is happening.
  8. WebGuy

    WebGuy Perch

    Is there some way for support the assist us with this then rather than just saying it can't be done on a shared server?
  9. Stephen

    Stephen US Operations Staff Member

    There may or may not be, I'd be the one to help but need to have ticket ID to know the case. Each case varies in such situations.
  10. WebGuy

    WebGuy Perch

    Thanks Stephen, I really appreciate your help. JodoHost has always been very helpful, and has always found a solution. I was quite surprised that the response was that the "requirement couldn't be fulfilled".

    The ticket number is DWY-64835-866. There is a PDF attachment on that ticket which is the failed results of that security scan.

    Thanks again.
  11. Stephen

    Stephen US Operations Staff Member

    ok, I have gone through it, only one that is an issue is not an issue at all, as it is a custom version of rsync.

    We really need that port to be open, but I will see what we can do here.
  12. Rokatesh

    Rokatesh Perch

    I've just started getting the PCI thing going as well. I've got a ticket open: RS #COX-60232-555 and was told not to worry about the OpenSSL version being too old and vulnerable to attack.

    This is the problem keeping my site from being compliant (well, this and the Frontpage problem that is):

    The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b

    As to the Frontpage issue, I disabled it and still got the error. So, I went into the Plan Configuration and deselected the "included" and "activated" boxes - hopefully that works.

    Nope, I've disabled Frontpage and gone into the plan configuration and deselected the "included" and "activated" boxes and STILL - the PCI scan says there's a problem with the website

    I've used SecurityMetrics - Simplify PCI DSS Merchant Compliance and Qualys, Inc. - On Demand Vulnerability Management and Policy Compliance companies to check the PCI status - and both companies say the website does not meet the necessary standards.
  13. Rokatesh

    Rokatesh Perch

    Hmmm - don't know what specifically changed? But I went and rescanned the website and poof - it passed.
  14. Sailor

    Sailor Perch

    I've got an open ticket on this one also, RS #RTW-37554-344
    Just been told by support that they cannot comply. The issue is Win servers accepting connections with SSL2. This is an absolute requirement - I've fixed all the other issues, but we're still failing on this one item.

    I've asked elsewhere, but are there newer Win servers that do not have SSL2 enabled that I could move to? I'm getting this PCI requirement more and more and at this stage it's a make or break. If I can't get this fixed I have to move some sites from my Jodo servers, and a couple of big clients I've got in development will have to go elsewhere also.

    Just wondering what is specific to SSL 2 that makes it a requirement to keep it on the Win servers?
  15. Stephen

    Stephen US Operations Staff Member


    I have been working almost 24 hours a day here recently, when they told me about this I said that it really cant be done right now. he problem in withdrawing a service is you end up with the other side of the spectrum, on clients that used to use them.
    I will check win21/22 and see what the status of SSL2 is on them later this evening.
  16. srweb

    srweb Guppy

    I have been reading this thread with a lot of interest since I am thinking of moving customers to Jodohost from another Hsphere host....

    The problem at the other host is that the Windows boxes allows SSL connections at less than 128 bit encryption.... This is a PCI fail for "ControlScan".

    Anyone know if Jodohost Windows boxes will pass this? Thanks!

  17. Stephen

    Stephen US Operations Staff Member

    Really it depends on the server we have changed some of them after such scans.

    Recently we have been scanned and hit with supposedly having apache bugs on IIS servers, I am really wondering what that scan company is up to, seems bogus to me :)
  18. srweb

    srweb Guppy

    Thanks Stephen,

    Yes, this whole PCI issue seems like a whole new money maker created by the Credit Card industry.... That being said....Should I move customers to Jodohost, which Windows servers are recommended for passing PCI?

    Thanks again,

  19. Stephen

    Stephen US Operations Staff Member

    Well if needed, we could disable it on any server, you can't pick which ones it goes to it would go to currently on for signup server.
  20. Sailor

    Sailor Perch

    I tried again several times this year, and even spoke with the scan people (SecurityMetrics) by phone. I agree with Stephen, this is a bit of a scam, in that it's required by the Visa/Mastercard people, but you have no choice on the scanning company. However, both Visa and SecurityMetrics are pretty inflexible about it - if you want to accept credit cards, you need to comply. I've had to move all client sites subject to these scans to another hosting company. I fixed all of the other security issues, but SecurityMetrics refuse to budge on the problem with accepting SSL 2 connections.

Share This Page

JodoHost - 26,000 hosting end-users in 100 countries
Plesk Web Hosting
VPS Hosting
H-Sphere Web Hosting
Other Services