Payment Card Industry (PCI) Data Security Standards
- Thread starter zonefx
- Start date
I just received a response back via a ticket that suggested that all the PCI requirements could not be met on a shared server, and VPS was recommended for my windows installation.
This essentially means that no ecommerce applications which run on a JodoHost shared server can accept Visa or Mastercard transactions. I'm sure you're going to have to find a better solution to this problem. Either this or whoever responded to my support ticket did so too hastily.
Any assistance to this would be appreciated, as I don't really want to move to another hosting provider.
This essentially means that no ecommerce applications which run on a JodoHost shared server can accept Visa or Mastercard transactions. I'm sure you're going to have to find a better solution to this problem. Either this or whoever responded to my support ticket did so too hastily.
Any assistance to this would be appreciated, as I don't really want to move to another hosting provider.
in this case it depends on what they have checked, it may be as simple as frontpage extensions being enabled for the domain. We have passed a number of other scans for PCI.
The user can control a number of the "server" side issues that crop up.
Please give me a ticket ID to I can see and know what is happening.
The user can control a number of the "server" side issues that crop up.
Please give me a ticket ID to I can see and know what is happening.
Thanks Stephen, I really appreciate your help. JodoHost has always been very helpful, and has always found a solution. I was quite surprised that the response was that the "requirement couldn't be fulfilled".
The ticket number is DWY-64835-866. There is a PDF attachment on that ticket which is the failed results of that security scan.
Thanks again.
The ticket number is DWY-64835-866. There is a PDF attachment on that ticket which is the failed results of that security scan.
Thanks again.
I've just started getting the PCI thing going as well. I've got a ticket open: RS #COX-60232-555 and was told not to worry about the OpenSSL version being too old and vulnerable to attack.
This is the problem keeping my site from being compliant (well, this and the Frontpage problem that is):
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b
As to the Frontpage issue, I disabled it and still got the error. So, I went into the Plan Configuration and deselected the "included" and "activated" boxes - hopefully that works.
Nope, I've disabled Frontpage and gone into the plan configuration and deselected the "included" and "activated" boxes and STILL - the PCI scan says there's a problem with the website
I've used SecurityMetrics - Simplify PCI DSS Merchant Compliance and Qualys, Inc. - On Demand Vulnerability Management and Policy Compliance companies to check the PCI status - and both companies say the website does not meet the necessary standards.
This is the problem keeping my site from being compliant (well, this and the Frontpage problem that is):
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b
As to the Frontpage issue, I disabled it and still got the error. So, I went into the Plan Configuration and deselected the "included" and "activated" boxes - hopefully that works.
Nope, I've disabled Frontpage and gone into the plan configuration and deselected the "included" and "activated" boxes and STILL - the PCI scan says there's a problem with the website
I've used SecurityMetrics - Simplify PCI DSS Merchant Compliance and Qualys, Inc. - On Demand Vulnerability Management and Policy Compliance companies to check the PCI status - and both companies say the website does not meet the necessary standards.
Stephen,
I've got an open ticket on this one also, RS #RTW-37554-344
Just been told by support that they cannot comply. The issue is Win servers accepting connections with SSL2. This is an absolute requirement - I've fixed all the other issues, but we're still failing on this one item.
I've asked elsewhere, but are there newer Win servers that do not have SSL2 enabled that I could move to? I'm getting this PCI requirement more and more and at this stage it's a make or break. If I can't get this fixed I have to move some sites from my Jodo servers, and a couple of big clients I've got in development will have to go elsewhere also.
Just wondering what is specific to SSL 2 that makes it a requirement to keep it on the Win servers?
I've got an open ticket on this one also, RS #RTW-37554-344
Just been told by support that they cannot comply. The issue is Win servers accepting connections with SSL2. This is an absolute requirement - I've fixed all the other issues, but we're still failing on this one item.
I've asked elsewhere, but are there newer Win servers that do not have SSL2 enabled that I could move to? I'm getting this PCI requirement more and more and at this stage it's a make or break. If I can't get this fixed I have to move some sites from my Jodo servers, and a couple of big clients I've got in development will have to go elsewhere also.
Just wondering what is specific to SSL 2 that makes it a requirement to keep it on the Win servers?
Sailor,
I have been working almost 24 hours a day here recently, when they told me about this I said that it really cant be done right now. he problem in withdrawing a service is you end up with the other side of the spectrum, on clients that used to use them.
I will check win21/22 and see what the status of SSL2 is on them later this evening.
I have been working almost 24 hours a day here recently, when they told me about this I said that it really cant be done right now. he problem in withdrawing a service is you end up with the other side of the spectrum, on clients that used to use them.
I will check win21/22 and see what the status of SSL2 is on them later this evening.
I have been reading this thread with a lot of interest since I am thinking of moving customers to Jodohost from another Hsphere host....
The problem at the other host is that the Windows boxes allows SSL connections at less than 128 bit encryption.... This is a PCI fail for "ControlScan".
Anyone know if Jodohost Windows boxes will pass this? Thanks!
SRWEB
The problem at the other host is that the Windows boxes allows SSL connections at less than 128 bit encryption.... This is a PCI fail for "ControlScan".
Anyone know if Jodohost Windows boxes will pass this? Thanks!
SRWEB
Really it depends on the server we have changed some of them after such scans.
Recently we have been scanned and hit with supposedly having apache bugs on IIS servers, I am really wondering what that scan company is up to, seems bogus to me
Thanks Stephen,
Yes, this whole PCI issue seems like a whole new money maker created by the Credit Card industry.... That being said....Should I move customers to Jodohost, which Windows servers are recommended for passing PCI?
Thanks again,
SRWEB
I tried again several times this year, and even spoke with the scan people (SecurityMetrics) by phone. I agree with Stephen, this is a bit of a scam, in that it's required by the Visa/Mastercard people, but you have no choice on the scanning company. However, both Visa and SecurityMetrics are pretty inflexible about it - if you want to accept credit cards, you need to comply. I've had to move all client sites subject to these scans to another hosting company. I fixed all of the other security issues, but SecurityMetrics refuse to budge on the problem with accepting SSL 2 connections.