Payment Card Industry (PCI) Data Security Standards

Sorry for bringing up this old thread. I have a customer or two that have failed their PCI compliance checks. I basically stated that it is not possible to get PCI compliant in shared hosting.

That being said, what options do we have with JH? Is Windows VPS or Linux semi-dedicated the only options? Or do we have to find another host capable of passing the tests?

A few of the items that failed were "anonymous FTP" and "responds to ICMP".

Thanks,
-Ben
 
VPS is really the only option, and even that is hard, having to disable a lot. No shared host is truly PCI compliant unless they have a customized cart written that processes the cards off the web server in another environment, which is what a couple do. (That also means you have to change cart apps, product listings, etc. and fall into their formats and whims, not what you/your client have made.)
 
Here is a response from the PCI scanning company:

"Most of the vulnerabilities on the scan results are common. With the anonymous FTP login we'll simply need a statement of liability along with evidence of no administrative access through the anonymous login. At that point we can manually lower this vulnerability. The issues with the SSL will need to be addressed. In order to be PCI compliant the server needs to not allow connections using SSL 2.0 or any SSL ciphers under 112 bit. This is generally an easy fix. Here are the Microsoft KB documents related to this vulnerability:
http://support.microsoft.com/kb/245030 http://support.microsoft.com/kb/187498
The final vulnerability is that of the RDP (Remote Desktop Protocol). The RDP should always be authenticating at the transport layer. In other words, the RDP should be set to always use TLS."


Would any of these items be able to be addressed?
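The two server-side items in the scanner's response above (no SSL 2.0, no ciphers under 112 bit, RDP forced to TLS) can be audited and corrected on a Windows host with a short script. The following is an added example, not code from this thread or from the hosting provider: the SCHANNEL registry layout is the one described in the KB245030 article the scanner linked, the RDP setting is read and written through the Win32_TSGeneralSetting WMI class, and the function names (Test-PciTransportSettings, Set-PciTransportSettings) are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit and remediate the SSL/RDP findings quoted above.
# Assumes Windows Server with Remote Desktop (Terminal Services) enabled.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# SCHANNEL\Ciphers subkeys below the 112-bit floor (names per KB245030)
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

function Get-SchannelEnabled {
    # Returns $true unless the subkey carries Enabled = 0. An absent key or
    # value is reported as enabled, which is the conservative reading for an audit.
    param([string]$SubKey)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    $key = $base.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return $true }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $value) { return $true }
    return ($value -ne 0)
}

function Get-RdpSetting {
    # RDP-Tcp listener settings; SecurityLayer 0 = RDP, 1 = Negotiate, 2 = TLS only
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Test-PciTransportSettings {
    # Returns one object per failed check; an empty result means all checks pass.
    $findings = @()
    if (Get-SchannelEnabled 'Protocols\SSL 2.0\Server') {
        $findings += [pscustomobject]@{ Check = 'SSL 2.0 (server)'; Detail = 'Protocols\SSL 2.0\Server\Enabled is not 0' }
    }
    foreach ($c in $weakCiphers) {
        if (Get-SchannelEnabled "Ciphers\$c") {
            $findings += [pscustomobject]@{ Check = "Cipher $c"; Detail = "Ciphers\$c\Enabled is not 0" }
        }
    }
    $rdp = Get-RdpSetting
    if ($null -eq $rdp) {
        $findings += [pscustomobject]@{ Check = 'RDP security layer'; Detail = 'RDP-Tcp listener not found' }
    } elseif ($rdp.SecurityLayer -ne 2) {
        $findings += [pscustomobject]@{ Check = 'RDP security layer'; Detail = "SecurityLayer is $($rdp.SecurityLayer), expected 2 (TLS)" }
    }
    return $findings
}

function Set-PciTransportSettings {
    # Remediation: Enabled = 0 for SSL 2.0 server and each weak cipher, RDP to TLS.
    # .NET registry calls are used because the cipher key names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    $subKeys = @('Protocols\SSL 2.0\Server') + ($weakCiphers | ForEach-Object { "Ciphers\$_" })
    foreach ($sub in $subKeys) {
        $key = $base.CreateSubKey("$schannel\$sub")
        $key.SetValue('Enabled', 0, 'DWord')
        $key.Close()
    }
    $rdp = Get-RdpSetting
    if ($null -ne $rdp) { [void]$rdp.SetSecurityLayer(2) }
    # SCHANNEL changes take effect after a reboot; the RDP change applies to new sessions.
}

$results = Test-PciTransportSettings
if ($results.Count -eq 0) { 'All checks passed' } else { $results | Format-Table -AutoSize }
```

Run Test-PciTransportSettings first and keep its output as the evidence the scanner asks for; call Set-PciTransportSettings only once you have confirmed no client still depends on SSL 2.0 or the legacy RDP security layer, then reboot and rescan. This addresses the scan findings only; it does nothing about the cardholder-data separation the rest of the thread discusses.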
 
No, we honestly aren't even going to try; it would be a total lie, and even if you pass the scan the servers are in no way PCI compliant.

It is a huge liability to have them pass PCI scanning when they are in no way, shape or form PCI compliant.

PCI compliance is a major task, and it cannot be completed in a shared server setup without a complete overhaul of the way cart systems work which keeps the CC data separate from the other. At this point you might as well use a Paypal cart or something as it is basically the same. (saying the off shared server limited access cart systems that would be fully pci compliant)

It is not that hard to pass the scans; it is hard to REALLY be compliant.

We have some ideas on offering this split system type layout in the future but they are not in active development at this time.
 
After a very long conversation with Security Metrics, one of the agents of the PCI compliance standards group, they are basically saying these small changes would allow them to pass the customer as PCI compliant.

Now I realize, and agree, that it still doesn't appear to be truly PCI compliant. However, the only ones on the hook are Security Metrics, the ones doing the scans.

These 4 items I mention above seem like very easy changes to make. And per the vendor, they would make this customer PCI compliant for their bank.

That being said, can we please consider making these changes?

Thanks,
-Ben
 