To put it bluntly (and to top-post at the same time!): You cannot run a website on a shared hosting environment and be PCI compliant. It's just not possible.
If you want to be compliant, then you will have to move to a dedicated server so you have complete control over the system and can adhere to the sections of the DSS that relate to configuration management, systems access auditing and the other relevant areas.
Trust me, if you've got customers that need to be PCI compliant, look at supplying dedicated servers as well as shared hosting if you don't already. If you can find a shared hosting provider that claims that their hosting platform is PCI compliant (and I mean the platform, NOT the company's internal systems) then please let me know as I'd love to talk to them about how they did it!
Kind regards,

Matt

Quoting Gordon Henderson <gordon+dcglug@xxxxxxxxxx>:
Any webby hostys here put their sites through this whole PCI testing thing? One of my clients just did without mentioning it to me, and is now jumping up and down because it unsurprisingly failed...

However, while I can push all the buttons to make the testing house happy (well, most of them - they're whinging about some "possible" SQL injections that the client's own code is responsible for), I feel that they're missing a few vital things - the site is on a shared server and although it has its own IP address (SSL site), there are dozens of other sites there too - so having an open FTP server scores 3 points - sure, I could block it for their own IP address, but it still leaves it open on the 'base' server and all other sites. Same for other trivial things like POP and so on.

One annoying thing it failed on was not having a virus checker - they sent EICARs to postmaster@it and expected it to fail - well, it won't as it doesn't have a virus checker, it's a Linux host (which they correctly identified!)

And interestingly, reading the documentation the client sent me, it seems that they (the testing house) wanted me to remove all firewalling and allow full access from the testing house's IP range before they started the test!

So it seems to me that this whole PCI testing thing is really a pile of junk, and people are paying good money for a 'scan' which really isn't showing anything significant at all... Or even if it passes, then the server itself is still not "secure" as it's hosting other sites, etc.

So where can I sign up to be a PCI testing house???

Gordon

-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
-- Matthew Macdonald-Wallace matthew@xxxxxxxxxxxxxxxxxxxxx http://www.truthisfreedom.org.uk/
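The exposure Gordon describes (a service bound to every address on the shared host answers on the client's dedicated SSL IP, and blocking it only for that IP leaves it open on the 'base' server and every other site) can be checked mechanically rather than argued about. The Python below is an added example, not code from either poster or the list: it parses constructed `ss -Hltn` output instead of running `ss`, uses made-up RFC 5737 addresses, and the list of "risky" ports and the per-destination firewall model are assumptions chosen to mirror the scan findings in the thread.

```python
"""Audit risky listeners on a shared host per destination IP.

Added example: parses constructed `ss -Hltn` output (no header, listening,
TCP, numeric) rather than running ss, so it works offline. Addresses are
RFC 5737 documentation addresses and the socket list is made up.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports an external PCI-style scan typically flags on a web host (assumed list).
RISKY_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 3306: "mysql"}

# Bind addresses that answer on every IP the host owns. A dual-stack "::"
# socket also accepts IPv4 unless IPV6_V6ONLY is set, so treat it as wildcard.
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample: 203.0.113.5 is the shared 'base' server address,
# 203.0.113.7 is the client's dedicated SSL IP on the same box.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:21       0.0.0.0:*
LISTEN 0 128 0.0.0.0:110      0.0.0.0:*
LISTEN 0 128 203.0.113.7:443  0.0.0.0:*
LISTEN 0 128 203.0.113.5:22   0.0.0.0:*
LISTEN 0 128 [::]:25          [::]:*
LISTEN 0 80  127.0.0.1:3306   0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Extract (bind address, port) from `ss -Hltn` lines.

    Column 4 is Local Address:Port, e.g. 0.0.0.0:21 or [::]:25.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def reachable(listeners, dst_ip, blocked=frozenset()):
    """Risky ports that answer when a client connects to dst_ip.

    `blocked` models per-destination firewall rules as (dst_ip, port) pairs
    that are dropped. A wildcard-bound socket is reachable on every IP unless
    that exact (dst_ip, port) is blocked, which is why blocking on the client's
    own IP does nothing for the base server or the other sites.
    """
    open_ports = {}
    for l in listeners:
        if l.port not in RISKY_PORTS or (dst_ip, l.port) in blocked:
            continue
        if l.addr in WILDCARDS or l.addr == dst_ip:
            open_ports[l.port] = RISKY_PORTS[l.port]
    return open_ports


def audit(listeners, site_ips, blocked=frozenset()):
    """Map every IP on the host to the risky services still reachable on it."""
    return {ip: reachable(listeners, ip, blocked) for ip in site_ips}


if __name__ == "__main__":
    ls = parse_ss(SAMPLE_SS)
    ips = ["203.0.113.5", "203.0.113.7"]
    print("before:", audit(ls, ips))
    # Block FTP and POP3 only on the client's dedicated IP, as Gordon suggests.
    rules = {("203.0.113.7", 21), ("203.0.113.7", 110)}
    print("after per-IP block:", audit(ls, ips, rules))
```

Run against real output (`ss -Hltn`) the report shows every wildcard-bound daemon as reachable on the client's IP; after adding the per-IP block, the same daemons are still reported on the base address, which is the shared-host problem Matt's reply says only a dedicated server removes. Binding each service to a specific address (or not running it at all) is what actually changes the result.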