
Re: [LUG] PCI Compliance anyone?


On Thu, 18 Mar 2010, Matthew Macdonald-Wallace wrote:

> To put it bluntly (and to top-post at the same time!):
>
> You cannot run a website on a shared hosting environment and be PCI compliant. It's just not possible.

Well, I was under that impression too, and have queried it with them, however...

> If you want to be compliant, then you will have to move to a dedicated server so you have complete control over the system and can adhere to the sections within the DSS that relate to configuration management, systems access auditing and the other relevant areas.

I don't actually care about being compliant, but my client appears to. (It's actually a client of a client, if you see what I mean - my client is the web design co, and it's one of their clients who has an online shop.) They're using HSBC as the back-end payment processor and it's HSBC that wants to see that the server is compliant - apparently the shop part of the site takes the credit card numbers in, passes them on to HSBC to get a yes/no and carries on... The shop isn't actually storing CC numbers (although I guess they're stored somewhere in transit).

> Trust me, if you've got customers that need to be PCI compliant, look at supplying dedicated servers as well as shared hosting if you don't already.

I'd love to, but knowing what the margins are here, it'll cripple the business. Bit of a lose-lose situation here...

> If you can find a shared hosting provider that claims that their hosting platform is PCI compliant (and I mean the platform, NOT the company's internal systems) then please let me know as I'd love to talk to them about how they did it!

Well, I can easily make this website pass their tests (3 lines of iptables and some apache tweaks) and unless they explicitly ask the question "is it on a shared server?" they'll never know.

I'll let you know the outcome :)

Gordon

> Kind regards,
>
> Matt
>
> Quoting Gordon Henderson <gordon+dcglug@xxxxxxxxxx>:
>
>> Any webby hostys here put their sites through this whole PCI testing thing?
>>
>> One of my clients just did without mentioning it to me, then are jumping
>> up and down because it unsurprisingly failed...
>>
>> However, while I can push all the buttons to make the testing house
>> happy (well, most of them - they're whinging about some "possible" SQL
>> injections that the client's own code is responsible for), I feel that
>> they're missing a few vital things - the site is on a shared server and
>> although it has its own IP address (SSL site), there are dozens of
>> other sites there too - so having an open FTP server scores 3 points -
>> sure, I could block it for their own IP address, but it still leaves it
>> open on the 'base' server and all other sites.
>>
>> Same for other trivial things like POP and so on.
>>
>> One annoying thing it failed on was not having a virus checker - they
>> sent EICARs to postmaster@it and expected it to fail - well, it won't,
>> as it doesn't have a virus checker, it's a Linux host (which they
>> correctly identified!)
>>
>> And interestingly, reading the documentation the client sent me, it
>> seems that they (the testing house) wanted me to remove all firewalling
>> and allow full access from the testing house's IP range before they
>> started the test!
>>
>> So it seems to me that this whole PCI testing thing is really a pile of
>> junk, and people are paying good money for a 'scan' which really isn't
>> showing anything significant at all... Or even if it passes, then the
>> server itself is still not "secure" as it's hosting other sites, etc.
>>
>> So where can I sign up to be a PCI testing house???
>>
>> Gordon
>>
>> --
>> The Mailing List for the Devon & Cornwall LUG
>> http://mailman.dclug.org.uk/listinfo/list
>> FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html

> --
> Matthew Macdonald-Wallace
> matthew@xxxxxxxxxxxxxxxxxxxxx
> http://www.truthisfreedom.org.uk/
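Gordon's point about the shared server (a rule that blocks FTP or POP on the shop's own address leaves them open on the host's base address, and putting the testing house's range in front of that rule makes the scan see what the filter would otherwise hide) can be made concrete with a small model. This is an added example, not code from the thread: the addresses, the scanner range and the service list are constructed, and the first-match rule list is a toy standing in for iptables, with the equivalent iptables commands shown in comments.

```python
"""Constructed model of a shared host: one NIC with a 'base' address and a
per-site address, services bound either to one address or to all addresses
(0.0.0.0), and a first-match packet filter. Every IP and service is made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BASE_IP = "203.0.113.10"   # hypothetical primary address shared by the other sites
SHOP_IP = "203.0.113.11"   # hypothetical address of the SSL shop, the one the scan targets

# (service, port, bind address): FTP and POP3 listen on every address,
# HTTPS only on the shop's address, SSH only on the base address.
LISTENERS = [("ftp", 21, "0.0.0.0"), ("pop3", 110, "0.0.0.0"),
             ("https", 443, SHOP_IP), ("ssh", 22, BASE_IP)]


@dataclass
class Rule:
    """One INPUT rule; None means 'any' for that field."""
    action: str                  # "ACCEPT" or "DROP"
    dport: Optional[int] = None  # TCP destination port
    dst: Optional[str] = None    # destination address
    src: Optional[str] = None    # source network in CIDR notation

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        if self.dport is not None and self.dport != port:
            return False
        if self.dst is not None and self.dst != dst_ip:
            return False
        if self.src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        return True


def filter_verdict(rules, src_ip, dst_ip, port, default="ACCEPT"):
    """First matching rule wins, like an iptables chain; default is the chain policy."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def is_listening(dst_ip, port):
    """A socket bound to 0.0.0.0 answers on every address the host owns."""
    return any(p == port and bind in ("0.0.0.0", dst_ip) for _, p, bind in LISTENERS)


def port_state(rules, src_ip, dst_ip, port):
    """What a scanner at src_ip sees for dst_ip:port: filtered, open or closed."""
    if filter_verdict(rules, src_ip, dst_ip, port) == "DROP":
        return "filtered"
    return "open" if is_listening(dst_ip, port) else "closed"


def scan(rules, src_ip, dst_ip, ports=(21, 22, 110, 443)):
    return {p: port_state(rules, src_ip, dst_ip, p) for p in ports}


# The "few lines of iptables" aimed only at the shop's address, equivalent to:
#   iptables -A INPUT -d 203.0.113.11 -p tcp --dport 21  -j DROP
#   iptables -A INPUT -d 203.0.113.11 -p tcp --dport 110 -j DROP
SHOP_ONLY_RULES = [Rule("DROP", dport=21, dst=SHOP_IP),
                   Rule("DROP", dport=110, dst=SHOP_IP)]

# What the testing house asked for: their (hypothetical) range accepted before
# anything else, equivalent to inserting at the top of the chain:
#   iptables -I INPUT -s 198.51.100.0/24 -j ACCEPT
SCANNER_RANGE = "198.51.100.0/24"
SCANNER_ALLOWED = [Rule("ACCEPT", src=SCANNER_RANGE)] + SHOP_ONLY_RULES

if __name__ == "__main__":
    scanner = "198.51.100.7"
    print("shop IP as the scanner sees it:      ", scan(SHOP_ONLY_RULES, scanner, SHOP_IP))
    print("base IP on the same host, same rules:", scan(SHOP_ONLY_RULES, scanner, BASE_IP))
    print("shop IP with the scanner allowlisted:", scan(SCANNER_ALLOWED, scanner, SHOP_IP))
```

Run as a script it prints three views of the same host: the shop's address with FTP and POP3 filtered (the scan passes), the base address on the same box with both still open (the thing the scan never looks at), and the shop's address again once the scanner range is accepted first (the filter no longer hides anything from the scan, which is presumably why the testing house asks for it).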
