
Re: [LUG] PCI Compliance anyone?


On Thu, 18 Mar 2010, Matthew Macdonald-Wallace wrote:

> To be frank, it's a complete PITA... :(

You're right.

Client has now sent me a 74 page document outlining it all, and it looks like I can't just pass-the-buck back to the client because as the "hosting provider", I need to certify that my systems are PCI compliant with all the relevant measures in-place, and put that in writing.

And yes, virtual servers may be allowed - either using virtualization, or containers, but apache virtual hosts probably wouldn't pass due to a requirement of having a separate UID for each instance. (pg. 60; A.1.1 and A.1.2.b) Even using virtualization or containers, each virtual host would need to have its own UID and GID in case the filesystems ever got mixed.

And it doesn't address that big old shared *sql database engine, although under a virtual hosting situation you'd be running multiple instances anyway.

And then I google and find someone offering PCI compliant hosting in the UK starting at £1.59 a month - so there's no way that's a dedicated server, so they must be using some sort of virtualization - or lying.

And what I can't understand is how a bank can "fine" a customer - what I guess they really mean is that you sign a contract that allows the bank to send you invoices at any time they like for any amount they like, or they shut you down. Wow. No wonder everyone hates the banks.

Ah well - back to the client & see what they say tomorrow!

Gordon
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
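The per-instance UID/GID point in Gordon's message (A.1.1 and A.1.2.b as he cites them) is something a hosting provider can actually audit rather than just assert in writing. The script below is an added example, not part of the list post or of any PCI document: it parses Apache `<VirtualHost>` blocks and checks that every vhost is assigned its own user and group via the mpm-itk `AssignUserID` directive, flagging vhosts with no assignment and user/group pairs shared by more than one vhost. The config text is constructed for the example; on a real host you would feed it the contents of the sites-enabled directory instead.

```python
"""Audit Apache vhost config for per-instance UID/GID separation.

Added example (not from the mailing-list post). Assumes vhosts are
isolated with mpm-itk's AssignUserID directive; SAMPLE_CONFIG is a
constructed configuration, not one taken from any real server.
"""
import re
from collections import defaultdict

# Constructed sample: shop-a and shop-c wrongly share a user, shop-d has none.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName shop-a.example
    DocumentRoot /srv/www/shop-a
    AssignUserID shopa shopa
</VirtualHost>

<VirtualHost *:80>
    ServerName shop-b.example
    DocumentRoot /srv/www/shop-b
    AssignUserID shopb shopb
</VirtualHost>

<VirtualHost *:80>
    ServerName shop-c.example
    DocumentRoot /srv/www/shop-c
    AssignUserID shopa shopa
</VirtualHost>

<VirtualHost *:80>
    ServerName shop-d.example
    DocumentRoot /srv/www/shop-d
</VirtualHost>
"""

# Match the body of each <VirtualHost ...> ... </VirtualHost> block.
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return one dict per vhost: ServerName, DocumentRoot, user, group."""
    vhosts = []
    for body in VHOST_RE.findall(text):
        entry = {"ServerName": None, "DocumentRoot": None,
                 "user": None, "group": None}
        for line in body.splitlines():
            parts = line.strip().split()
            if not parts or parts[0].startswith("#"):
                continue  # blank line or comment
            key = parts[0].lower()
            if key == "servername" and len(parts) > 1:
                entry["ServerName"] = parts[1]
            elif key == "documentroot" and len(parts) > 1:
                entry["DocumentRoot"] = parts[1]
            elif key == "assignuserid" and len(parts) > 2:
                entry["user"], entry["group"] = parts[1], parts[2]
        vhosts.append(entry)
    return vhosts


def audit_separation(vhosts):
    """Report vhosts lacking a per-instance user and user/group pairs
    that more than one vhost runs under (both break the one-UID-per-
    instance requirement)."""
    missing = [v["ServerName"] for v in vhosts if v["user"] is None]
    by_ident = defaultdict(list)
    for v in vhosts:
        if v["user"] is not None:
            by_ident[(v["user"], v["group"])].append(v["ServerName"])
    shared = {ident: names for ident, names in by_ident.items()
              if len(names) > 1}
    return {"missing_user": missing, "shared_user": shared}


def is_compliant(findings):
    """True only when every vhost has its own, unshared user/group."""
    return not findings["missing_user"] and not findings["shared_user"]


if __name__ == "__main__":
    result = audit_separation(parse_vhosts(SAMPLE_CONFIG))
    for name in result["missing_user"]:
        print(f"NO AssignUserID: {name}")
    for (user, group), names in result["shared_user"].items():
        print(f"SHARED {user}:{group}: {', '.join(names)}")
    print("compliant" if is_compliant(result) else "NOT compliant")
```

Run against the sample it reports shop-d.example as having no assigned user and shop-a/shop-c as sharing `shopa:shopa`, so the host would fail the check. A complete audit would also `stat` each DocumentRoot and confirm the owner matches the assigned user, which is the "filesystems ever got mixed" case from the post; that part is left out here because it needs a real filesystem.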