MDDHosting Forums

PCI compliance scans


skunkbad


As a web developer, I've got clients using an array of hosts. One of my clients is hosted at inmotion hosting. The client recently had his website/server scanned for PCI compliance, and he failed, primarily due to hosting environment issues that were beyond our control.

 

The main issues, which must be fixed before he can be deemed PCI compliant are:

 

1. Even though we don't use frontpage, apparently the version of mod_frontpage on the server is out of date, and has some sort of buffer overrun vulnerability.

 

2. The version of Apache on the server is 2.2.9, and in order to pass the PCI compliance scan, the version must be greater than or equal to 2.2.12.

 

I kind of feel that this PCI compliance is a scam. If, as a website owner, your site is not PCI compliant, your merchant account can charge you $20 a month (on top of the fees paid to involuntarily participate) for non-compliance. I can imagine that the fees collected could be in the many millions of dollars per month, and that the average person would not know what to do to correct their non-compliance, so they would just pay the monthly fee.

 

That said, I'm interested in whether MDD Hosting has had customers who have mentioned issues regarding PCI compliance, and if anything ever needed to be done (or would be done in the future if such a need arose). This would only be an issue with shared, reseller, or semi-dedicated accounts, where the OS is not under the customer's control. As a hosting company, does MDD Hosting have to cooperate in PCI compliance on a different level?

 

I realize the benefit of trying to ensure security is top notch, but I can't help but feel that people with ecommerce sites would just be ripped off by their merchant services.

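Both findings in the post above are version-banner findings: an external scanner reads the HTTP Server header, pulls out product/version tokens, and compares them against its minimums, which is why an unused module like mod_frontpage still counts. The following is an added example (not code from the thread or from either host) of that comparison, so you can see what the scanner is reacting to before the report arrives. The only minimum it takes from the thread is Apache 2.2.12; the Server headers it checks are constructed samples, and the product names, function names and the 2.2.12 cut-off are assumptions for illustration.

```python
"""Check an HTTP Server banner against minimum versions a PCI scan demands.

Added example, not from the forum thread. The only minimum taken from the
thread is Apache >= 2.2.12; every sample banner below is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Apache 2.2.12 is what the scan in the thread required; anything else you
# add here is your own policy (assumption: scanner rule sets differ).
MIN_VERSIONS: Dict[str, Version] = {"Apache": (2, 2, 12)}

# Matches "product/1.2.3" tokens anywhere in a Server header, e.g.
# "Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e mod_frontpage/5.0.2.2635"
_TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*?)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2.2.9' -> (2, 2, 9). Tuple comparison orders numerically, so
    2.2.12 > 2.2.9 (a plain string compare would get that wrong)."""
    return tuple(int(part) for part in text.split("."))


def parse_server_header(header: str) -> Dict[str, Version]:
    """Extract every product/version pair advertised in a Server banner."""
    return {m.group(1): parse_version(m.group(2)) for m in _TOKEN_RE.finditer(header)}


def check_banner(header: str,
                 minimums: Dict[str, Version] = MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (product, status, detail) for each product in `minimums`.

    status is 'pass', 'fail', or 'unknown' when the banner hides the version
    (e.g. "ServerTokens Prod" yields just "Apache"): the scanner cannot tell
    from the banner, and neither can this check, so verify on the host.
    """
    found = parse_server_header(header)
    results: List[Tuple[str, str, str]] = []
    for product, minimum in minimums.items():
        want = ".".join(map(str, minimum))
        if product not in found:
            results.append((product, "unknown", f"no version in banner, need >= {want}"))
            continue
        have = ".".join(map(str, found[product]))
        if found[product] >= minimum:
            results.append((product, "pass", f"{have} >= {want}"))
        else:
            results.append((product, "fail", f"{have} < {want}"))
    return results


if __name__ == "__main__":
    # Constructed banners: the thread's 2.2.9 box, a newer box, a hidden banner.
    samples = [
        "Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e mod_frontpage/5.0.2.2635 PHP/5.2.6",
        "Apache/2.2.15 (CentOS)",
        "Apache",
    ]
    for banner in samples:
        print(banner)
        for product, status, detail in check_banner(banner):
            print(f"  {product}: {status} ({detail})")
```

Two caveats a practitioner should keep in mind when reading such a result. First, a hidden banner (the "unknown" case) does not make the finding go away; the scanner will usually fall back to other fingerprinting, and the scan report is only as good as the evidence behind it either way. Second, a low banner version is not proof of a vulnerable build: distributions commonly backport fixes without bumping the advertised version, and scan vendors generally let you dispute a version-only finding with evidence of the applied patch. On a shared host you cannot produce that evidence yourself, which is the real reason such scans are hard to pass there.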

PCI Compliance is a huge headache and there are a lot of rules and guidelines that even vary from location to location. Some states require you to be PCI compliant where others only require it if you do so much in transactions every month.

 

We do quarterly random PCI compliance scans ourselves, but the results wouldn't apply to our customers. If you feel that you need to be PCI compliant, you are welcome to have a scan run on the server that your site is hosted on, but the chances of getting a good level of PCI compliance are not that great on any shared hosting server. If you really need PCI compliance, I would suggest going with a dedicated server behind a hardware firewall, having a scan, and then fixing any "issues" that they happen to identify.


PCI Compliance is a huge headache and there are a lot of rules and guidelines that even vary from location to location. Some states require you to be PCI compliant where others only require it if you do so much in transactions every month.

 

We do quarterly random PCI compliance scans ourselves, but the results wouldn't apply to our customers. If you feel that you need to be PCI compliant, you are welcome to have a scan run on the server that your site is hosted on, but the chances of getting a good level of PCI compliance are not that great on any shared hosting server. If you really need PCI compliance, I would suggest going with a dedicated server behind a hardware firewall, having a scan, and then fixing any "issues" that they happen to identify.

 

I would think that a VPS plan would suffice for controlling your ability to pass a PCI scan as well, no?


I would think that a VPS plan would suffice for controlling your ability to pass a PCI scan as well, no?

I'm not 100% sure how VPSs rate as far as PCI compliance goes, but I would think that as long as you can lock the system down well enough with a firewall, you are more likely to pass a compliance check than on a shared plan.
