  1. #1

    PCI DSS Compliance

    Hello,

    Just a quick post on PCI DSS Compliance, as it comes up quite often lately.

    Is eUKhost Ltd PCI DSS Compliant? Technically no, as we don't store card details on our own systems. They are stored externally with providers who are PCI DSS Compliant.

    What does this mean? Not a great deal, as there is a massive misunderstanding of what PCI DSS Compliance means. Firstly, you can't issue PCI DSS Compliance to a company. It has to be done on a per-server basis. In short, if a hosting company is PCI DSS compliant, that means nothing at all to your OWN compliance.

    On shared hosting we don't guarantee PCI Compliance. Your scans will likely fail. That doesn't mean the servers aren't secure, it just means they don't follow what PCI Compliance classes as secure. To be honest if we secured our servers just to PCI Compliance they would be hacked daily in a shared environment. Secondly, I do believe that the self assessment questionnaire likes you to state you aren't in a shared environment.

    As we are talking about the questionnaire, I should add something. The eUKhost network configuration complies with PCI DSS standards, so you can go ahead and certify those.

    A VPS or Dedicated Server is the only way for a customer to become PCI Compliant with us. This essentially means that you are enrolling to become PCI DSS Compliant yourself and you can then forward your scan results onto us for us to make the required changes.

    Just because a scan passes once is no guarantee of future results. The nature of PCI Compliance means the requirements change pretty much each day. An up-to-date secure version of cPanel will often fail PCI Compliance, for example. We will need to make changes to your server each time. As long as this is done within a few days there won't be a negative impact from your providers.

    Another thing to take into account is the fact that most enterprise servers are running some form of Red Hat. Red Hat has a backporting policy which you can read more about at https://access.redhat.com/security/u...g/?sc_cid=3093

    Today PCI Compliance companies are still not taking backporting into account in any scans. This is because all they are doing is checking a version number and aren't even considering the idea of backports. They also seem intent on ignoring the practices of the biggest Linux server provider in the world, which is just downright odd. I can understand why they have the problem though, as a PCI Compliance scan doesn't actually check for vulnerabilities. It just references a database of potential ones based around version numbers and doesn't take anything else into account. It's total garbage. However, I have heard that some are accepting backporting as a reason now if you do all the work for them and tell them when it was fixed.

    That basically sums it up. I'm personally not a big fan of PCI Compliance as I actually class it to be a scam. The whole idea of some generic scan which can decide if your environment is secure or not is a somewhat laughable concept. However, I do understand that it is a forced requirement for many people, so we will help wherever we can.
    Kind Regards,
    John - Managing Director
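The backporting point in the post above, as an added example that is not part of John's post and not code from eUKhost or Red Hat: a version-only check of the kind the scan performs, beside a parser for the RPM changelog that shows when the distribution actually shipped the fix. The package versions, dates, maintainer line and the advisory token "CVE-0000-0000" in the sample changelog are constructed placeholders; on a Red Hat system the real input is the output of `rpm -q --changelog <package>`, and the date and version-release it returns are the "when it was fixed" evidence the post says some scanning companies will accept.

```python
"""Version-banner check (what the scan does) versus RPM changelog evidence
(what a backported fix looks like). Added example; all package versions,
dates, the maintainer and the advisory token are constructed placeholders."""
import re
from typing import Optional, Tuple

# Constructed sample in the layout `rpm -q --changelog PKG` prints on Red Hat.
# "CVE-0000-0000" is a dummy advisory token, not a real CVE.
SAMPLE_CHANGELOG = """\
* Tue Jan 10 2012 Package Maintainer <maint@example.invalid> - 2.2.15-15
- backport fix for CVE-0000-0000 (upstream fixed in 2.2.22)

* Mon Nov 07 2011 Package Maintainer <maint@example.invalid> - 2.2.15-14
- rebuild with updated build flags
"""

# One changelog header line: "* <Dow Mon DD YYYY> <name> <email> - <version-release>"
ENTRY_RE = re.compile(
    r"^\* (?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4}) .*? - (?P<evr>\S+)$",
    re.MULTILINE,
)


def numeric_parts(evr: str) -> Tuple[int, ...]:
    """'2.2.15-15' -> (2, 2, 15, 15): enough for ordering within one upstream branch."""
    return tuple(int(p) for p in re.findall(r"\d+", evr))


def scanner_flags(banner_version: str, upstream_fixed_version: str) -> bool:
    """The version-only logic the post describes: flag as vulnerable if the banner
    is older than the upstream release that first shipped the fix. A distro
    backport changes the release number, not the banner, so it is invisible here."""
    return numeric_parts(banner_version) < numeric_parts(upstream_fixed_version)


def backport_evidence(changelog: str, advisory_id: str) -> Optional[Tuple[str, str]]:
    """Return (date, version-release) of the newest changelog entry whose body
    mentions advisory_id, or None if the changelog never mentions it."""
    entries = list(ENTRY_RE.finditer(changelog))
    for i, header in enumerate(entries):
        body_end = entries[i + 1].start() if i + 1 < len(entries) else len(changelog)
        if advisory_id in changelog[header.end():body_end]:
            return header.group("date"), header.group("evr")
    return None


def assess(installed_evr: str, upstream_fixed_version: str,
           changelog: str, advisory_id: str) -> dict:
    """Put the scan's view and the changelog's view side by side for one package."""
    banner = installed_evr.split("-")[0]          # the scan only sees "2.2.15"
    evidence = backport_evidence(changelog, advisory_id)
    fixed_in = evidence[1] if evidence else None
    # Patched only if the installed version-release is at or past the fixing one.
    patched = fixed_in is not None and numeric_parts(installed_evr) >= numeric_parts(fixed_in)
    return {
        "scanner_flags": scanner_flags(banner, upstream_fixed_version),
        "fixed_in": fixed_in,
        "fixed_on": evidence[0] if evidence else None,
        "actually_vulnerable": not patched,
    }


if __name__ == "__main__":
    # Same banner "2.2.15" in both cases; only the release number tells them apart.
    for installed in ("2.2.15-15", "2.2.15-12"):
        print(installed, assess(installed, "2.2.22", SAMPLE_CHANGELOG, "CVE-0000-0000"))
```

Both runs flag on the banner alone; only the changelog separates the patched 2.2.15-15 from the older 2.2.15-12, which really is unpatched. The release number compare is deliberately simple (it ignores RPM epochs and non-numeric release tags), which is fine for a single upstream branch but not a general EVR comparison.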

  2. #2

    Thank you

    Dear John,

    I have to say thank you for providing such useful information on PCI DSS Compliance! As I read the information, I came across some very useful points about it.

    I was looking all over for this: "On shared hosting we don't guarantee PCI Compliance. Your scans will likely fail. That doesn't mean the servers aren't secure, it just means they don't follow what PCI Compliance classes as secure. To be honest if we secured our servers just to PCI Compliance they would be hacked daily in a shared environment. Secondly, I do believe that the self assessment questionnaire likes you to state you aren't in a shared environment."

    I thank you once again for the outstanding information and your efforts.

    Cheers
