  1. #1

    PCI-DSS Compliance

    Hello,

    I'm looking to move our ecommerce site from an alternative host to an eUKhost semi-dedicated server. Under the payment card industry requirements we have to have quarterly scans run on our site and the server to ensure PCI-DSS compliance. Will this be ok on eUKhost servers?

    Thanks,
    Dave

  2. #2
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    As long as you opt for a VPS/Semi-Dedicated/Dedicated, you will have no problem becoming PCI compliant.

    Problems with PCI compliance come when someone opts for shared hosting. PCI Compliance often involves changing software versions, which isn't always possible on shared hosting.
    Kind Regards,
    John - Managing Director

  3. #3

    Thanks for the reply.

  4. #4
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    You are welcome. If you provide the scan report to our technicians, they will perform the needed upgrades and changes.
    Kind Regards,
    John - Managing Director

  5. #5
    Join Date: Jun 2009 | Posts: 10

    PCI DSS

    Quote Originally Posted by John:
        Hello,

        You are welcome. If you provide the scan report to our technicians, they will perform the needed upgrades and changes.

    I hate making posts like this for the first time in a public environment, but I can't get private messaging to work and am otherwise running out of steam here.

    I need to move a very simple Frontpage authored site to a server capable of passing a Securitymetrics PCI DSS compliance scan.

    On the basis of this thread I have taken a Windows/Plesk VPS contract. It failed the scan first time, which is not surprising, and I, as suggested here, sent the report to support for assistance with the necessary upgrades etc. Basically the upshot is that Securitymetrics won't pass the server without an upgrade to the PHP version, Plesk won't work with the required version of PHP, and support are saying that without Plesk only limited support is available. I quote - "but you will then have to manually configure everything on your VPS as we don't provide too much support for a Plain VPS as compared to a Plesk VPS." While I have a basic level of technical ability I definitely don't want a server where I don't have "too much" support.

    I may have bought completely the wrong thing. I may be a total absolute numpty and EUKHost might be deliriously happy if I simply disappear in a puff of smoke but all I really want is a very simple server to host a website and pass a scan. This thread suggests that EUK would make that easy and this has not been my experience. If anybody is listening at the other end of this I would really - really appreciate some help.

  6. #6
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hi,

    I have used security metrics before and I have found their support to be cooperative. We might be able to put an older version of Plesk on for you. Please let me know your ticket ID and I will check their current requirements.

    Many of the changes SecurityMetrics require do seem to be fairly stupid, to most technicians anyway.
    Kind Regards,
    John - Managing Director

  7. #7
    Join Date: Jun 2009 | Posts: 10

    Thank you for the quick response - the support ticket ID is #DFH-55278-445 I think - if that doesn't look like one then let me know.

    I have no thoughts on Securitymetrics other than that they are the "preferred" choice of my card acquirer. Easy life choice, I'm afraid. Frankly I use a hosted service for all my card-sensitive data and the whole need for me to make the site compliant because of a single link appears insane, but as in so many things in life I can either rage against the machine or pay up and move on. Finding a host who appears at all interested in helping small businesses to overcome the compliance hurdle has been a lot more difficult than it should be - strikes me there is a nice little market waiting for somebody to help it spend some money (but not too much - harrumph - moving on).

  8. #8
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Thanks.

    We have sent a ticket to the makers of Plesk asking for a solution. I will let you know when we hear something back.
    Kind Regards,
    John - Managing Director

  9. #9
    Join Date: Jun 2009 | Posts: 10

    Thanks - I'll wait to hear more.

  10. #10

    I can only speak from my experience but eUKhost were true to their word, I sent the scan results to them and they corrected the problems so the PCI scan passed second time round. We're on a Linux semi-ded server with cPanel.

  11. #11
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    Okay, we have a solution. Can you please update the ticket confirming that you have no data stored on the VPS? We will then recreate the VPS for you using a different version of Plesk.
    Kind Regards,
    John - Managing Director

  12. #12
    Join Date: Jun 2009 | Posts: 10

    I have confirmed separately - thank you for your attention - fingers crossed this end that this will resolve the issue.

    Thanks

    Ian

  13. #13

    Hello,
    I am looking to move my Actinic catalogue powered website (using Sage Pay with BMS) to a host that passes PCI DSS scans by Security Metrics. First, I have seen a thread in the Actinic community that indicates I should opt for Linux. Second, I have seen on this thread that a VPS is the minimum to achieve this. So, my question:

    If I choose a Linux VPS to host my Actinic site, is that going to pass the scans after a bit of tweaking? Will it make any difference to the scans if I choose cPanel or Plesk?

    If anyone is using a similar setup and has any advice, I would appreciate it.

    Thanks

    Mark

  14. #14
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    Yes, you should opt for Linux unless you need some features that are only available on Windows (ASP.net, for example).

    Generally speaking, PCI Compliance should be easy to achieve on both Plesk and cPanel on Linux.
    Kind Regards,
    John - Managing Director

  15. #15
    Join Date: Jun 2009 | Posts: 10

    Quote Originally Posted by Ianb1961:
        I have confirmed separately - thank you for your attention - fingers crossed this end that this will resolve the issue.

        Thanks

        Ian

    Unfortunately the version upgrade of Plesk has not resolved the issue, as it still uses a version of PHP which fails Securitymetrics scanning. This appears (communication from support might be reasonably prompt but is less than effusive) to now rely on Swsoft making changes to the Plesk installation. This is the only thing outstanding, as I have cleared off the other critical failures (SSL related) myself. I guess this remains a watch this space.

  16. #16
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    Martin, one of our senior windows technicians, has made some changes. Your VPS should now pass the test.
    Kind Regards,
    John - Managing Director

  17. #17
    Join Date: Jun 2009 | Posts: 10

    Quote Originally Posted by John:
        Hello,

        Martin, one of our senior windows technicians, has made some changes. Your VPS should now pass the test.

    Afraid that the test is still failing - I have sent the test results to Martin.

  18. #18
    Join Date: Jun 2009 | Posts: 10

    Whoopee - I have a passing result. Basically I made a change to a php.ini file such that the older version of PHP that Plesk relies on does not get confused with the version of PHP that is running on the webserver - which support had already changed for me. I have sent the details of what I found to support in case it has any value to them in the future.

    As this thread is in the public domain and comes up fairly high on a google search for PCI DSS compliant hosting, it seems only fair to ensure that it gives reasonable information about my experience in getting this far.

    I hate the fact that I ended up having to bring a support issue into the public domain to get it resolved. I have managed application support desks in my previous life. That doesn't make me billy the wizz but it also means that I am at least vaguely competent at trying to get to a resolution. This is not my chosen way.

    I had been looking for months for a hosting provider who appears willing to work with ordinary small business users to get PCI compliance resolved. EUKHost were the first (and to date only) place where I had seen - in this thread - evidence of that service. So I set up an account and ran a scan - got my fail report as expected and sent it to support.

    The first response from support made it appear that they had not read past page 1 of the securitymetrics error report. Once I had pointed out the additional pages they made some changes to SSL settings as required but basically said that as to the rest - Plesk was set in stone and that PHP could not be upgraded.

    Several queries as to whether Plesk was essential led only to statements that without it support would be limited. I specifically chose EUKHost because it appeared to offer less limited support, so I was unhappy about going down that route.

    I had sent support the URL of this thread on two separate occasions with absolutely no reaction from them to that information, and very reluctantly came to the conclusion that I either needed to abort this process or make the unsavoury choice to get John involved on the basis that his statements on this thread had brought me here in the first place.

    So I tried to PM John. Again maybe my error but the PM system wouldn't work and I therefore ended up making a public post much against my inclinations.

    Since then the activity from support has been more directed and the communication has been at least a little bit clearer - although as is so often the case not great on wider explanation.

    I have been able to resolve several of the issues myself with judicious use of google. I suspect that these would also have been resolved by support but I also suspect that the timescale would have been longer.

    So all in all I am basically happy because I have the outcome, a passing test, that I was trying to get to. It has not been as painless as this thread initially suggested, but neither has it been catastrophically painful. I strongly suspect that if John hadn't been dragged into it then I would have given up and asked for my money back rather than spend days back and forthing with support.

    I am also intensely aware that I may have made some schoolboy error in the way that I went about achieving the required outcome and, for the sake of completeness and the information of others who will read this thread in the future, hope that somebody from EUKHost will take the time to post here anything that I should have done differently.
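
Post #18 describes a php.ini change that stopped the scan from seeing the older PHP that Plesk relies on instead of the PHP actually serving the site. The script below is an added illustration for readers of this thread, not code from eUKhost, Plesk or SecurityMetrics, and the thread does not say how the scan detects the PHP version. It assumes the scan judges the version from the X-Powered-By response header, parses constructed responses against an assumed minimum version, and shows the php.ini directive expose_php = Off, which makes PHP stop sending that header. The response lines, version numbers and minimum are constructed sample values. Removing the banner only changes what the check can see; it does not replace upgrading the PHP that actually runs.

```python
"""Version-banner check of the kind an external compliance scan may perform.

Added illustration for this thread; not code from eUKhost, Plesk or
SecurityMetrics. Assumption: the scan reads the PHP version from the
X-Powered-By header. All responses, versions and the minimum are constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed responses (sample values, not captured from any real server).
RESPONSE_OLD_PHP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: PHP/4.4.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESPONSE_NEW_PHP = RESPONSE_OLD_PHP.replace("PHP/4.4.9", "PHP/5.2.10")
RESPONSE_NO_BANNER = RESPONSE_OLD_PHP.replace("X-Powered-By: PHP/4.4.9\r\n", "")

# Assumed minimum a scan would accept; a placeholder, not SecurityMetrics' threshold.
ASSUMED_MINIMUM: Version = (5, 2, 0)


def php_version_from_headers(raw_response: str) -> Optional[Version]:
    """Return the PHP version advertised in X-Powered-By, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            match = re.search(r"PHP/(\d+(?:\.\d+)*)", value)
            if match:
                return tuple(int(part) for part in match.group(1).split("."))
    return None


def banner_verdict(raw_response: str, minimum: Version = ASSUMED_MINIMUM) -> str:
    """Classify a response the way a version-based banner check would."""
    version = php_version_from_headers(raw_response)
    if version is None:
        return "no PHP banner advertised"
    shown = ".".join(str(part) for part in version)
    # Tuple comparison orders (4, 4, 9) below (5, 2, 0) as a version check should.
    return "pass" if version >= minimum else f"fail: PHP {shown} is below the minimum"


def set_expose_php_off(ini_text: str) -> str:
    """Return php.ini text with expose_php = Off.

    Replaces an existing directive (commented out or not) in place, otherwise
    appends one. With expose_php = Off, PHP no longer adds the X-Powered-By
    header, so the banner check above sees no version at all. This hides the
    banner only; the PHP version actually running is unchanged.
    """
    directive = re.compile(r"^[ \t]*;?[ \t]*expose_php[ \t]*=.*$", re.MULTILINE)
    if directive.search(ini_text):
        return directive.sub("expose_php = Off", ini_text, count=1)
    return ini_text.rstrip("\n") + "\nexpose_php = Off\n"


if __name__ == "__main__":
    for label, response in (("old", RESPONSE_OLD_PHP), ("new", RESPONSE_NEW_PHP),
                            ("no banner", RESPONSE_NO_BANNER)):
        print(f"{label}: {banner_verdict(response)}")
    print(set_expose_php_off("; expose_php = On\nmemory_limit = 128M\n"))
```

Run against a real server, the same functions would take the raw response text from an HTTP client; here they run on the constructed strings so the behaviour of the check is visible without any network access.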

  19. #19
    Join Date: Nov 2007 | Location: United Kingdom | Posts: 648

    Hello,

    Thanks for your well thought out and written post, it is appreciated.

    I'm fairly well versed in PCI DSS Compliance, as I have had to pass it several times myself. However, on each of those occasions, it has been on Linux Hosting, and not Windows Plesk Hosting. Changing the PHP version in Linux Plesk is quite a straightforward thing to do. In Windows, it requires much more fiddling. We are lucky to have such an experienced technician as Martin, who can make it seem relatively straightforward.

    PCI DSS Compliance is one of those funny little things that doesn't seem to make much sense to me. It regularly flags up theoretical vulnerabilities, even though they have not been proven, or have been shown to be possible only in very specific circumstances. However, if you set your Administrator password to something silly like "password", they would certify you PCI DSS Compliant. Kind of strange, don't you think?

    However, I would agree with you on this occasion. It would have been nice if the initial person dealing with your issue would have shown a little more determination to solve the problem.
    Kind Regards,
    John - Managing Director

  20. #20
    Join Date: Jun 2009 | Posts: 10

    In theory the password strength bit is covered in the questionnaire element of compliance but - yeah - PCI DSS is a backside-covering and buck-passing exercise, but then so is about 50% of what I have to waste my time on as a business owner. As I have said elsewhere - rage against the machine or pay up and move on. Just wish I had a bit more time for rage.
