  1. #1
    drifter is offline Member
    Join Date
    Aug 2008
    Posts
    33

    Semi-Dedicated Server - PCI Compliance

    Hi there,
    I currently have a Semi-Dedicated server. We are applying for a credit card merchant account and our potential credit card company has asked a question about PCI Compliance.

    Their question was,
    "We will require details of your PCI compliance for the web hosting environment. As you are a small business I would expect that these services are outsourced, so in that case we would need evidence that the hosting company is PCI compliant."


    Is there any general eukhost document/statement that I can point them to in relation to PCI compliance?

    And, are there any other guidelines that I would need to look at to make sure my semi-dedicated server is compliant?


    Many thanks in advance for any advice you can give.

  2. #2
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217


    Hi,

    You need to contact your PCI Compliance Scanning Vendor and ask them for the prerequisites required before scheduling a scan.
    So, we will make the required changes on your server.

    Is there any general eukhost document/statement that I can point them to in relation to PCI compliance?
    You can find the document for PCI compliance here

  3. #3
    bedotnet is offline Senior Member
    Join Date
    Sep 2008
    Location
    Ipswich
    Posts
    125


    Ralf, is PCI-DSS Compliance available on the Semi-dedicated servers? If so, is it also available on the VPS?... From the PCI-DSS page, it looks like the service is based on the dedicated server, which is what I originally thought was a requirement.

    Rob.

  4. #4
    Rock is offline Technical Support (eUKhost.com)
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    Quote Originally Posted by bedotnet View Post
    Ralf, is PCI-DSS Compliance available on the Semi-dedicated servers? If so, is it also available on the VPS?... From the PCI-DSS page, it looks like the service is based on the dedicated server, which is what I originally thought was a requirement.

    Rob.
    Hi Rob,

    Yes, PCI-DSS can be made available on a VPS too. You can find more info here : http://www.eukhost.com/forums/f11/pc...mpliance-7882/

    Rock _a.k.a._ Jack
    Windows Hosting || Windows Reseller Hosting
    Cloud Hosting 100% UPTIME! || Powerful Dedicated Servers
    Follow eUKhost on Twitter || Join eUKhost Community on Facebook

    For complaints, grievances or suggestions kindly email our FeedBack Dept.
    Proper action will be taken accordingly & instantaneously!

  5. #5
    bedotnet is offline Senior Member
    Join Date
    Sep 2008
    Location
    Ipswich
    Posts
    125


    Nice cheers rock!

    I thought PCI was going to be a pain; that makes it seem relatively straightforward.

  6. #6
    Rock is offline Technical Support (eUKhost.com)
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    Quote Originally Posted by bedotnet View Post
    Nice cheers rock!

    I thought PCI was going to be a pain; that makes it seem relatively straightforward.
    You're welcome


  7. #7
    drifter is offline Member
    Join Date
    Aug 2008
    Posts
    33


    Hi again,
    First I'd like to say thanks to the support folks at eukhost. I have been working through the various issues that came out of my PCI scan. Some of them I could resolve myself, some I needed specific support help for. Support were very helpful and experienced, and applied updates quickly and without fuss. Thank you!

    When I get through the full list of PCI issues I hope to add to this thread, or perhaps create a new one, detailing all the steps I had to take, for the benefit of others.

    There are a couple of issues from the scan that I could use some guidance on - hence the public post.


    Using SSL 2.0 has been highlighted as a potential security risk, in particular, it was in relation to port 8443 for the Plesk control panel. They recommend disabling SSL 2.0 and making sure the server just uses SSL 3.0 or TLS.

    I have done some reading around this issue, and although this is simple on Linux servers, Windows servers seem to have more of a problem. I can see how to make a registry change to disable IIS from using SSL 2.0. But a lot of people are saying that Plesk doesn't function correctly, or doesn't function at all, without SSL 2.0 on Windows servers.

    Has anyone else had to disable SSL 2.0 on a Windows server? And did Plesk work OK after you did this?


    There was another security problem relating to security ciphers used by Plesk, but we can come back to that if there's a solution/workaround to the SSL 2.0 issue.


    Many thanks in advance.
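
Added example, not part of the original thread or of eUKhost's or Plesk's own tooling: a PowerShell script that reports the Schannel server-side state of SSL 2.0, SSL 3.0 and TLS 1.0, and sets `Enabled = 0` for SSL 2.0 when asked, which is the registry change the post above refers to for IIS. The switch name `-DisableSsl2` and the function name are made up for this example; whether the Plesk listener on port 8443 honours the Schannel setting is not established in the thread, so re-run the PCI scan against 8443 afterwards.

```powershell
# Audit, and optionally disable, SSL 2.0 for Schannel server-side use.
# Run from an elevated prompt. Schannel reads these values at boot,
# so a restart is needed before a change takes effect.
param(
    [switch]$DisableSsl2   # hypothetical switch name chosen for this example
)

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'

function Get-SchannelServerState {
    param([string]$Protocol)

    $key     = Join-Path $base "$Protocol\Server"
    $exists  = Test-Path $key
    $enabled = $null
    if ($exists) {
        $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        if ($prop) { $enabled = $prop.Enabled }
    }

    # A missing key or value means the operating system default applies.
    $state = 'not set (OS default)'
    if ($null -ne $enabled) {
        if ($enabled -eq 0) { $state = 'disabled' } else { $state = 'enabled' }
    }

    New-Object PSObject -Property @{
        Protocol  = $Protocol
        KeyExists = $exists
        Server    = $state
    }
}

if ($DisableSsl2) {
    $key = Join-Path $base 'SSL 2.0\Server'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null   # creates missing parent keys too
    }
    # Enabled = 0 (DWORD) stops Schannel accepting SSL 2.0 as a server.
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output 'SSL 2.0 server-side disabled in the registry; restart to apply.'
}

$protocols | ForEach-Object { Get-SchannelServerState $_ } |
    Select-Object Protocol, KeyExists, Server | Format-Table -AutoSize
```

Running it without the switch only reports the current state, which is useful as before-and-after evidence for the scanning vendor.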
