PCI compliance on shared server?
Recently, while still working on my WPP implementation, I've started worrying about meeting the PCI compliance requirements. I sent a quick note to my hosting company, who responded:
"Because these are shared servers they will never be 100% PCI compliant. You would need a dedicated server for that."
I pushed a bit, saying that I realized that a security scan would likely identify some potential vulnerabilities, but would they be serious enough that we would not receive a passing report? I also asked whether they were aware of any other clients on their shared hosting plan that had achieved PCI compliance. The answer:
"We have told them if they need PCI compliance to go with a dedicated server that is PCI compliant."
Obviously, this does not inspire confidence, though I haven't actually submitted the site to a scan yet and so can't say for sure what the results might be. (By the way, is Paypal going to ask me for a copy of the scan result?)
So I guess my question is whether anybody has successfully implemented WPP and achieved the required PCI compliance in a shared hosting environment. (If so, and if this isn't against forum rules, I'd also be curious to know the name of the hosting company.)
Re: PCI compliance on shared server?
You would not necessarily need a dedicated server - just a dedicated IP and Security certificate.
Before getting too worried about it- you might ask PayPal if they are going to require a PCI scan.
Re: PCI compliance on shared server?
dkoehler,
Their statement is false; we have many clients that are PCI compliant on shared servers.
Re: PCI compliance on shared server?
I took Kim's advice and spoke to somebody at Paypal, who told me that he didn't expect Paypal to ask for a PCI scan, and that if I was asked it would be by one of the credit card companies.
So I guess that doesn't entirely solve my problem, but at least postpones it for a while. Good to hear that it's possible to achieve PCI compliance on a shared server. Seems that the worst case scenario is that I'll have to switch to a hosting company that is more prepared to help its clients with this issue.
Re: PCI compliance on shared server?
Dkoehler
I have been using WPP on a few sites for a while. I have not been asked to achieve PCI DSS as of yet and have been accepting payments for about 6 months. My host is PCI DSS compliant; if you require the hostname, send me a PM and I will let you know. I wouldn't worry too much, though, as it is unlikely a CC company will need to PCI scan you.
Rob
Re: PCI compliance on shared server?
It's usually the banks that ask for PCI compliance, when you have an Internet Merchant ID with them. Only some banks will ask for PCI compliance, and even then they will usually only require it of sites which sell high-value high-tech items in large quantities.
As to whether a shared server can be made PCI compliant, that depends upon whether or not the bank asking for the scan requires you to use a specific scanning company and what the scanning company's requirements are. McAfee Security Scan have recently changed their requirements to such an extent that it cannot be achieved on a shared server without causing inconvenience to all other customers.
I find this rich coming from McAfee, as their Virus Scanning software lets through so many viruses that we dumped them years ago.
Vger
Re: PCI compliance on shared server?
vger,
We have several folks using McAfee with no issues and no hardships.
Re: PCI compliance on shared server?
You may want to wait until they have their next scheduled McAfee Security Scan before saying that.
We had no problems either, until a scheduled security scan came around and failed (where previously it had passed).
But it may depend on your server setup as to whether their new conditions are a problem for your customers.
Rather than go into detail here I'll send you a PM.
Vger
Quote: Originally Posted by Merlinpa1969
vger,
We have several folks using McAfee with no issues and no hardships.
Re: PCI compliance on shared server?
That's cool, we just passed one like 3 days ago.
Re: PCI compliance on shared server?
I also have issues with the PCI scans. According to the scan, the PHP version isn't the one our host uses. Could Zencart override the host settings when they scan our site? Then how do I get certified when Zencart is running an "insecure" PHP version?
Can you PM me with the answer if that would be safer?
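The post above asks how a scan can report a PHP version that differs from what the host says is installed. An external scanner sees only what the web server advertises in its response headers, so a quick check is to look at those headers the way a scanner would. The following is an added example, not code from the original thread, from Zen Cart or from any scanning vendor; it assumes (as is common, but not stated in the post) that the scanner fingerprints PHP from the `X-Powered-By` and `Server` headers, and the two sample responses are constructed, not captured from any real host. The first sample deliberately advertises two different PHP versions, which is one way a mismatch like the one described can arise (for instance an Apache build that reports one mod_php version in `Server` while requests are actually handled by a different PHP build); whether that is what the poster saw is not known from the thread.

```python
import re
from typing import Dict

# Banner pattern a scanner might match: "PHP/5.2.17", "PHP/7.4.33", ...
# (assumed fingerprinting method; the thread does not say how the scanner works)
PHP_BANNER = re.compile(r"PHP/(\d+(?:\.\d+){1,2})")


def parse_headers(raw_response: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header dict; the body is discarded."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        # Repeated headers are joined, which is how a scanner would see them too.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def advertised_php_versions(raw_response: bytes) -> Dict[str, str]:
    """Return {header_name: version} for every header that leaks a PHP version.

    An empty dict means the response gives a banner-based scanner nothing to
    report a PHP version from.
    """
    found: Dict[str, str] = {}
    for name, value in parse_headers(raw_response).items():
        match = PHP_BANNER.search(value)
        if match:
            found[name] = match.group(1)
    return found


# Constructed sample responses (hypothetical, not from any real host).
# 1. PHP with expose_php=On behind Apache with ServerTokens Full: two headers,
#    two different versions, so what "the scan says" depends on which one it read.
LEAKY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (CentOS) PHP/5.1.6\r\n"
    b"X-Powered-By: PHP/5.2.17\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)
# 2. The same site with expose_php=Off in php.ini and ServerTokens Prod in Apache:
#    no version is advertised at all.
QUIET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print(advertised_php_versions(LEAKY))  # {'server': '5.1.6', 'x-powered-by': '5.2.17'}
    print(advertised_php_versions(QUIET))  # {}
```

To apply this to a live site, fetch the storefront page with any HTTP client that shows raw headers (for example `curl -sI`) and feed the bytes to `advertised_php_versions`. If the versions it returns disagree with what the host claims, the discrepancy is in what the server advertises, not something Zen Cart changes during a scan; `expose_php = Off` (a php.ini setting, which on shared hosting usually needs the host to set it) and Apache's `ServerTokens Prod` remove the banners, although a scanner that flags an old PHP version is pointing at something only upgrading PHP actually fixes.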