Recently, while still working on my WPP implementation, I've started worrying about meeting the PCI compliance requirements. I sent a quick note to my hosting company, who responded:
"Because these are shared servers they will never be 100% PCI compliant. You would need a dedicated server for that."
I pushed a bit, saying that I realized that a security scan would likely identify some potential vulnerabilities, but would they be serious enough that we would not receive a passing report? I also asked whether they were aware of any other clients on their shared hosting plan that had achieved PCI compliance. The answer:
"We have told them if they need PCI compliance to go with a dedicated server that is PCI compliant."
Obviously, this does not inspire confidence, though I haven't actually submitted the site to a scan yet and so can't say for sure what the results might be. (By the way, is Paypal going to ask me for a copy of the scan result?)
So I guess my question is whether anybody has successfully implemented WPP and achieved the required PCI compliance in a shared hosting environment. (If so, and if this isn't against forum rules, I'd also be curious to know the name of the hosting company.)