#11  Join Date: Mar 2004 | Posts: 16,042 | Plugin Contributions: 5

Re: PCI compliance on shared server?

Zen Cart has nothing to do with the version of PHP.

That's ALL your host.

You can see what version they are running by going to your ZC -> admin -> tools -> server settings.
    Zen cart PCI compliant Hosting

#12  Join Date: Sep 2006 | Posts: 277 | Plugin Contributions: 2

Re: PCI compliance on shared server?

Thanks. This is SOOOO frustrating. How do they expect small start-ups to get this done: PHP versions, open ports, "you need a dedicated server"... heck, I ain't a millionaire to pay 200 a month for the server, 50+ for the CC gateway, and, and, and... and then they charge you another 150+ a year just for that damn compliance. And "you either comply or we charge you even more"... we're sooo *ucking ducky for the right to pay everyone....

#13  Join Date: Mar 2004 | Posts: 16,042 | Plugin Contributions: 5

Re: PCI compliance on shared server?

You don't need a dedicated SSL for PCI compliance, and anyone that tells you so is full of crap.....

We have a lot of folks (on shared servers) that are PCI compliant.

How do I know this?

'Cause I'm the ############## that gets to deal with

McAfee
Comodo
Security Metrics
etc.....

It's a little more intense to set up a shared server to be PCI compliant... the thing is that the servers themselves need to be compliant before you worry about an account.
    Zen cart PCI compliant Hosting

#14  Join Date: Dec 2005 | Location: Cincinnati Ohio | Posts: 1,030 | Plugin Contributions: 13

Re: PCI compliance on shared server?

Like Merlin said, shared or dedicated can be PCI compliant and, as said previously in the thread, only banks or processing companies will ask for PCI, not PayPal. But if you use the PayPal Pro merchant service it is possible you will be asked to meet the PCI compliance standards, not for personal or everyday use like most use.

PCI can go many ways; there are false positives that are often reported, which means the server is up to date but the PCI scanner is not able to read the updated boards from the upgrade because the scanner is not updated itself.

We deal with hundreds of these as well, and shared and dedicated SSLs can be used even though sometimes it is not required; SSL may be required by the merchant, such as authorize.net, which requires it, and a few others, but as far as I know we have never been asked to put SSL up for PCI compliance as a requirement for a customer.

To find out truly what is required, it is best to contact the company scanning or offering the service about what is required, so you can get your host up to date on what needs to be done, where the workload is not as heavy on the host and yourself.
    PCI Certified Web Hosting - ControlScan, Security Metrics (Platinum Partner), McAfee, TrustKeeper
    Business Class Web Hosting - Linux and cPanel Powered

#15  Join Date: May 2009 | Posts: 8 | Plugin Contributions: 0

Re: PCI compliance on shared server?

    I need to resurrect this 6 month old post due to some bad information.

    It is true that you don't need a dedicated server to be truly PCI compliant. You need multiple dedicated servers.

    A remote scan of your website is a tiny, tiny sliver of what PCI compliance requires. A "clean" scan does not mean you are compliant.

    Each server must have one primary role -- you can't pile Apache, MySQL, DNS, and a mail server all on one box. You must have a web application firewall. Credit card information must be encrypted. You must have a documented security policy for employees and contractors. If you use a commercial ecommerce application, it must be PCI PA-DSS certified. If you built your own, you must have rigorous security testing policies, and separation of dev/test/stage/production environments. You must have agreements in place with any service providers who handle your credit card data -- they must be PCI compliant as well.

    That's a subset of the requirements from https://www.pcisecuritystandards.org.../pci_dss.shtml

    And 100% of this is required for all merchants who accept credit cards, large and small.

#16  Join Date: Feb 2005 | Location: Lansing, Michigan USA | Posts: 20,024 | Plugin Contributions: 3

Re: PCI compliance on shared server?

Quote Originally Posted by magnafix:
    And 100% of this is required for all merchants who accept credit cards, large and small.

I think you meant to say "and 100% of this is required for all merchants who store credit card information, large and small."

#17  Join Date: Nov 2004 | Location: Norfolk, United Kingdom | Posts: 3,036 | Plugin Contributions: 2

Re: PCI compliance on shared server?

    Actually there's a whole lot more that is just plain wrong in the statement by Magnafix.

    Vger

#18  Join Date: May 2009 | Posts: 8 | Plugin Contributions: 0

Re: PCI compliance on shared server?

Quote Originally Posted by stevesh:
    I think you meant to say "and 100% of this is required for all merchants who store credit card information, large and small."

"Store, process, or transmit" is the phrase used.

    With PCI you need to work hard to restrict your 'cardholder data environment' to as few machines as possible. Anything that stores, processes, or transmits is in scope.

    If your cart does not directly accept cards, but instead links offsite to paypal, that helps a lot, since you are not storing, processing, or transmitting. But if the cart software accepts the card and THEN transmits it, your webserver is in scope and must be compliant.
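A check that follows from the scoping point in the post above, added here as an example and not code from the forum post, from Zen Cart or from any of the scanning vendors named in the thread: if the web server really never stores, processes or transmits cardholder data (checkout hands off to a hosted payment page), then no primary account number should ever appear in that server's logs. The script below scans log text for 13 to 19 digit runs, keeps only those that pass the Luhn check (so order numbers and transaction IDs of card-like length are not reported), and masks what it finds to first six / last four before printing, so the report itself does not become another copy of the PAN. The log lines are constructed for this example; the field names (cc_number, txn_id), the IP addresses and the test card numbers are assumptions, not data from the thread.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so a 20-digit run is not a card).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines for this example; not taken from the post.
# Line 2 carries a card in a GET query string, line 3 a product id of card
# length that fails Luhn, line 4 a transaction id that fails Luhn, and
# line 5 an application notice that dumped a posted Amex number.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2009:10:01:22 +0000] "GET /index.php?main_page=checkout_confirmation HTTP/1.1" 200 5120
10.0.0.5 - - [12/May/2009:10:01:40 +0000] "GET /index.php?main_page=checkout_payment&cc_number=4111111111111111&cc_cvv=123 HTTP/1.1" 200 4096
10.0.0.7 - - [12/May/2009:10:02:01 +0000] "GET /index.php?main_page=product_info&products_id=1234567890123456 HTTP/1.1" 200 8192
10.0.0.9 - - [12/May/2009:10:03:15 +0000] "POST /ipn_main_handler.php HTTP/1.1" 200 12 "txn_id=5555444433332222"
[12-May-2009 10:04:02] PHP Notice: undefined index cc_owner in payment module, post: cc_number=3782-822463-10005 cc_expires=0512
"""


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid, card-length digit strings found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep first six and last four digits, mask the rest (PCI DSS 3.3 style)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(log):
    """Scan each line; return one record per line that carries a likely PAN."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        pans = find_pans(line)
        if pans:
            hits.append({"line": lineno, "pans": [mask_pan(p) for p in pans]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: PAN(s) %s" % (hit["line"], ", ".join(hit["pans"])))
```

Run it against a real access log, error log or debug log instead of SAMPLE_LOG. Any hit on a server that is supposed to be out of scope means the cart is in fact transmitting card data through that box (here, line 2 shows a payment module passing the number in a GET query string, which also lands it in every proxy and browser history on the path), and the scope claim has to be revisited. The Luhn filter is what keeps order and transaction numbers off the report; a plain 16-digit regex would flag lines 3 and 4 as well.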

#19  Join Date: Feb 2005 | Location: Lansing, Michigan USA | Posts: 20,024 | Plugin Contributions: 3

Re: PCI compliance on shared server?

    I'm not arguing, but your (magnafix) post is an excellent example of the FUD being perpetrated on the Internet about PCI.

    The idea that even a site (like most Zencart sites) which just passes the CC information to another party requires the security measures you described is (must be) wrong.

    If that were true, Camelot's shared hosting couldn't be PCI compliant, and it seems to be.

    Also, while the federal government doesn't seem to mind putting hundreds or thousands of small Internet sellers out of business (http://online.wsj.com/article/SB123189645948879745.html), my guess would be that the credit card issuers would, unless they think they can survive with only the big Web retailers.

#20  Join Date: May 2009 | Posts: 8 | Plugin Contributions: 0

Re: PCI compliance on shared server?

Quote Originally Posted by stevesh:
    I'm not arguing, but your (magnafix) post is an excellent example of the FUD being perpetrated on the Internet about PCI.

    The idea that even a site (like most Zencart sites) which just passes the CC information to another party requires the security measures you described is (must be) wrong.

    If that were true, Camelot's shared hosting couldn't be PCI compliant, and it seems to be.

    Also, while the federal government doesn't seem to mind putting hundreds or thousands of small Internet sellers out of business (http://online.wsj.com/article/SB123189645948879745.html), my guess would be that the credit card issuers would, unless they think they can survive with only the big Web retailers.
    I'm not trying to argue either, just giving my best understanding of the PCI documentation. I work at a hosting company and we have been studying this for a couple years, off and on, and gradually working towards compliance.

Certainly, if you store card information, all 12 sections apply. If your site has a form which collects card information, and then instantaneously transmits it to a remote processor and doesn't store anything, most of it still applies.

    For hosting companies -- you also have to comply with Appendix A.

    I agree that the requirements appear horrendously onerous to the average "Laura's E-Shop" type small ecommerce sites out there, and even small businesses without dedicated IT/security teams. I further agree that if the card industry really enforced PCI DSS, they would put millions of small businesses out of business, and crush the economy. So that's not going to happen.

    But that doesn't stop the processors/merchant account providers from tacking on a non-compliance fee of whatever they please.

    And now there is a large and growing scanning/compliance/consulting industry to which PCI DSS gives a tremendous boost. Vested interests.

    Our merchant account provider is emailing us weekly urging us to sign up with SecurityMetrics for our quarterly scans. No point in scans if we can't say YES to 100% of the questions on the form though. A single NO, with regards to your cardholder data environment, means you're non-compliant.

    If someone can point to documentation that indicates I have misinterpreted something, I am all ears.
