  1. #31
    Join Date
    Nov 2006
    Posts
    24
    Plugin Contributions
    0

    Default Re: PCI compliance on shared server?

    I am not a Zen Cart user. Just someone that has been pulling his hair out all day trying to understand all this PCI Compliance nonsense. At this moment I had come to the conclusion that magnafix did after reading the PCI Council's site, then investigating further and finding support for the conclusion I reached here:

    http://tylerhannan.com/2009/07/hoste...ci-compliance/

    I would like to know where Kobra read that if you are only transmitting cardholder data (like most of us are) that you need only be using SSL and other PCI DSS Compliance criteria do not apply?

  2. #32
    Join Date
    Nov 2006
    Posts
    24
    Plugin Contributions
    0

    Default Re: PCI compliance on shared server?

    Further, I found this on Glowhost information page:

    Why do I need a Dedicated Server?
    PCI still remains a gray area. Recent "standards" state that all merchants must comply, regardless of how many dollars they process per month. It is important to know that PCI standards say that a dedicated server is required to accept payment via credit card due to the nature of access controls and the inability to effectively manage users in a shared hosting environment. PCI states that a machine that holds, transmits, or stores sensitive data must be owned by a single entity, and that entity must only grant access to sensitive cardholder data on a "need to know" basis.

    We feel that the above requirements are impossible on a shared hosting platform, and this is why we only offer PCI Compliance on a dedicated machine. If you see a host offering PCI compliance on a shared machine we strongly suggest reviewing the current PCI standards.

  3. #33
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: PCI compliance on shared server?

    It seems to me that it doesn't really matter how much opinion, conjecture and interpretation is bandied about here ... the key test is whether the PCI compliance specialists appointed by the banks are willing to approve as compliant merchants operating on shared servers for the transmission only of card data.

    Vger has confirmed that in the UK they are. Merlin has confirmed the same for the US.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

  4. #34
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Default Re: PCI compliance on shared server?

    Quote: Originally Posted by dax702
    Further, I found this on Glowhost information page:

    Why do I need a Dedicated Server?
    PCI still remains a gray area. Recent "standards" state that all merchants must comply, regardless of how many dollars they process per month. It is important to know that PCI standards say that a dedicated server is required to accept payment via credit card due to the nature of access controls and the inability to effectively manage users in a shared hosting environment. PCI states that a machine that holds, transmits, or stores sensitive data must be owned by a single entity, and that entity must only grant access to sensitive cardholder data on a "need to know" basis.

    We feel that the above requirements are impossible on a shared hosting platform, and this is why we only offer PCI Compliance on a dedicated machine. If you see a host offering PCI compliance on a shared machine we strongly suggest reviewing the current PCI standards.
    This is the work of a good sales person,
    I can in fact tell you that PCI Compliance can be attained on a shared hosting environment (IF the host is willing to do the work). Any host that says that you MUST have a dedicated server only wants deep in your pockets.
    Zen cart PCI compliant Hosting

  5. #35
    Join Date
    May 2009
    Posts
    8
    Plugin Contributions
    0

    Default Re: PCI compliance on shared server?

    Quote: Originally Posted by Merlinpa1969
    This is the work of a good sales person,
    I can in fact tell you that PCI Compliance can be attained on a shared hosting environment (IF the host is willing to do the work). Any host that says that you MUST have a dedicated server only wants deep in your pockets.
    I suppose if the definition of PCI Compliance is whatever a QSA tolerates, then yes, anything's possible. I have heard of QSAs only requiring a remote scan; I have also heard that some QSAs provide the self-assessment questionnaire already filled out for you, with YES to everything of course, because that is the only way to pass.

  6. #36
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Default Re: PCI compliance on shared server?

    well,
    scanalert trustwave security metrics

    we have passed them all,

    it is VERY POSSIBLE to pass PCI Compliance on a shared server.

    remember that you said
    Some of my interpretations
    Unless you have spent the time with the folks at these companies and verified that everything is good to go, please STOP saying it's not possible....
    Zen cart PCI compliant Hosting

 

 
Zen-Cart, Internet Selling Services, Klamath Falls, OR