
VPS Hosting-PCI Compliant?


16 replies to this topic

#1 markw10

  • Community Member
  • 58 posts
  • Real Name:Mark W

Posted 11 February 2010, 09:11

I know the deadline is coming up to become PCI Compliant and I currently use Shared Hosting and I know it's not PCI Compliant. I have heard the best way to be PCI Compliant is to change to Dedicated Hosting. I am looking at several options that are VPS Hosting though. Would these be PCI Compliant?

#2 mdtaylorlrim

  • Community Member
  • 2,497 posts
  • Real Name:Mark
  • Gender:Male

Posted 11 February 2010, 12:37

markw10, on 11 February 2010, 09:11, said:

I know the deadline is coming up to become PCI Compliant and I currently use Shared Hosting and I know it's not PCI Compliant. I have heard the best way to be PCI Compliant is to change to Dedicated Hosting. I am looking at several options that are VPS Hosting though. Would these be PCI Compliant?

Shared hosting can be PCI compliant, just like VPS and dedicated. You just have to have a hosting company willing and able to deal with the requirements.
Avoid the most asked question. See How to Secure My Site and How do I...?

#3 ozeworks

  • Community Member
  • 5 posts
  • Real Name:ozEworks, Inc
  • Gender:Not Telling
  • Location:New York

Posted 12 February 2010, 00:01

A dedicated server does not make you PCI compliant by default.

It is mainly about who has access to it.

But provided you do not store cards it is not that hard to comply.

However, there is the provision for code audits, PCI compliance by your suppliers, etc. to be dealt with.

#4 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 14 February 2010, 10:42

mdtaylorlrim, on 11 February 2010, 12:37, said:

Shared hosting can be PCI compliant

The restrictions imposed on providers to achieve PCI compliance make it impossible to offer a PCI compliant shared hosting environment. VPS would be open to debate since the physical hardware is a shared resource. Dedicated servers would be the only way to ensure 100% PCI Compliance IMO and even then would only apply if the whole hosting company itself was PCI Compliant.

The best solution though would be to speak with your bank and discuss the details, since it's them who will decide if you will receive a fine for non-compliance.
Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

#5 mdtaylorlrim

  • Community Member
  • 2,497 posts
  • Real Name:Mark
  • Gender:Male

Posted 14 February 2010, 16:04

Mark Evans, on 14 February 2010, 10:42, said:

The restrictions imposed on providers to achieve PCI compliance make it impossible to offer a PCI compliant shared hosting environment.

I'm curious why you believe this, Mark. I host three sites that require PCI compliance and all are passing weekly checks. No problems. What are the specifics of your statement?

#6 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 14 February 2010, 19:21

mdtaylorlrim, on 14 February 2010, 16:04, said:

I'm curious why you believe this Mark. I host three sites that require PCI compliance and all is passing weekly checks. No problems. What are the specifics of your statement?

Passing the PCI-DSS security scan is different from being PCI-Compliant. PCI-Compliance is much more than just passing a website scan: there are access restrictions to be placed on physical hardware, and also limitations on what each of the users of a shared server can access, such as server resources, which are very complicated to set up in a shared hosting environment. Hence pretty much every shared hosting company doesn't bother except when dealing with dedicated servers.

I don't know of any company providing PCI Compliant hosting on shared servers. If the company you use does, I would be interested to speak with them, as I know of others looking for a way to host sites and be PCI Compliant without going fully dedicated. If you could send me a link via PM I would be grateful.

Disclaimer: I am not a PCI-DSS "Expert", so take my advice with caution; for legal opinions always consult an official PCI-DSS Consultant and get all advice in writing.

#7 mdtaylorlrim

  • Community Member
  • 2,497 posts
  • Real Name:Mark
  • Gender:Male

Posted 14 February 2010, 20:26

Mark Evans, on 14 February 2010, 19:21, said:

I don't know of any company providing PCI Compliant hosting on shared servers, if the company you use does I would be interested to speak with them as I know of others looking for a way to host sites and be PCI Compliant without going fully dedicated. If you could send me a link via PM I would be grateful

I guess that's where ya got me... I don't use a company. It is my server with three clients, so access is limited and the correct firewalls, etc. are in place. And no, I was not saying that the scans are the only part of being compliant, but we do pass on all counts.

#8 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 14 February 2010, 22:04

mdtaylorlrim, on 14 February 2010, 20:26, said:

I guess that's where ya got me... I don't use a company. It is my server with three clients so access is limited and the correct firewalls,etc are in place.

Then your setup would be considered dedicated in the normal sense of hosting setups. Shared hosting is what I would consider mass virtual hosting with 200+ sites set up for a wide range of clients.

#9 AlanR

  • Community Member
  • 3,711 posts
  • Real Name:Alan Rogers

Posted 17 February 2010, 04:59

Mark Evans, on 14 February 2010, 19:21, said:

I don't know of any company providing PCI Compliant hosting on shared servers, if the company you use does I would be interested to speak with them as I know of others looking for a way to host sites and be PCI Compliant without going fully dedicated. If you could send me a link via PM I would be grateful

I checked 1&1's web site for PCI compliant options, and in their FAQs they state that they can only offer PCI compliance on dedicated and virtual private servers. So it seems that a VPS is an option, at least there, and cheaper than dedicated.

Edited by AlanR, 17 February 2010, 05:00.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

#10 markw10

  • Community Member
  • 58 posts
  • Real Name:Mark W

Posted 17 February 2010, 05:48

I will talk to my host, HostGator, and see what they can tell me. I know my bank is PCI Compliant and my gateway, authorize.net, is. I don't store credit card numbers and have a dedicated SSL. It seems the only part missing was the type of hosting. I just assumed standard shared hosting is not PCI compliant. I hope VPS is, and can't afford to go to dedicated at this time.

#11 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 17 February 2010, 08:42

AlanR, on 17 February 2010, 04:59, said:

I checked 1&1's web site for PCI compliant options and in their FAQs they state that they can only offer PCI compliance on dedicated and virtual private servers. So it seems that a VPS is an option at least there and cheaper than dedicated.

That would make sense, since VPS servers are just dedicated servers that use some kind of virtualisation to partition off resources.

#12 cannuck1964

  • Corporate Sponsor
  • 1,108 posts
  • Real Name:Peter McGrath
  • Gender:Male
  • Location:Ontario, Canada

Posted 19 February 2010, 15:23

Hi Mark,

From what I understood, PCI compliance also means that the web site owner needed to do the questionnaire / survey. The answers would depend on whether the shop was compliant.

This entire process takes into account who has access to the credit card info, if it is stored and how are payments taken.

My servers are all shared and run with the compliance scans without issue. My clients also have taken the survey and based on the scans and the answers are compliant based on the initial level (they do not take credit card info and do not store it anywhere).

So a shared server can be compliant. Now when the credit card data is retained and saved, this is when the dedicated server and limited access to the customer credit card data etc is more restrictive and a shared server will not do.

So in effect, the compliance is not a simple answer of dedicated or shared being compliant, but rather what are you saving, who has access to it, etc.

This is what I have found anyways....

cheers
Peter McGrath
-----------------------------
See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation

#13 mdtaylorlrim

  • Community Member
  • 2,497 posts
  • Real Name:Mark
  • Gender:Male

Posted 19 February 2010, 15:49

Mark Evans, on 17 February 2010, 08:42, said:

That would make sense since VPS servers are just dedicated servers that use some kind of virtualisation to partition off resources

Why didn't it make sense in your post #4 above, where you said VPS was debatable?

#14 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 20 February 2010, 14:11

cannuck1964, on 19 February 2010, 15:23, said:

So in effect, the compliance is not a simple answer of dedicaterd or shared being compliant, but rather what are youy saving who has access to it etc.

Completely.

#15 Mark Evans

  • Team Member
  • 2,416 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 20 February 2010, 14:14

mdtaylorlrim, on 19 February 2010, 15:49, said:

Why didn't it make sense in your post #4 above where you said VPS was debatable?

VPS is debatable IMHO; it all depends on the company and what they allow you to do with the VPS. There are many different ways to do VPS: some would be possible to make compliant easily, some wouldn't ever be possible. They are still classed as VPS though.

My motto: if it's important, then always deal with a company who will guarantee they can provide compliant hosting, rather than just assume that because it's VPS it is compliant.

#16 johnnybebad

  • Community Member
  • 672 posts
  • Real Name:Johnny

Posted 26 February 2010, 17:15

Mark Evans, on 20 February 2010, 14:14, said:

VPS is debatable IMHO, it all depends on the company and what they allow you to do with the VPS. There are many different ways to do VPS some would be possible to make compliant easily, some wouldn't ever be possible. They are still classed as VPS though.

My motto, if its important then always deal with a company who will guarantee they can provide compliant hosting rather than just assume because its VPS it is compliant.

I use VPS at the moment and am considering dedicated, but don't like the jump in cost involved.
The sites on my VPS are PCI compliant as it stands. I am pleased with my service and nothing seems to be any trouble, and it's all done for free (well, included in the price at the start).

Never go for a company on promises, find one that delivers quickly what you ask for.
Getting better with mods but no programmer am I.

#17 ken0306

  • Community Member
  • 131 posts
  • Real Name:Ken0306
  • Gender:Male

Posted 09 July 2010, 22:55

How often do you need to pass PCI compliance? Once a year, or only once?
ken