
Shared Hosting Servers that are PCI Compliant?


  • Please log in to reply
9 replies to this topic

#1   walkman

walkman
  • Members
  • 92 posts
  • Real Name:Wayman
  • Gender:Male

Posted 25 May 2010 - 02:15 AM

Anyone have a shared server that has passed a PCI compliance scan? If so, please post the company. I'm using Hostmysite.com and they refuse to try.

#2   Jack_mcs

Jack_mcs
  • Members
  • 25,312 posts
  • Real Name:Jack York
  • Gender:Male
  • Location:Michigan

Posted 25 May 2010 - 03:07 AM

It is against forum policy to post recommendations. It wouldn't matter anyway since scans will always show up problems sooner or later since new security holes are always being found. What you need to find is a host that will address those problems. Many, if not most, will do that. Some charge for it - some don't.

#3   walkman

walkman
  • Members
  • 92 posts
  • Real Name:Wayman
  • Gender:Male

Posted 25 May 2010 - 02:41 PM

Would it be okay for someone to post what hosting company they use? The reason I'm asking is that some hosting companies state you can't get shared hosting to be PCI compliant, but some forum members have stated their shared servers are.

#4   Jack_mcs

Jack_mcs
  • Members
  • 25,312 posts
  • Real Name:Jack York
  • Gender:Male
  • Location:Michigan

Posted 25 May 2010 - 03:28 PM

No, that's against the rules. I can't imagine why a hosting company would say a shared server couldn't be PCI compliant since it is certainly possible. I tried PM'ing you but your account will not allow it for some reason.

Edited by Jack_mcs, 25 May 2010 - 03:29 PM.


#5   walkman

walkman
  • Members
  • 92 posts
  • Real Name:Wayman
  • Gender:Male

Posted 26 May 2010 - 06:32 PM

Jack_mcs, on 25 May 2010 - 03:28 PM, said:

I tried PM'ing you but your account will not allow it for some reason.


I had to respond to an activation message. Personal Messaging to me should be working now. Thanks.

#6   revenson

revenson
  • Members
  • 49 posts
  • Real Name:Roger

Posted 16 January 2012 - 06:51 PM

Moved to a new hosting company a year ago in order to be PCI compliant on a shared server. Now I find out they are not compliant. Upset, but what to do now?

#7   Jack_mcs

Jack_mcs
  • Members
  • 25,312 posts
  • Real Name:Jack York
  • Gender:Male
  • Location:Michigan

Posted 16 January 2012 - 06:59 PM

Have you tried asking them to fix the problems? If so, and they refuse, then you need to find a new host since you can't make them do it.

#8   Ryan Taylor

Ryan Taylor
  • Members
  • 3 posts
  • Real Name:Ryan Taylor
  • Gender:Male

Posted 01 November 2012 - 04:27 AM

Well, PCI compliance can be integrated with shared hosting. As I understand it, PCI compliance is actually two parts. There's a server scan which checks for some exploits, and a survey that each individual e-commerce client would have to fill out on their own. The PCI scanner basically just checks for port usage, application versions, and a few common exploits.
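
The two-part model described in the post above (an external scan plus a self-assessment questionnaire) is easiest to see on the scan side, where the pass/fail rule is mechanical. The following is an added illustration, not code from this thread or from any scanning vendor: it applies the PCI ASV rule that any finding with a CVSS base score of 4.0 or higher makes the scan non-compliant, then sorts the failing findings by who can actually remediate them on a shared server. The findings, host name and scores are constructed, and the "owner" split between host and merchant is an assumption used for triage, not a field an ASV report contains.

```python
"""Triage a PCI ASV-style external scan report.

Constructed example: the findings below are made up to illustrate the
pass/fail logic, not a real scan of any host.
"""
from dataclasses import dataclass

# PCI SSC ASV Program Guide: any vulnerability with a CVSS base score of 4.0
# or higher causes the scan to fail ("non-compliant").
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    # Who can actually remediate: "host" for platform/server issues the
    # provider controls, "merchant" for the site's own code/config.
    # This split is an assumption used for triage, not an ASV report field.
    owner: str


# Constructed sample findings (hypothetical host name and scores).
SAMPLE_FINDINGS = [
    Finding("shop.example.test", 443, "TLS server supports SSLv3", 7.5, "host"),
    Finding("shop.example.test", 443, "Outdated web framework version", 5.0, "merchant"),
    Finding("shop.example.test", 21, "FTP service banner disclosure", 5.0, "host"),
    Finding("shop.example.test", 443, "Missing X-Frame-Options header", 3.1, "merchant"),
    Finding("shop.example.test", 80, "HTTP TRACE method enabled", 2.6, "host"),
]


def failing_findings(findings):
    """Return the findings that by themselves make the scan non-compliant."""
    return [f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD]


def scan_passes(findings):
    """A scan passes only when no finding reaches the failing threshold."""
    return not failing_findings(findings)


def remediation_plan(findings):
    """Group failing findings by who must fix them, highest CVSS first.

    On shared hosting the 'host' bucket is the list you have to take to the
    provider; the 'merchant' bucket is what you can fix yourself.
    """
    plan = {"host": [], "merchant": []}
    for f in sorted(failing_findings(findings), key=lambda f: f.cvss, reverse=True):
        plan[f.owner].append(f)
    return plan


if __name__ == "__main__":
    print("scan passes:", scan_passes(SAMPLE_FINDINGS))
    for owner, items in remediation_plan(SAMPLE_FINDINGS).items():
        print(f"{owner} must fix {len(items)} finding(s):")
        for f in items:
            print(f"  [{f.cvss:>4}] {f.host}:{f.port} {f.title}")
```

The point of the "owner" bucket is the one made earlier in the thread: on a shared server the merchant cannot patch the platform, so the scan only becomes clean once the provider commits to clearing its own bucket. The low-scoring findings still appear in the report but do not block compliance on their own.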

#9   MrPhil

MrPhil
  • Members
  • 4,135 posts
  • Real Name:Phil
  • Gender:Male

Posted 05 November 2012 - 07:12 PM

This seems to be an area of contention. Some people are adamant that you can't meet PCI-DSS specs on a shared server, while others are just as certain that it can be done. It's entirely possible that those who think they are compliant on a shared server aren't really, and someone (they, their host, and/or the compliance certifier) will pay the price once they're hacked. Even a VPS can vary by host, depending on how it's implemented. Part of it is what software is running and how up to date it is, part of it is what other users share the hardware and how well partitioned off they are from each other (including all aspects of network communications and databases), and part is physical access controls (can anyone wander in, stick a USB thumb drive in a PC, and walk out with credit card data?). All I can suggest, if you really feel it's important to handle credit cards on your own site (through a payment gateway and merchant account), is to find a host with high recommendations for security and PCI-DSS compliance, and a reliable certifier/tester who is insured and you can trust to back you up (indemnify you) if you're hacked.

I get the feeling that unless you're a huge outfit who can afford all the costs of robust security and airtight PCI-DSS compliance, in return for lower per-transaction processing costs, you should stick with a third-party payment system such as PayPal.

#10   DunWeb

DunWeb

    The Censored One

  • Members
  • 12,726 posts
  • Real Name:Chris
  • Gender:Male
  • Location:Ontario, Canada

Posted 05 November 2012 - 07:18 PM

Phil is entirely correct. However, from my past experience I have found that some PCI DSS certification companies have different methods and requirements for certification. This COULD be state/province dependent, but in all of the audits I have been involved in, NONE of them were for standard shared hosting; they were Virtual Dedicated Hosting and Dedicated hosting servers.



Chris