Would it be possible to run a PCI compliant e-commerce site on a shared server at JPC? Or would one need to go dedicated?
This is a discussion on "PCI compliance on shared server?" in the Shared & Semi-Dedicated forum.
This is an interesting subject, one I need to research more, but here is some info I have found:

"With strict measures for hosting providers such as having multiple servers available for each merchant, a separate database server and Web server, and a dedicated firewall, it is next to impossible for a shared hosting provider to reach compliance. Many e-commerce providers are running into the same problem. The Web host, e-commerce software and payment gateway must all adhere to the basic requirements in order for the merchant to have an end-to-end solution that's compliant."

This even rules out you getting a single dedicated box; you might be able to do 2 VPSs, one to run as a database server and one as a web server.
Well, I got this from Visa's web site:

The CISP Requirements:
1) Install and maintain a working firewall to protect data
2) Keep security patches up-to-date
3) Protect stored data
4) Encrypt data sent across public networks
5) Use and regularly update anti-virus software
6) Restrict access by "need to know"
7) Assign unique ID to each person with computer access
8) Don't use vendor-supplied defaults for passwords and security parameters
9) Track all access to data by unique ID
10) Regularly test security systems and processes
11) Implement and maintain an information security policy
12) Restrict physical access to data

All of those can be done on a shared server. JPC maintains the firewall and does security patches; all the rest would be up to the software you choose, and as long as it can run on the server you should be fine.
I would say you might be able to get away with a shared account for the webserver with a VPS running a strict software firewall for the backend. The only problem with that setup (other than the normal security holes of a shared server) would be that any site on the shared machine would have IP-based access to the database server. However, the security flaws of a shared environment could make access to the database through compromised software a very real possibility.
Originally Posted by Ron
I'm not sure that 2 VPSs, if run on the same physical box, meet the requirements, and certainly not the spirit of the rule. The requirements for multiple servers, aside from security, do they relate to reliability?

Well first off, VISA/MC should ONLY be concerned with security; all other aspects of the business should be up to the business, and in reality so should security.
I got the 2 server thing from a web hosting online mag. However, Visa's web site does not say anything about it, so I am wondering where that publication got its info.
Also I notice there are different levels, and different requirements based on the number of transactions you process, so the 2 server requirement may only be for the higher levels.
If all Web sites are going to be forced to operate in a dual dedicated environment, you might as well close the internet to online sales. Only the big boys will survive.
IMO VPS would be just fine; it is what they call in the industry UBC (utility based computing) and thus sharing hardware. If this would not be allowed, I think all major players in IT can close their accounts. (Probably even VISA's credit-card processing on their servers is done on a UBC platform (called a mainframe), or will be moved to that soon.)
I would choose a VPS and not a shared server though. (You could of course set up 2 small VPS servers on different hardware nodes to get compliant.) And that would always be cheaper than 2 dedicated servers.
Kind regards,
Patrick
Copyright © 2011 JaguarPC.com