
Thread: PCI Compliance

  1. #1
    Registered Member
    Join Date
    Mar 2008
    Posts
    7

    PCI Compliance

    Hi, I recently started using a VPS for my clients, and a lot of clients are asking the same question: is your server PCI compliant?

    How can I make my VPS PCI compliant?

  2. #2
    Registered Member UBERHOST
    Join Date
    Jan 2008
    Location
    California, US
    Posts
    102

    Re: PCI Compliance

    Quote Originally Posted by vajjas1:
    Hi, I recently started using a VPS for my clients, and a lot of clients are asking the same question: is your server PCI compliant?

    How can I make my VPS PCI compliant?
    First of all I would recommend that you install the ConfigServer Security & Firewall (CSF) if you haven't already. From the Plugins section of WHM you can access CSF and run "Check Server Security" to obtain a report on many things you can do to secure your VPS. If you can achieve a perfect security score with CSF then you should only have to block port 21 (FTP) to be PCI compliant.

    It's not absolutely necessary to get a perfect CSF score, but you will have to get close and also pay particular attention to the following items:

    • In php.ini: disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
    • Block ports 2082 and 2086 (force secure ports)
    • Block port 21 and ask users to make use of SFTP on your SSH port instead
    • Block SSLv2 and use SSLv3


    Hope this helps,
    Rick

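    The php.ini item in the list above has a catch that a quick self-check makes visible: disable_functions only accepts function names, so allow_url_fopen (an ini directive, not a function) does nothing there and has to be switched off on its own line. The script below is an added example written for this thread, not code from the post, from CSF or from cPanel; it assumes an ordinary "key = value" php.ini and runs over a constructed sample that copies the post's list verbatim.

```python
"""Audit a php.ini for the disable_functions / allow_url_fopen items from this thread.

Added example, not code from the thread or from cPanel/CSF.  Assumes only that the
php.ini uses the normal "key = value" syntax; the sample below is constructed.
"""

# Functions that the post above lists for disable_functions.
DANGEROUS_FUNCTIONS = {
    "show_source", "system", "shell_exec", "passthru", "exec",
    "phpinfo", "popen", "proc_open",
}

# allow_url_fopen is an ini directive, not a function: listing it in
# disable_functions has no effect; it must be turned off on its own line.
MISPLACED_DIRECTIVES = {"allow_url_fopen"}

# Values PHP treats as "off" for a boolean directive.
OFF_VALUES = {"0", "off", "no", "false", ""}


def parse_php_ini(text):
    """Return {key: value} for the active (non-comment) directives in php.ini text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Compare a php.ini against the hardening items and return the findings."""
    settings = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",") if f.strip()}
    return {
        # listed functions that are still callable
        "missing_functions": sorted(DANGEROUS_FUNCTIONS - disabled),
        # entries in disable_functions that are not functions and silently do nothing
        "misplaced_directives": sorted(disabled & MISPLACED_DIRECTIVES),
        # PHP's compiled-in default for allow_url_fopen is On, hence the "1" fallback
        "allow_url_fopen_on": settings.get("allow_url_fopen", "1").lower() not in OFF_VALUES,
    }


# Constructed sample: copies the list from the post verbatim (including
# allow_url_fopen) and leaves the real allow_url_fopen directive switched on.
SAMPLE_PHP_INI = """
[PHP]
; hardening attempt copied from a forum post
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
allow_url_fopen = On
expose_php = Off
"""

if __name__ == "__main__":
    for key, value in audit_php_ini(SAMPLE_PHP_INI).items():
        print(f"{key}: {value}")
```

    Run against the sample it reports no missing functions, flags allow_url_fopen as misplaced, and shows allow_url_fopen still on; changing that line to "allow_url_fopen = Off" clears the last finding.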

  3. #3
    Registered Member cPanel Partner NOC Badge
    Join Date
    Sep 2007
    Posts
    141

    Re: PCI Compliance

    Generally, your clients will need to sign up with a third-party PCI scanning company. They will scan the server and provide some kind of report with any items that need to be fixed. Some things will probably be false positives, and information will need to be submitted to get these marked correctly.

  4. #4
    Registered Member twhiting9275
    Join Date
    Sep 2002
    Posts
    369
    cPanel/WHM Access Level

    Root Administrator

    Re: PCI Compliance

    Quote Originally Posted by UBERHOST:

    • In php.ini: disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
    • Block ports 2082 and 2086 (force secure ports)
    • Block port 21 and ask users to make use of SFTP on your SSH port instead
    • Block SSLv2 and use SSLv3
    This is all rubbish. Pay no attention to anything but the second point here (secure ports).
    I've had a PCI compliant server for years, while still allowing clients to properly use ftp AND php (disabling nothing). Disabling functions in php isn't the solution here.

    A few things to look for in cPanel:
    #1 In WHM -> service configuration -> apache configuration, make sure EVERYTHING is set to 'PCI recommended'.
    #2 You will most likely have to disable mailman and its logins, as this is considered (by most PCI scanners) to be a problem. Simply disabling this won't do; you have to actually redirect the /mailman/ URL. Here's how you do this:

    In /usr/local/apache/conf/includes/pre_main_global.conf, add
    Code:
    # Send every /mailman request to the plain document root instead of the Mailman CGI
    Alias /mailman/ /usr/local/apache/htdocs/
    Alias /mailman /usr/local/apache/htdocs/

    # Refuse direct requests for .pl, .tpl and .inc files. The dot is escaped so it
    # matches a literal "." rather than any character.
    <Files ~ "\.(pl|tpl|inc)$">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    then restart Apache.
    The first bit of code (re: mailman) is all you really need, but the second bit of code disallows individuals from viewing certain types of files directly (.inc, .tpl, .pl) which is a security risk in many cases.

    Do all of that, then find a PCI compliance scanner (not cheap for a simple VPS) and have it run a scan on your server, then fix what it comes back with as errors. This will be a painstaking process, but if ANYONE is storing or processing CC info on your server, it's mandated by the providers.
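    A quick way to confirm what the <Files ~ "..."> rule in the post actually refuses: Apache matches that regex against the requested file's base name, and as posted the dot is unescaped, so it matches any character and also sweeps up names such as "simpl" or "zinc" that merely end in the three letters. The script below is an added example for this thread, not code from the post or from cPanel/Apache; it quotes the posted fragment to drive a small extractor and runs both the posted and the escaped pattern over constructed file names (Python's re and Apache's PCRE agree on patterns this simple).

```python
"""Check which file names a <Files ~ "..."> deny rule would refuse.

Added example, not part of the post or of cPanel.  Apache compares the regex
against the requested file's base name; for these simple patterns Python's re
module behaves like Apache's PCRE.  The file names below are constructed.
"""
import re

# The pattern as posted: the unescaped dot matches any single character ...
PATTERN_AS_POSTED = r".(pl|tpl|inc)$"
# ... and the pattern with the dot escaped, matching only a literal ".".
PATTERN_ESCAPED = r"\.(pl|tpl|inc)$"

# The config fragment from the post, quoted here to drive the extractor.
POSTED_CONF = '''
Alias /mailman/ /usr/local/apache/htdocs/
Alias /mailman /usr/local/apache/htdocs/

<Files ~ ".(pl|tpl|inc)$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
'''


def extract_files_patterns(apache_conf):
    """Return every regex used in a <Files ~ "..."> opening tag of the config."""
    return re.findall(r'<Files\s+~\s+"([^"]+)"\s*>', apache_conf)


def denied(pattern, filename):
    """True if a <Files ~ pattern> block with 'Deny from all' would refuse this name."""
    return re.search(pattern, filename) is not None


def compare_rules(filenames, posted=PATTERN_AS_POSTED, escaped=PATTERN_ESCAPED):
    """Map each file name to (denied by posted pattern, denied by escaped pattern)."""
    return {name: (denied(posted, name), denied(escaped, name)) for name in filenames}


# Constructed sample: files the rule is meant to hide, an ordinary page, two names
# that only the unescaped dot catches, and a double extension the rule never covers.
SAMPLE_NAMES = ["config.inc", "template.tpl", "index.pl", "index.html",
                "simpl", "zinc", "config.inc.php"]

if __name__ == "__main__":
    print("patterns found in posted config:", extract_files_patterns(POSTED_CONF))
    for name, (by_posted, by_escaped) in compare_rules(SAMPLE_NAMES).items():
        print(f"{name:16} posted={by_posted!s:5} escaped={by_escaped!s:5}")
```

    The last sample name is the useful negative case: a file called config.inc.php is not covered by either pattern, so a site that keeps include files under a .php name relies on PHP executing (not displaying) them rather than on this rule.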

  5. #5
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    11,328
    cPanel/WHM Access Level

    Root Administrator

    Re: PCI Compliance

    There's really no need to be rude on these forums. Please lighten up a bit.

  6. #6
    Registered Member twhiting9275
    Join Date
    Sep 2002
    Posts
    369
    cPanel/WHM Access Level

    Root Administrator

    Re: PCI Compliance

    Quote Originally Posted by Infopro:
    There's really no need to be rude on these forums. Please lighten up a bit.
    Nobody was 'rude' here whatsoever. Misinformation was given, and it was corrected.

  7. #7
    Registered Member
    Join Date
    Mar 2008
    Posts
    7

    Re: PCI Compliance

    Thank you twhiting, I will get this done. Hopefully that will prevent some open-source hacking too.

  8. #8
    Registered Member twhiting9275
    Join Date
    Sep 2002
    Posts
    369
    cPanel/WHM Access Level

    Root Administrator

    Re: PCI Compliance

    Quote Originally Posted by vajjas1:
    Thank you twhiting, I will get this done. Hopefully that will prevent some open-source hacking too.
    Being PCI compliant does not necessarily mean that hacking will be prevented. In fact, the two are rarely together. While some of the tips in this thread might give you less of a chance of being hacked, they will also come with problems attached, such as not being able to use certain PHP scripts if you disable functions, or giving SSH access out simply to transfer files (bad idea, period).

    Security is never all about following some 'standard' set forth by a company, but about knowing your server and what it's telling you is going on. This is one of the reasons that PCI compliance, as of now, is a joke, because these "companies" that supposedly certify you know nothing about what they're certifying.

    Good luck in getting certified!!!

  9. #9
    Registered Member UBERHOST
    Join Date
    Jan 2008
    Location
    California, US
    Posts
    102

    Re: PCI Compliance

    Quote Originally Posted by twhiting9275:
    This is all rubbish.
    The steps I shared have been required each and every time we've helped clients pass SecurityMetrics scans. YMMV.

    Rick


  10. #10
    Registered Member twhiting9275
    Join Date
    Sep 2002
    Posts
    369
    cPanel/WHM Access Level

    Root Administrator

    Re: PCI Compliance

    Quote Originally Posted by UBERHOST:
    The steps I shared have been required each and every time we've helped clients pass SecurityMetrics scans
    Disabling PHP functions is not required by any PCI compliance provider, nor is moving SSH ports, FTP ports, or anything else. I've dealt with a number of them over the past few years (including SM), and none of them have been that insane.
    I've gotten clients by SM as early as July of last year, and as late as October/November this year without having to change any ports, disable any functions, or any of the other nonsense you posted, except for the clear-text login (changing cPanel ports).
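    The one item both sides of this thread agree on is the clear-text cPanel/WHM login on ports 2082 and 2086, which scanners flag and which the SSL ports (2083 and 2087, cPanel's documented defaults) replace; port 21 is the disputed one. The script below is an added example for this thread, not code from either poster or from cPanel: it parses "ss -ltn" style output (the same listening table netstat prints) and reports, for each clear-text port named here, whether it is reachable on a non-loopback address, bound to loopback only, or closed, and whether the SSL counterpart is actually listening before anyone firewalls the plain one. The sample output is constructed.

```python
"""Report which clear-text ports named in this thread are still reachable on a host.

Added example, not code from the thread or from cPanel.  Parses 'ss -ltn' output
(same column layout as netstat's listening table); the sample below is constructed
and the port table uses cPanel's documented default ports.
"""

# Clear-text services discussed in the thread and their TLS counterparts.
CLEARTEXT_PORTS = {
    21: ("FTP", None),                 # the thread disagrees on blocking it; reported only
    2082: ("cPanel over HTTP", 2083),  # 2083 is cPanel's SSL port
    2086: ("WHM over HTTP", 2087),     # 2087 is WHM's SSL port
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return [(address, port)] for every LISTEN line in 'ss -ltn' style output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":  # skips the header line too
            continue
        address, _, port = fields[3].rpartition(":")  # handles "[::]:22" and "0.0.0.0:22"
        listeners.append((address.strip("[]"), int(port)))
    return listeners


def audit_listeners(ss_output):
    """Classify each clear-text port as exposed, loopback-only or closed."""
    listeners = parse_listeners(ss_output)
    open_ports = {port for _, port in listeners}
    exposed, loopback_only, closed = [], [], []
    for port in sorted(CLEARTEXT_PORTS):
        addresses = {addr for addr, p in listeners if p == port}
        if not addresses:
            closed.append(port)
        elif addresses <= LOOPBACK:
            loopback_only.append(port)   # listening, but not reachable from outside
        else:
            exposed.append(port)         # wildcard or public address: scanners will see it
    # Clear-text ports whose TLS counterpart is not listening: blocking the plain
    # port would lock users out instead of moving them onto TLS.
    tls_missing = sorted(port for port, (_, tls) in CLEARTEXT_PORTS.items()
                         if tls is not None and tls not in open_ports)
    return {"exposed": exposed, "loopback_only": loopback_only,
            "closed": closed, "tls_counterpart_missing": tls_missing}


# Constructed sample: FTP and cPanel HTTP on all interfaces, WHM HTTP on loopback
# only, cPanel SSL present, WHM SSL absent.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:2082         0.0.0.0:*
LISTEN  0       128     0.0.0.0:2083         0.0.0.0:*
LISTEN  0       128     127.0.0.1:2086       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    for key, ports in audit_listeners(SAMPLE_SS_OUTPUT).items():
        names = [f"{p} ({CLEARTEXT_PORTS[p][0]})" for p in ports]
        print(f"{key}: {', '.join(names) or '-'}")
```

    On a live box, pipe the real table in with something like "ss -ltn | python3 this_script.py" after swapping the constructed sample for sys.stdin.read(); the loopback distinction matters because a service bound to 127.0.0.1 is not what an external scanner sees.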
