
PCI Compliance

Discussion in 'Data Protection' started by vajjas1, Dec 30, 2010.

  1. vajjas1

    vajjas1 New Member

    Joined:
    Mar 14, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I recently started using a VPS for my clients, and a lot of clients are asking the same question: is your server PCI compliant?

    How can I make my VPS PCI compliant?
     
  2. UBERHOST

    UBERHOST Member

    Joined:
    Jan 13, 2008
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    California, US
    First of all, I would recommend that you install the ConfigServer Security & Firewall (CSF) if you haven't already. From the Plugins section of WHM you can access CSF and run "Check Server Security" to obtain a report on many things you can do to secure your VPS. If you can achieve a perfect security score with CSF then you should only have to block port 21 (FTP) to be PCI compliant.

    It's not absolutely necessary to get a perfect CSF score, but you will have to get close and also pay particular attention to the following items:

    • In php.ini: disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
    • Block ports 2082 and 2086 (force secure ports)
    • Block port 21 and ask users to make use of SFTP on your SSH port instead
    • Block SSLv2 and use SSLv3

    Hope this helps,
    Rick
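    An added example (editor's, not Rick's code or anything shipped by cPanel or CSF) for checking the php.ini item in the list above. It parses a php.ini fragment, reports which of the named functions are missing from disable_functions, and flags entries that are not functions at all: allow_url_fopen is an ini directive, so listing it inside disable_functions has no effect and it has to be turned off on its own line. The php.ini text and the required-function list are constructed for the demonstration.

```python
"""Audit a php.ini's disable_functions line against a required list.

Added example for this thread, not code from the original poster or from
cPanel. The php.ini fragments below are constructed samples.
"""
import re

# Functions the post above says to disable (assumption: treat this as the policy).
REQUIRED_DISABLED = {
    "show_source", "system", "shell_exec", "passthru", "exec",
    "phpinfo", "popen", "proc_open",
}

# Ini directives that are sometimes pasted into disable_functions by mistake.
# They are not functions, so PHP silently ignores them there.
INI_DIRECTIVES = {"allow_url_fopen", "allow_url_include"}

# Constructed sample: copies the list from the post verbatim, including the
# misplaced allow_url_fopen, and leaves the real directive switched on.
SAMPLE_PHP_INI = """\
; constructed sample php.ini fragment
engine = On
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, allow_url_fopen
allow_url_fopen = On
"""

# Constructed hardened counterpart: full function list, directive set on its own line.
HARDENED_PHP_INI = """\
; constructed hardened php.ini fragment
engine = On
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = Off
"""


def parse_ini(text):
    """Return {key: value} for simple 'key = value' lines.

    Comments (';') and section headers ('[...]') are skipped; good enough for
    the flat settings this check cares about.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def ini_bool_is_off(value):
    """PHP treats 1/On/Yes/True as on; anything else (including Off/0/None) as off."""
    return value.strip().lower() not in ("1", "on", "yes", "true")


def audit_disable_functions(text):
    """Compare a php.ini's disable_functions against REQUIRED_DISABLED."""
    settings = parse_ini(text)
    listed = {
        name.strip()
        for name in re.split(r"[,\s]+", settings.get("disable_functions", ""))
        if name.strip()
    }
    # PHP's built-in default for allow_url_fopen is On, so a missing line counts as On.
    fopen_value = settings.get("allow_url_fopen", "On")
    return {
        "missing": sorted(REQUIRED_DISABLED - listed),
        "misplaced": sorted(listed & INI_DIRECTIVES),
        "allow_url_fopen_off": ini_bool_is_off(fopen_value),
    }


if __name__ == "__main__":
    for label, ini in (("posted list", SAMPLE_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        report = audit_disable_functions(ini)
        print(f"{label}: missing={report['missing']} "
              f"misplaced={report['misplaced']} "
              f"allow_url_fopen_off={report['allow_url_fopen_off']}")
```

    Run against the posted list the audit reports popen and proc_open as still enabled and allow_url_fopen as misplaced and still On; the hardened fragment comes back clean. The same function can be pointed at the real file with `audit_disable_functions(open("/usr/local/lib/php.ini").read())`.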
     
  3. sirdopes

    sirdopes Member

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Generally, your clients will need to sign up with a third-party PCI scanning company. They will scan the server and provide some kind of report with any items that need to be fixed. Some things will probably be false positives and information will need to be submitted to get this marked correctly.
     
  4. twhiting9275

    twhiting9275 Member

    Joined:
    Sep 26, 2002
    Messages:
    373
    Likes Received:
    0
    Trophy Points:
    16
    This is all rubbish. Pay no attention to anything but the second point here (secure ports).
    I've had a PCI compliant server for years, while still allowing clients to properly use ftp AND php (disabling nothing). Disabling functions in php isn't the solution here.

    A few things to look for in cPanel:
    #1 In WHM -> service configuration -> apache configuration, make sure EVERYTHING is set to 'PCI recommended'.
    #2 You will most likely have to disable mailman and its logins, as this is considered (by most PCI scanners) to be a problem. Simply disabling this won't do, you have to actually redirect the /mailman/ url. Here's how you do this:

    In /usr/local/apache/conf/includes/pre_main_global.conf, add
    Code:
    # Send every /mailman request to the document root instead of the Mailman CGI
    Alias /mailman/ /usr/local/apache/htdocs/
    Alias /mailman /usr/local/apache/htdocs/

    # Deny direct requests for .pl, .tpl and .inc files. The dot is escaped so
    # only the real extension matches, not any character before pl/tpl/inc.
    <Files ~ "\.(pl|tpl|inc)$">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    
    then restart apache.
    The first bit of code (re: mailman) is all you really need, but the second bit of code disallows individuals from viewing certain types of files directly (.inc, .tpl, .pl) which is a security risk in many cases.

    Do all of that, then find a PCI compliance scanner (not cheap for a simple VPS) and have it run a scan on your server, then fix what it comes back with to be errors. This will be a painstaking process, but if ANYONE is storing, or processing CC info on your server, it's mandated by the providers.
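    An added example (editor's, not twhiting9275's code or anything from cPanel or Apache) for the second block of that config. Apache applies the `<Files ~ "regex">` pattern as an unanchored regex match against the requested file's basename. The pattern as posted, `.(pl|tpl|inc)$`, has an unescaped dot, so it matches any character before `pl`, `tpl` or `inc`; this script re-creates the match in Python for a constructed set of request paths and compares it with the escaped form `\.(pl|tpl|inc)$`, so you can see exactly which requests each version denies before touching the live config.

```python
"""Show which request paths an Apache <Files ~ "regex"> block would deny.

Added example for this thread, not the poster's or cPanel's code. Apache
matches a <Files ~ ...> regex against the basename of the requested file,
unanchored (re.search semantics). Sample paths are constructed.
"""
import posixpath
import re

POSTED_PATTERN = r".(pl|tpl|inc)$"    # as written in the post: unescaped dot
ESCAPED_PATTERN = r"\.(pl|tpl|inc)$"  # dot escaped: only the real extension matches

# Constructed sample requests: three that should be denied, two ordinary pages,
# and two whose names merely end in "pl" / "inc" without a dot.
SAMPLE_PATHS = [
    "/cgi-bin/admin.pl",
    "/tpl/page.tpl",
    "/lib/config.inc",
    "/index.php",
    "/mailman/listinfo",
    "/docs/simpl",
    "/img/zinc",
]


def denied_by(pattern, path):
    """True if the <Files ~ pattern> block would deny this request."""
    return re.search(pattern, posixpath.basename(path)) is not None


def classify(pattern, paths=SAMPLE_PATHS):
    """Sorted list of the paths a given pattern denies."""
    return sorted(p for p in paths if denied_by(pattern, p))


def over_blocked(paths=SAMPLE_PATHS):
    """Paths the posted pattern denies that the escaped pattern lets through."""
    posted = set(classify(POSTED_PATTERN, paths))
    escaped = set(classify(ESCAPED_PATTERN, paths))
    return sorted(posted - escaped)


if __name__ == "__main__":
    print("denied by posted pattern: ", classify(POSTED_PATTERN))
    print("denied by escaped pattern:", classify(ESCAPED_PATTERN))
    print("over-blocked by unescaped dot:", over_blocked())
```

    With the constructed paths the escaped pattern denies only the three real .pl/.tpl/.inc files, while the posted pattern additionally denies "simpl" and "zinc". The over-blocking is harmless for a deny rule in most sites, but it is the kind of thing that shows up as an unexplained 403 later, and the same unescaped-dot slip in an allow rule would be the opposite problem.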
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,122
    Likes Received:
    32
    Trophy Points:
    48
    Location:
    Pennsylvania
    There's really no need to be rude on these forums. Please lighten up a bit.
     
  6. twhiting9275

    twhiting9275 Member

    Joined:
    Sep 26, 2002
    Messages:
    373
    Likes Received:
    0
    Trophy Points:
    16
    Nobody was 'rude' here whatsoever. Misinformation was given, and it was corrected.
     
  7. vajjas1

    vajjas1 New Member

    Joined:
    Mar 14, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Thank you twhiting, I will get this done. Hopefully that will prevent some opensource hacking too.
     
  8. twhiting9275

    twhiting9275 Member

    Joined:
    Sep 26, 2002
    Messages:
    373
    Likes Received:
    0
    Trophy Points:
    16
    Being PCI compliant does not necessarily mean that hacking will be prevented. In fact, the two are rarely together. While some of the tips in this thread might throw you less of a chance of being hacked, they will also come with problems attached, such as not being able to use certain php scripts if you disable functions, or giving ssh access out to simply transfer files (bad idea, period).

    Security is never all about following some 'standard' set forth by a company, but about knowing your server and what it's telling you is going on. This is one of the reasons that PCI compliance, as of now, is a joke, because these "companies" that supposedly certify you know nothing about what they're certifying.

    Good luck in getting certified!!!
     
  9. UBERHOST

    UBERHOST Member

    Joined:
    Jan 13, 2008
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    California, US
    The steps I shared have been required each and every time we've helped clients pass SecurityMetrics scans. YMMV.

    Rick
     
  10. twhiting9275

    twhiting9275 Member

    Joined:
    Sep 26, 2002
    Messages:
    373
    Likes Received:
    0
    Trophy Points:
    16
    Disabling php functions is not required by any PCI compliance provider, nor is moving ssh ports, ftp ports, or anything else. I've dealt with a number of them over the past few years (including SM), and none of them have been that insane.
    I've gotten clients by SM as early as July of last year, and as late as October/November this year without having to change any ports, disable any functions, or any of the other nonsense you posted, except for the clear text login (changing cPanel ports).
     