PCI compliance is getting ridiculous

ehask71 (Well-Known Member, Jul 13, 2007, Tampa, Florida, United States; cPanel Access Level: Root Administrator)
So PCI compliance is getting out of control. Now they will not allow FTP, as it is now classified as obsolete or insecure.

"Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit."

They are saying the same for SSH.

If this keeps up my clients won't be allowed to process cards.

cPanelKenneth (cPanel Development, Staff member, Apr 7, 2006; cPanel Access Level: Root Administrator)
Hi,

Who are "they"? What sources do they cite for stating FTP or SSH are "Industry-deprecated protocols"?

random (Member, May 13, 2004)
I agree with Eric, the steps one needs to take to achieve PCI compliance are ridiculous. For example, if you allow your clients to use FTP, a PCI scan from hackerguardian.com will state:

> Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

If you have opened port 587 for email, it will show that as being "industry deprecated protocols", the same if you have opened port 110.

If you have opened a port for SSH access, the scan report will tell you that:

> Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your ASV if you have questions about this Special Note.

You will also need to have OpenSSH version 7.6 or greater installed which, I believe, is not provided with the current versions of CentOS. As earlier versions contain vulnerabilities, the scan will fail.

cPanelMichael (Administrator, Staff member, Apr 11, 2011)

> You will also need to have OpenSSH version 7.6 or greater installed which, I believe, is not provided with the current versions of CentOS. As earlier versions contain vulnerabilities, the scan will fail.

Hello @random,

I noticed this part of your post and wanted to point you to discussion of this topic on the CentOS forums at:

PCI compliance when update not available - CentOS

While it's unsupported, the thread includes a user-submitted post with information about a potential workaround.

Thank you.

sparek-3 (Well-Known Member, Aug 10, 2002; cPanel Access Level: Root Administrator)
In the past I've always just replied back mentioning that we use CentOS/RHEL, which uses backported packages, and included the changelog rpm output for a specific package, i.e.:

rpm -q --changelog openssh-server | head -n 50

And that has always satisfied the outdated-binary issues.

As an aside, would it be more beneficial if PCI regulators knew about shared hosting? It's one thing to have the server (packages, ports, etc) secure. It's quite another to run an outdated script. I keep all of our servers up to date with the latest packages, Apache, PHP, etc. But I can't speak for every client keeping their WordPress or WooCommerce script up to date.

A better approach to PCI compliance might be to allow server administrators to run server penetration tests, which identifies things like outdated SSH and/or insecure ports and keep that information up to date and posted (certified) with a central body.

Then when randomsharedhoster.com wants to become PCI compliant, they request a PCI scan, the PCI scanner finds that randomsharedhoster.com resolves to XX.XX.XX.XX IP address. XX.XX.XX.XX IP is found to have a recently certified server PCI compliance at the central body storing that information. Now the PCI scan can focus more on whether randomsharedhoster.com is keeping their script up to date, using strong and secure passwords, and storing information securely.

This would seem to make better sense to me. But I'm not sure if the people running the PCI standard realize what shared hosting is.
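The changelog check sparek-3 describes can be scripted so that the evidence sent back to the scanning vendor is reproducible: search the package changelog for the fix identifier the scan complains about and report the currently installed build. The script below is an added example, not code from the thread or from cPanel; `rpm -q --changelog` is the only real command it relies on. The changelog excerpt, the maintainer address and the CVE ids (CVE-0000-1111, CVE-0000-2222) are constructed placeholders so the script runs offline without rpm.

```shell
#!/bin/sh
# Added example: confirm that a backported fix is recorded in a package changelog.
# Constructed changelog excerpt (placeholder ids and maintainer); in real use the
# text comes from `rpm -q --changelog <package>` via real_check below.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Maintainer <maintainer@example.invalid> - 7.4p1-16
- Fix for CVE-0000-1111 (constructed placeholder, backported fix)
- rebuild against updated openssl
* Mon Jun 05 2017 Example Maintainer <maintainer@example.invalid> - 7.4p1-13
- initial import of 7.4p1'

# changelog_mentions CHANGELOG_TEXT FIX_ID
# Prints "fixed" and returns 0 when the id appears in the changelog,
# otherwise prints "not-found" and returns 1.
changelog_mentions() {
    if printf '%s\n' "$1" | grep -q -i -- "$2"; then
        echo fixed
        return 0
    fi
    echo not-found
    return 1
}

# package_version_from_changelog CHANGELOG_TEXT
# Prints the version-release of the newest changelog entry (the installed build).
package_version_from_changelog() {
    printf '%s\n' "$1" | grep '^\*' | head -n 1 | sed 's/.* - //'
}

# real_check FIX_ID [PACKAGE]
# Runs the same check against the live rpm database (default package: openssh-server).
# Needs rpm; not exercised in the offline demo below.
real_check() {
    pkg="${2:-openssh-server}"
    changelog="$(rpm -q --changelog "$pkg" | head -n 50)"
    echo "installed build: $(package_version_from_changelog "$changelog")"
    changelog_mentions "$changelog" "$1"
}

# Offline demo on the constructed excerpt
echo "installed build: $(package_version_from_changelog "$SAMPLE_CHANGELOG")"
changelog_mentions "$SAMPLE_CHANGELOG" CVE-0000-1111
changelog_mentions "$SAMPLE_CHANGELOG" CVE-0000-2222 || true
```

A "fixed" result only shows the distribution recorded a fix for that id; it is still the changelog text plus the exact installed version string that an ASV needs to see, so send both rather than the version number alone.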

random (Member, May 13, 2004)
Thank you for the info cPanelMichael, I realise there are possible ways around the issue, but still, the totality of the changes required would make it quite troublesome for clients on a shared server.

My guess is this is only viable on a separate machine hosting only the clients requiring to have a PCI compliant server.

I understand the push towards greater security, but the current demands made to achieve PCI compliance seem to be 'unreasonable'.

sparek-3 (Well-Known Member, Aug 10, 2002; cPanel Access Level: Root Administrator)

> I understand the push towards greater security, but the current demands made to achieve PCI compliance seem to be 'unreasonable'.

I agree with you here. Unfortunately I don't think there is anything cPanel can do about it. This is an industry issue.

The idea behind PCI is good. There are a ton of insecurities throughout the web hosting industry, and something like PCI really needs to be there to clamp down on this. But the implementation of PCI is way off. Like I said, I don't think the people that designed the PCI standard know about shared hosting. PCI would appear to be aimed at the Amazons and Walmarts of the world.