
PCI compliance is getting ridiculous

Discussion in 'Security' started by ehask71, Feb 22, 2018.

  1. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    59
    Likes Received:
    5
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    So PCI compliance is getting out of control... Now they will not allow FTP, as it is now classified as obsolete or insecure.

    "Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit."

    They are saying the same for SSH.

    If this keeps up my clients won't be allowed to process cards...
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,563
    Likes Received:
    42
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    Hi,

    Who are "they"? What sources do they cite for stating FTP or SSH are "Industry-deprecated protocols"?
     
  3. webhostuk

    webhostuk Well-Known Member

    Joined:
    Sep 11, 2013
    Messages:
    138
    Likes Received:
    13
    Trophy Points:
    18
    Location:
    UK
    cPanel Access Level:
    Website Owner
    Yes, can you update us on where you got this detail from? Any supporting website or article would help.
     
  4. random

    random Member

    Joined:
    May 13, 2004
    Messages:
    16
    Likes Received:
    1
    Trophy Points:
    153
    I agree with Eric, the steps one needs to take to achieve PCI compliance are ridiculous. For example, if you allow your clients to use FTP a PCI scan from hackerguardian.com will state...

    If you have opened port 587 for email, it will show that as being "industry deprecated protocols", the same if you have opened port 110.

    If you have opened a port for SSH access, the scan report will tell you that...

    You will also need to have OpenSSH version 7.6 or greater installed which, I believe, is not provided with the current versions of CentOS. As earlier versions contain vulnerabilities, the scan will fail.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,885
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @random,

    I noticed this part of your post and wanted to point you to discussion of this topic on the CentOS forums at:

    PCI compliance when update not available - CentOS

    While it's unsupported, the thread includes a user-submitted post with information about a potential workaround.

    Thank you.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,746
    Likes Received:
    111
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    In the past I've always just replied back mentioning that we use CentOS/RHEL, which uses backported packages, and include the changelog rpm output for a specific package, i.e.:

    rpm -q --changelog openssh-server | head -n 50

    And that has always satisfied the "outdated binary" issues.

    As an aside, would it be more beneficial if PCI regulators knew about shared hosting? It's one thing to have the server (packages, ports, etc) secure. It's quite another to run an outdated script. I keep all of our servers up to date with the latest packages, Apache, PHP, etc. But I can't speak for every client keeping their WordPress or WooCommerce script up to date.

    A better approach to PCI compliance might be to allow server administrators to run server penetration tests, which identify things like outdated SSH and/or insecure ports, and keep that information up to date and posted (certified) with a central body.

    Then when randomsharedhoster.com wants to become PCI compliant, they request a PCI scan, the PCI scanner finds that randomsharedhoster.com resolves to XX.XX.XX.XX IP address. XX.XX.XX.XX IP is found to have a recently certified server PCI compliance at the central body storing that information. Now the PCI scan can focus more on whether randomsharedhoster.com is keeping their script up to date, using strong and secure passwords, and storing information securely.

    This would seem to make better sense to me. But I'm not sure if the people running the PCI standard realize what shared hosting is.
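The backport evidence described above, as an added example that is not part of the thread: a small POSIX sh helper that takes the text of `rpm -q --changelog <package>` and reports under which changelog entry a given CVE id was fixed, so the response to a scanner's "outdated version" finding can quote the exact entry. The changelog lines, maintainer address and CVE ids below are constructed sample data, not real package history.

```shell
#!/bin/sh
# Added example (not the forum poster's code): parse `rpm -q --changelog`
# output to document that a CVE is addressed by a backported fix.
# All changelog content and CVE ids here are CONSTRUCTED sample data.

# Constructed sample, shaped like `rpm -q --changelog openssh-server` output:
# each entry starts with "* <date> <maintainer> - <version-release>".
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 7.4p1-13
- CVE-0000-00001: fix constructed issue (#000001)
- backport: harden constructed option handling

* Wed Dec 06 2017 Example Maintainer <maint@example.invalid> - 7.4p1-12
- CVE-0000-00002: another constructed fix'

# backport_evidence CVE_ID CHANGELOG_TEXT
# Prints the entry header and the matching line for every mention of CVE_ID
# and returns 0; prints nothing and returns 1 when the id is absent.
backport_evidence() {
    cve="$1"
    text="$2"
    printf '%s\n' "$text" | awk -v cve="$cve" '
        /^\* /            { header = $0; next }   # remember current entry header
        index($0, cve)    { print header; print $0; found = 1 }
        END               { if (found) exit 0; exit 1 }
    '
}

# has_cve_fix CVE_ID CHANGELOG_TEXT: yes/no form for use in a loop over
# the CVE ids a scanner report lists.
has_cve_fix() {
    backport_evidence "$1" "$2" >/dev/null
}

# Usage on a live CentOS/RHEL host (not run here):
#   has_cve_fix CVE-0000-00001 "$(rpm -q --changelog openssh-server)" && echo fixed
```

On a real host, replace `SAMPLE_CHANGELOG` with the output of `rpm -q --changelog openssh-server`; a scanner finding whose CVE id is absent from the changelog is one that still needs an update or a documented compensating control.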
     
  7. random

    random Member

    Joined:
    May 13, 2004
    Messages:
    16
    Likes Received:
    1
    Trophy Points:
    153
    Thank you for the info cPanelMichael, I realise there are possible ways around the issue, but still, the totality of the changes required would make it quite troublesome for clients on a shared server.

    My guess is this is only viable on a separate machine hosting only the clients requiring to have a PCI compliant server.

    I understand the push towards greater security, but the current demands made to achieve PCI compliance seem to be 'unreasonable'.
     
  8. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,746
    Likes Received:
    111
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    I agree with you here. Unfortunately I don't think there is anything cPanel can do about it. This is an industry issue.

    The idea behind PCI is good. There is a ton of insecurities throughout the web hosting industry and something like PCI really needs to be there to clamp down on this. But the implementation of PCI is way off. Like I said, I don't think the people that designed the PCI standard know about shared hosting. PCI would appear to be aimed at the Amazons and Walmarts of the world.
     