Jump to content

Pci Compliance


stevesh

Recommended Posts

This morning, in the Zencart support forum, a TCH customer posted a question about PCI compliance on his shared server account here, and received (according to him) this reply (in part):

 

"The remaining noted items on the PCI certification scan are inherent to shared hosting environments, these can not be corrected on the server that the site currently resides without causing adverse effects for others hosted on the same server. We apologize for the inconvenience this is causing, should you require full PCI compliance you will need to consider a semi-dedicated or full dedicated server."

 

Another frequent poster on that forum, who makes his living operating a hosting provider, replied that shared hosting can, in fact, be PCI compliant.

 

Unless there's more to this particular story, is the other guy wrong, or is there something about TCH's servers which preclude compliance?

Link to comment
Share on other sites

Another frequent poster on that forum, who makes his living operating a hosting provider, replied that shared hosting can, in fact, be PCI compliant.

 

Unless there's more to this particular story, is the other guy wrong, or is there something about TCH's servers which preclude compliance?

 

He is not wrong, but that's an easy statement to make when you only have one or two servers compared to several hundred. The fact is, we are fully aware of the needs of those that choose to use processors that require PCI compliance and have plans to provide this service. However, it will not be offered on our standard shared servers and is currrentlly only avaiable on dedicated servers.

 

 

Thanks. I did exactly that, and received this reply:

 

"Unfortunately PCI compliance cannot be met on a shared server environment and can be configured only on a dedicated server."

 

Those considering TCH for ecommerce might want to look elsewhere.

 

 

The features this customer would like us to disable will have a negative impact for all customers on the server and will not be changed for one site. I will list each of these requests and any resulting issues if they are disabled.

 

1. Disable the Apache option UserDir:

This is the feature that allows you to access your site by servername/~username and also enables the use of the free SSL certificate we supply on all of our servers. So as you can clearly see, disabling this option for one customer cripples those that choose not to purchase their own certificate to secure their store/site.

 

2. Non-standard SMTP port:

We enable port 26 as well as the standard port 25 to send email so that customers can use it in case their ISP blocks port 25. Once again a clear case of we can not cripple the server for the use of one site.

 

3. Disable SSL 2.0:

This is a known issue with cPanel servers that we and many other hosts have worked with cPanel to have corrected. In fact the next stable release of cPanel(11.24)addresses this and we see no reason now to manually tweak several hundred servers. We have done this in the past only to have cPanel updates overwrite the changes or prevent updates from proprely running. This will be corrected in the near future.

Link to comment
Share on other sites

Unless there's more to this particular story, is the other guy wrong, or is there something about TCH's servers which preclude compliance?

 

There is always more to a story and there are always two sides. TCH sells low cost Hosting and is a very good at providing this service. I would imagine that making their servers PCI compliant would add a cost and push our cost out of the low cost range we currently enjoy.

 

There are lots of folks here currently doing ecommerce and PCI compliance is not needed. Why chase customers away over a false assumption?

Link to comment
Share on other sites

Those considering TCH for ecommerce might want to look elsewhere.

That is entirely wrong, we do have hundreds of clients having e-commerce site hosted here.

 

Regarding PCI compliance, what Dick said is true and the same was conveyed to the client over the ticket he raised with the Help Desk. Guess the comment was posted before I was able to clarify the points he raised.

Link to comment
Share on other sites

It's possible, then, that I just don't understand the situation.

 

I've been a enthusiastically satisfied customer of TCH for several years, and currently have 2 reseller accounts. I have gone out of my way to recommend TCH to anyone looking for hosting.

 

My comment about 'looking elsewhere' that got you guys all fired up was based on this logic - please let me know if I'm missing something.

 

 

 

Merchant account providers and payment processors are increasingly requiring their customers and their websites to be PCI compliant.

 

TCH doesn't offer PCI compliance on their shared server packages.

 

Therefore, if you're looking for a low-cost shared-server hosting account for ecommerce, TCH isn't your place.

 

 

 

Not a criticism at all. I'm not suggesting that TCH should offer shared PCI compliance, and I never once suggested that TCH should 'disable any features'. I agree with (and appreciate) the strict security measures TCH enforces on it's servers.

 

Again, my point is that if you want to accept credit cards on your site, you won't be able to with a TCH shared account, once the PCI compliance requirement is universal, and I would suggest that this fact should be explained in the pre-sales pages.

 

Thanks to Dick for the explanation of the issues involved. I'll discuss those with the other hosting guy, but as of now it looks like I'll be switching to a TCH dedicated server.

 

No thanks to Bruce for his particularly unhelpful comments, volunteer or not.

 

 

Steve

Link to comment
Share on other sites

There are many people on shared servers accepting payments. That was the point I was trying to make. There are other carts besides Zencart. And a lot of people with small commerce sites use PayPal. So saying that if you are looking for a low-cost hosting company to do ecommerce to look elsewhere in my opinion is ridiculous. Sorry if you took it any other way.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...