PCI DSS compliance for a VPS using Centos

Question

I have a VPS with linode, great hosting by the way.

I am confident with centos apache ect but I know nothing about PCI DSS compliance, I usually let SagePay or PayPal deal with it.

But I have a client that is interested in not having customers go off to another website and dealing with the card details on there own website.

I have looked into it and it seems I need the following(plz correct if wrong):

• Another IP address separate for the SSL certificate for the https://
• The SSL certificate, which can be self signed with linux commands
• Be PCI DSS compliant

Its the PCI DSS compliant thats confusing, reading on the website it seems that you can just fill out a form, perform penetration testing yourself and adhere to the PCI DSS standards they set. You do not actually need to pay to have your server scanned by an external company to ensure you are PCI DSS compliant you can do it all yourself?

If so great lol as I dont really want to be paying out to be PCI DSS compliant, but are there any free software scans or common security holes to check?

Answer 1

You cannot be PCI DSS compliant if you do not control physical access to the server hardware which will store customer card information.

Related:

• PCS DSS Guide PDF - see "Requirement 9: Restrict physical access to cardholder data"

• Linode forums topic

Answer 2

You really don't ever want to be storing CC data on your site, it opens you up to all kinds of liability and as @danlefree mentions, the PCI DSS requirements are quite strict. You can use PayPal Pro or Authorize.net or any number of other payment processing systems that do the payment processing behind the scenes, so the visitors never need to know the processing is being done via a 3rd party. The browsing experience doesn't redirect them to another site, they stay on your site.

For the most seamless experience, you still will need a SSL certificate to collect the CC data, but you are sending it straight through to the payment processor. Even in this case, I wouldn't use a self-signed SSL cert, there are plenty of discount vendors to get a basic certificate that is going to be supported by most browsers if you don't want to spring for a premium one.

Also note that regardless of how you set it up, the level of PCI compliance and other security measures may depend on your merchant account and even the specific cards you support.

Also, note that most CentOS/RHEL stock distros (at least < 6) will not pass PCI scan due to the software versions they come with, at least last time I had to deal with it. This was true even though the older versions had the latest security patches, the scan wasn't sophisticated enough to detect this, so I had to use alternate repos to upgrade the LAMP stack.

Answer 3

Bringing our web sites (3) up under PCI was a full 6 month slog and we're still fighting with it daily several years later. It's not easy. Each of the answers in that form need documentation and support and there are more requirements. If it were up to me, I would use a third party cart that is compliant, pay more and let them keep up the compliance for you.

Answer 4

You will have to do a scan if you use PayPal Pro, they spring it on you a few months down the track, though don't store CC data, you'll have to have a fort-knox setup. And be able to prove it.

Just going through this PCI DSS compliance process ourselves. Its not too difficult - certainly not 6 months - all you have to do is identify which errors you are patched for, and dispute any scan findings.

This is a basic vulnerability scan from Trust Wave, its not particularly authoritative, and, to my eye, it seems like a revenue share arrangement between them and PayPal. It doesn't really require much "hardening" rather just puts some hoops up to be jumped through.