Society of Payment Security Professionals Forum  

#1
01-17-2009, 08:35 PM
Magnafix (Junior Member, Missoula, MT)
Shared Hosting and PCI DSS

I work for a relatively small web hosting company that hosts hundreds of ecommerce stores on a shared hosting cluster. Customers upload their own ecommerce software and manage their own stores.

I believe we meet all the requirements of Appendix A, and we have some work to do to bring our CDE into compliance.

If all of our ecommerce customers do quarterly scans (which inevitably produce false positives), then we will receive, on average, something like 4 scan reports every single day of the year.

I have been searching for a while and can't find how other hosting companies are handling this.

I have 100 other questions but this is the one that is causing us pain right now.

Thanks in advance for any replies.
#2
01-18-2009, 06:26 AM
jbhall56 (Senior Member, Minneapolis, MN)

What a lot of hosting companies are doing to address this is to conduct their own quarterly scanning and penetration testing and submitting the results to their customers. The cost of this scanning is part of the customer's charges for having their e-Commerce site hosted.

That said, since you are getting the scanning reports, it implies that your organization is responsible for the patching and management of the operating systems and likely the major services run on these servers. As such, these activities are NOT covered by Appendix A of the Security Assessment Procedures. Services provided by hosting providers above and beyond the hardware and physical security and environmental controls need to be covered within the 12 requirements of the Security Assessment Procedures.

Under my previous assumptions of the services you are providing for OS maintenance, you are likely going to be on the hook for Requirement 2 because you are configuring the servers, Requirement 5 for maintaining anti-virus, Requirement 8 because your personnel have accounts on these systems, Requirement 11 if you opt to do your own vulnerability and penetration testing, and Requirement 12 for your policies regarding the management of your own business and personnel that involve your services that must be PCI compliant.

That's just for what we know from your posting. If you are providing other services such as backup and recovery and others, those services will bring additional PCI compliance responsibilities. This is why most hosting companies go through their own PCI assessment process that they then provide to their customers (free or for a fee) so that their customers know what portions of the PCI Security Assessment Procedures they are responsible for.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#3
01-18-2009, 08:15 AM
Magnafix (Junior Member, Missoula, MT)

Thanks for the reply.

Our assumption is that we need to comply with 1 through 12 with regards to our CDE -- which stands apart from our shared hosting platform, and additionally, the shared hosting platform needs to comply with Appendix A.

But it sounds like you are saying our shared system is subject to complete compliance requirements too, because it handles somebody else's CHD?

You mentioned our role as the maintainers of the operating system and major services:

Yes - we maintain these on the shared hosting system. We also offer managed dedicated servers, and we are responsible for patching the operating system on those as well.

We provide backup and recovery services for both our shared system and managed servers as well.


Are you saying that because our customers (probably) handle CHD on these systems we maintain, we are responsible for full PCI Compliance on all those systems? If so, is there a specific section that leads you to that conclusion?


Finally, we offer unmanaged virtual private servers. We install the operating system and then hand complete administrative access to the customer and they are responsible for upkeep and services thereafter. Our conclusion is that these customers are on their own to take whatever measures they deem appropriate to maintain compliance.


It sounds like there is indeed a provision buried somewhere which will allow us to present our quarterly scan results to our customers, and inform them to stop sending in their own independent scan results, at least for our shared system. Is that right? If so, where is that stated?


Like I first mentioned I have 100 questions; here's one more related to shared hosting:

I cannot see tens of thousands of small web hosts ever meeting the one-service-per-server requirement (2.2.1), and the firewall requirements (1.3.6, 6.6). As customers begin demanding 100% compliance from their web hosts and these smaller hosts are slowly driven out of business, I hope the growing PCI Compliance industry can create jobs for those entrepreneurs and their employees. Am I missing something?
#4
01-18-2009, 09:59 AM
wconway (Senior Member, San Francisco)

Quote: Originally Posted by Magnafix
Our assumption is that we need to comply with 1 through 12 with regards to our CDE -- which stands apart from our shared hosting platform, and additionally, the shared hosting platform needs to comply with Appendix A.

But it sounds like you are saying our shared system is subject to complete compliance requirements too, because it handles somebody else's CHD?

I would agree you need to comply with the full PCI DSS since from what you describe, it sounds like you are a Service Provider. And based on your having "hundreds" of e-commerce sites using your service, you are likely a Level 1 Service Provider per the new Visa definition.

As for your customers, if my understanding is correct then they likely qualify for SAQ A (if they don't store any cardholder data electronically) and they won't need to do any scanning at all.
#5
01-18-2009, 10:10 AM
Magnafix (Junior Member, Missoula, MT)

Quote: Originally Posted by wconway
I would agree you need to comply with the full PCI DSS since from what you describe, it sounds like you are a Service Provider. And based on your having "hundreds" of e-commerce sites using your service, you are likely a Level 1 Service Provider per the new Visa definition.

!! Visa expects us to guesstimate the number of ALL our customers' transactions in a year and include them for the purposes of defining our Service Provider Level? We are Level 3, internally, and have no good way to estimate how many transactions our customers might be processing on our servers since they install whatever web apps/gateway software they want.

Quote: Originally Posted by wconway
As for your customers, if my understanding is correct then they likely qualify for SAQ A (if they don't store any cardholder data electronically) and they won't need to do any scanning at all.

We don't know whether our customers are storing cardholder data -- they install X-Cart, Zencart, OSCommerce, Interspire Cart, whatever they desire.

We are striving to reduce the scope of our CDE, but it sounds like you're saying that the hosting provider must treat their entire infrastructure as the CDE if they have a single customer who is processing their own transactions?

#6
01-18-2009, 02:57 PM
jbhall56 (Senior Member, Minneapolis, MN)

Quote: Originally Posted by Magnafix
You mentioned our role as the maintainers of the operating system and major services:

Yes - we maintain these on the shared hosting system. We also offer managed dedicated servers, and we are responsible for patching the operating system on those as well.

We provide backup and recovery services for both our shared system and managed servers as well.

Are you saying that because our customers (probably) handle CHD on these systems we maintain, we are responsible for full PCI Compliance on all those systems? If so, is there a specific section that leads you to that conclusion?

While the services you provide to your customers provide great assistance, they are also covered under requirements of the PCI DSS. Since you perform these services instead of the customer, your organization is on the hook to ensure compliance of these services with the PCI DSS.

This is the problem hosting providers run into. They provide a lot of additional services such as security, OS maintenance, backup and recovery and the like, not realizing that these services require PCI compliance if the customer is processing, storing or transmitting cardholder data (CHD). That is why we recommend to our hosting providers that they ask their customers annually whether or not they are processing, storing or transmitting CHD from the systems hosted. If the customers do process, store or transmit CHD, then our hosting providers typically move these systems to a different part of their hosting facility that they maintain as PCI compliant and is annually assessed by a QSA.

Quote: Originally Posted by Magnafix
Finally, we offer unmanaged virtual private servers. We install the operating system and then hand complete administrative access to the customer and they are responsible for upkeep and services thereafter. Our conclusion is that these customers are on their own to take whatever measures they deem appropriate to maintain compliance.

Yes, these customers are responsible for their PCI compliance and you are only responsible for those items documented in Appendix A.

Quote: Originally Posted by Magnafix
It sounds like there is indeed a provision buried somewhere which will allow us to present our quarterly scan results to our customers, and inform them to stop sending in their own independent scan results, at least for our shared system. Is that right? If so, where is that stated?

The PCI DSS requirement responsibilities are with the organization and their personnel that actually perform the activity covered by the requirement. As an example, for some customers, you maintain their systems and those activities are covered by a variety of PCI requirements and your organization is responsible for ensuring they are PCI compliant.

Quote: Originally Posted by Magnafix
I cannot see tens of thousands of small web hosts ever meeting the one-service-per-server requirement (2.2.1), and the firewall requirements (1.3.6, 6.6). As customers begin demanding 100% compliance from their web hosts and these smaller hosts are slowly driven out of business, I hope the growing PCI Compliance industry can create jobs for those entrepreneurs and their employees. Am I missing something?

Unfortunately, those hosting companies have to comply with the PCI requirements. That said, there is the compensating controls approach to meeting requirements. But any compensating control MUST go above and beyond the requirement it is addressing, which in a services environment typically means even more work than just meeting the requirement.

And remember, the PCI DSS is nothing really new. It's just a compilation and codification of information security best practices. Things companies should be doing regardless of whether we're talking about CHD or social security numbers, drivers license numbers or any other personally identifiable information (PII). It all needs to be properly protected so that it cannot be readily released by just anyone with access to the system.

For the firewall requirements, there is absolutely no excuse in this day and age for not having a network firewall in place. While I know there are a lot of geeks out there that believe they can totally harden an OS and not use a firewall, it's just not a prudent business practice because there are typically just too many customers to make sure that you are always on top of every device you have.

In regards to requirement 6.6, an application firewall can be used OR code reviews can be used. And automated code review tools such as AppScan and the like can be used, but they must be part of the development cycle and cannot be used after the fact once the application is put into production. The point of requirement 6.6 is to minimize the amount of risky code that ends up on the Internet.

I would recommend that you search the Forum as the bulk of your questions have likely already been discussed here.
#7
01-20-2009, 04:33 PM
Magnafix (Junior Member, Missoula, MT)

Quote: Originally Posted by jbhall56
This is the problem hosting providers run into. They provided a lot of additional services such as security, OS maintenance, backup and recovery and the like, not realizing that these services require PCI compliance if the customer is processing, storing or transmitting cardholder data (CHD). That is why we recommend to our hosting providers that they ask their customers annually whether or not they are processing, storing or transmitting CHD from the systems hosted. If the customers do process, store or transmit CHD, then our hosting providers typically move these systems to a different part of their hosting facility that they maintain as PCI compliant and is annually assessed by a QSA.

I predict that 95%+ of hosts will not do it, ever.

What do they risk? Will merchant account providers invent ever-higher non-compliance fees to eliminate their own customers?
#8
01-21-2009, 01:26 AM
cmark (Administrator)

PCI compliance is the responsibility of the organization that owns the data. In a shared hosting environment where it is truly shared hosting and the client can upload whatever they want, then the merchant is responsible for ensuring they are using a hosting provider that meets their needs. Simply having merchants that house data in a hosting environment does not impose the requirements upon the hosting provider.

There are two basic paths here. 1) the merchants need to ensure they are using a hosting provider that complies with the PCI DSS or 2) the merchants need to ensure they can manage their own systems in accordance with PCI DSS.

The fact that you (Magnafix) are actually complying with appendix A puts you in rare company. Very, very few hosting providers care or are even attempting to pursue compliance with requirement A.

Long and short...yes you are a service provider BUT you are not storing, transmitting or processing data. You simply own the systems that allow merchants to do so. Your responsibility is to comply with appendix A unless you manage the ecommerce sites or provide some other function that puts you in the category of storing, transmitting, or processing CHD. Consider a telco as another example. If my company decides to transmit unencrypted cardholder data across Verizon, it is difficult to believe that this would not place Verizon in the category of a service provider that is responsible for the data as they are providing the mechanism to transport. Much of this is related to intent and knowledge. If you are selling a hosting solution that says: "Use our super duper eCommerce hosting" then I think you are now assuming more responsibility for the data.

With regard to the scans, you should have a quarterly scan as the merchants likely do not have the ability to make any changes to the systems/FW. It doesn't make much sense in my mind for the merchants to be scanned in a shared hosting environment as they cannot fix any identified issues. Your scan should be sufficient for the merchants' compliance needs although I suspect you will get grief as it will impact the revenue of the ISOs and ASVs. Unfortunately, there are a large number of ASVs partnering with acquirers and requiring 'opt out' scanning for merchants.
#9
01-21-2009, 03:48 AM
Magnafix (Junior Member, Missoula, MT)

Quote: Originally Posted by cmark
Long and short...yes you are a service provider BUT you are not storing, transmitting or processing data. You simply own the systems that allow merchants to do so. Your responsibility is to comply with appendix A unless you manage the ecommerce sites or provide some other function that puts you in the category of storing, transmitting, or processing CHD.

So you disagree with wconway above who proposed that the aggregated transactions of our hundreds of hosted merchants place us in the Level 1 (highest) level of merchant? That would really be a worst case scenario for us.
#10
01-21-2009, 05:58 AM
derra (Member)

Yes, cmark is correct.
Copyright (c) The Aegenis Group, Inc.