PCI-DSS Compliant Hosting
Our WordPress Hosting and Universal Hosting platforms are PCI compliant as standard. This means that any website hosted on these plans should be able to pass a PCI-DSS automated vulnerability scan shortly after the plan and SSL certificate are activated.
Please note that while the container itself will be compliant, this does not mean that the owner of the container is necessarily compliant, nor that the application(s) running inside the container are compliant. PCI-DSS is assessed against the merchant as a whole: the people, processes and application code, not just the hosting infrastructure.
Our primary goal is to ensure the infrastructure we provide is PCI compliant. Once additional software (plugins, themes, custom code) is added to the platform, it may introduce findings that cause a scan to fail. We're of course always happy to lend advice if your site fails a PCI scan for this reason, and to suggest alternative courses of action.
Running PCI Scans
Before you run a PCI scan on your WordPress or Universal container we recommend that:
- HTTPS is enabled on the site and pages load without mixed-content warnings (every script, stylesheet and image is served over HTTPS).
- The SFTP Lock is set to locked, so the SSH port is not exposed (some scan vendors, Trustwave for example, will fail a scan on an open SSH port).
Mitigation and known issues
While containers are regularly tested for compliance, the CentOS operating system we use is derived from Red Hat Enterprise Linux, which backports security fixes into the existing package version rather than bumping to the upstream version number. Automated scans that judge vulnerability by version string alone can therefore report that our platform is running out-of-date packages. This is a false positive.
Here are the most common issues we see and how we mitigate them:
If the scan cannot be run with the SFTP Lock set to locked, the scan vendor will usually ask you to provide further information about how SSH is secured. The following is the response we recommend: "We only support protocol 2 of SSH with a limited cipher set, which is regularly tested against Mozilla and Red Hat best practices. We regularly review and test this set of cipher suites. We support passwordless entry via SSH keys, and restrict access to prevent root login."
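The statement above describes four concrete controls: protocol 2 only, a restricted algorithm set, key-based authentication and no root login. The following sshd_config fragment is an added illustration of how those controls look on an OpenSSH server; it is not the hosting provider's actual configuration, and the algorithm lists are taken from Mozilla's "modern" OpenSSH guidelines on the assumption of OpenSSH 6.7 or later.

```sshd_config
# Illustrative sshd_config for the controls described in the statement above.
# Added example; NOT the hosting provider's real configuration.
# Assumption: OpenSSH 6.7+ (needed for chacha20-poly1305 and the *-etm MACs).

# Protocol 1 is obsolete. On OpenSSH 7.4 and later it no longer exists and this
# line only produces a deprecation warning; keep it for older builds.
Protocol 2

# Key-based authentication only: no passwords, no keyboard-interactive prompts.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# No direct root login over SSH; administrators log in as themselves and escalate.
PermitRootLogin no

# Restricted algorithm set (Mozilla "modern" OpenSSH guidelines).
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Offer only ed25519 and RSA host keys; omit DSA and ECDSA keys.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
```

Before restarting the daemon, check the syntax with `sshd -t`, and confirm the effective settings with `sshd -T` (which prints the configuration sshd will actually apply, including defaults). `ssh -Q cipher`, `ssh -Q kex` and `ssh -Q mac` list the algorithms a given OpenSSH build supports, which is the quickest way to catch a name the installed version does not recognise before it refuses to start.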
General package versions
As above, a PCI scan may flag a package on its version string alone, even though the relevant fix has been backported. If this occurs we can confirm that the installed package is the latest supplied by CentOS (derived from Red Hat Enterprise Linux) and that the fix in question is included in its changelog. This is normally sufficient to have the finding accepted as a false positive.
Want to know more?
PCI Compliance FAQ
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI-DSS), a set of security and procedural requirements created by the Payment Card Industry Security Standards Council for anyone processing, transmitting or storing card data. These requirements are designed to reduce fraudulent credit card transactions.
If you're handling sensitive data such as credit card numbers, your website will need to be compliant with the standard. PCI compliance is a strict requirement for any website that processes credit cards, and your card processor will usually not allow you to proceed until you can demonstrate your compliance.
If on the other hand the sensitive data is handled outside of your site, e.g. you use Square card processing or a similar hosted payment page, your compliance scope is much smaller; confirm with your processor or acquirer which self-assessment applies to you. That said, the additional security steps taken on our PCI compliant containers mean your site will be that much more secure even if you don't technically need to meet the full standard.
Recognising the need to quickly create websites which are PCI compliant, we built both our WordPress and Universal Hosting accounts with this requirement in mind. Both hosting accounts are built to pass a PCI-DSS automated scan right out of the box.