WEB HOSTING SUPPORT NETWORK
Common steps you can take before running a PCI scan

The list below includes the most common items that appear as failed in a PCI scan report. You can take these steps before running the PCI scan, or simply have the scan run and then fix the "failed" points it reports.

Obtain a personal certificate for your domain

The default certificate on our servers is issued to the server name. Therefore, if you want your site to be accessed over https:// without raising warnings, you need to obtain a personal certificate for your domain, and it should be installed on the server on a dedicated IP address. You can contact your hosting provider for assistance in obtaining and/or installing an SSL certificate on a dedicated IP. You will not be able to pass a PCI scan without having a personal certificate and a separate IP address for your domain.

Force HTTPS on statistics folders (http://yourdomain.com/stats)

PCI compliance usually requires all parts of your website to be accessible through HTTPS. Because the statistics folder is a system folder and not part of your website itself, HTTPS is forced for it separately from the site. You can force an HTTPS connection to your statistics page through the hosting Control Panel's Site Statistics section.

Disable directory listing

Some PCI scans require directory listing for your website to be disabled, so that the files in a directory are not visible when it has no index page. Directory listing can be disabled for your site in the hosting Control Panel > Protection section > Web access protection subsection. There, click the Disable button under Directory listing for the folder that holds your website (usually /www/www).

Maintaining the website software

While we maintain the server software and are responsible for its security, it is the customer's responsibility to run secure software on their website. PCI scans also test your website for SQL injection, cross-site scripting, remote file inclusion and similar vulnerabilities. If any such issues are found, they must be fixed by the developer of your website.

Additional port blocking / firewall protection

Most companies that provide PCI compliance certification require the server to have open ports only for the web service (ports 80 and 443), and not to have open ports for FTP, SMTP, SSH, MySQL, etc. This can be achieved on our servers by adding firewall rules so that only ports 80 and 443 are open.

To have this feature enabled:

  • Your site must have a separate IP address. You will have one if you have a personal SSL certificate installed on your domain.
  • You should perform certain DNS modifications before enabling the port blocking, so that your mail services continue to work.
  • Your hosting plan must include this feature. You can contact our support team for more details on this.

Once the feature is enabled, your email, FTP, and remote MySQL services will be available only on the server default IP address, and not on your domain IP address.

DNS modifications

The DNS modifications you need to make are meant to point the MX record for your domain to the default server IP address. This will ensure that your email services will continue to work when the ports on your domain IP address are blocked. If your domain uses our DNS service, the modifications are to be made through the DNS Manager section of the hosting Control Panel. In general, if the MX record for your domain is mail.domain.com, the A record for mail.domain.com must be pointed to the default IP address of the server. Then, you need to allow at least several hours for DNS propagation, prior to enabling the port blocking.

If your domain uses a third-party DNS service, you need to make the required DNS changes there.
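A pre-flight check of the kind described above, written here as an added Python example (not the hosting provider's own tooling): it confirms that every MX target of the domain resolves, directly or through a CNAME, to the server's default IP before port blocking is enabled. It runs over constructed zone records rather than live DNS, and the domain, hostnames and IP addresses are placeholders.

```python
"""Pre-flight check before enabling port blocking: every MX target of the
domain must resolve (directly or via a bounded CNAME chain) to the server's
default IP, otherwise mail stops once the domain IP's ports are closed."""
from typing import Dict, List, Tuple

# Constructed zone data standing in for DNS lookup results (placeholders).
# Keys are fully qualified names; values are (record type, record value).
Zone = Dict[str, List[Tuple[str, str]]]

SAMPLE_ZONE: Zone = {
    "example.com.": [("A", "203.0.113.20"),
                     ("MX", "10 mail.example.com."),
                     ("MX", "20 mx2.example.com.")],
    "mail.example.com.": [("A", "203.0.113.20")],   # still the domain IP: wrong
    "mx2.example.com.": [("CNAME", "smtp.example.com.")],
    "smtp.example.com.": [("A", "198.51.100.5")],   # the server's default IP
}

def resolve_a(zone: Zone, name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs (bounded, loop-safe) and return the A records for name."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return []                      # CNAME loop
        seen.add(name)
        records = zone.get(name, [])
        a_values = [v for t, v in records if t == "A"]
        if a_values:
            return a_values
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return []                      # dangling name
        name = cnames[0]
    return []

def mx_targets(zone: Zone, domain: str) -> List[str]:
    """Return the domain's MX hostnames ordered by priority."""
    mx = [v.split() for t, v in zone.get(domain, []) if t == "MX"]
    return [host for _, host in sorted((int(p), h) for p, h in mx)]

def check_port_blocking_ready(zone: Zone, domain: str, server_ip: str):
    """Return (ok, problems): ok only when every MX target maps solely to server_ip."""
    problems = []
    targets = mx_targets(zone, domain)
    if not targets:
        problems.append(f"{domain} has no MX record")
    for host in targets:
        ips = resolve_a(zone, host)
        if not ips:
            problems.append(f"{host} does not resolve to an A record")
        problems += [f"{host} -> {ip}, expected {server_ip}" for ip in ips if ip != server_ip]
    return (not problems, problems)
```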

Enabling port blocking

The additional port blocking can be enabled only by our system administrators. You can contact our support team for assistance. We will check whether your DNS records are set properly, and will have the feature enabled.

Mail, FTP, MySQL, and SSH services with port blocking enabled

You must keep in mind that with port blocking enabled, all services except HTTP/HTTPS will be available only at the server IP address/hostname. Therefore, you should modify your email programs to connect to mail.your_server.com instead of mail.domain.com. The same applies to FTP/MySQL/SSH programs: use the server name instead of your domain name to connect to the server.