Will my secure site pass credit card PCI compliance scans?
If you accept a large volume of credit cards, your site may be required to pass a PCI scan or a similar "security vulnerability" scan.
We have several customers who have passed these scans without problems, and our own www.tigertech.net Web site passes PCI scans from Trustwave.
However, you may need to ask us to make some minor changes to the way your site is set up before a scan:
SSL certificate
First of all, you'll need your own dedicated SSL certificate for the site; on our service, a dedicated certificate comes with a dedicated IP address.
Disabling telnet and NTP
Most scanning companies require your site to reject telnet and NTP connections. To help you pass the test, we can block access to telnet and NTP (TCP port 23 and UDP port 123) at the firewall level if you contact us.
MySQL version numbers
If you don't use remote MySQL connections, we can also block MySQL access (TCP port 3306) from outside our network at the firewall level. We recommend doing this: a port the scanner cannot reach is a port it cannot flag, and it removes the version-number question below entirely.
However, if you require remote MySQL connections, things are a little more complicated. Even if you tell your PCI scanning company that your database doesn't contain credit card numbers, they may either accept that or claim that your site still fails the test because we use an "outdated version of MySQL". The second claim is not correct.
Like almost all hosting companies, we use a Linux distribution that includes "backports" of security patches, including patches for MySQL. This means the distribution (in our case Debian Linux) ships one stable version of MySQL (such as 5.0.51a) for the life of a release. When newer versions of MySQL are released, the security fixes from those versions are applied to the Debian MySQL packages, but the new features of the newer versions are not.
This allows us to run a version of MySQL with a known set of features, while keeping it secure. Our customers wouldn't like it if we were constantly upgrading to full new versions of MySQL, with all the bugs and changes that come from new software — stability is important.
So checking just the "5.0.51a" part of the MySQL version number doesn't tell the scanning company how secure the actual software is. You should tell them that the full version string (which they can see in the server's banner) contains more than the MySQL version: it has a format like "5.0.51a-Debian_XlennyY". The extra part identifies Debian package revision "XlennyY", which is the current patched revision provided by Debian Linux; the scanning company can check that against Debian's security advisories.
Explaining this to the scanning company has allowed our customers to pass this part of the test, even though they continue to use MySQL remote connections.
PHP version numbers
If your scanning company checks only the first part of the PHP version number, they may think you're using an old version of PHP that has security vulnerabilities. This is not the case.
As described above, we use a Linux distribution that includes "backports" of security patches, including patches for PHP.
So checking just the start of the PHP version number doesn't tell the scanning company how secure PHP is. If they think there is a problem, point out that the full version string (which they can see, for example in the X-Powered-By response header) begins with something like "5.2.6-X+lennyY". The extra part is Debian package revision "X+lennyY", which is the current patched revision provided by Debian Linux. The scanning company can see the exact version on our servers and verify against Debian's security advisories that it includes all security patches.
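To make the version-string argument from the MySQL and PHP sections above concrete, here is an added example; it is not code from Tiger Technologies or from any scanning vendor. It splits a banner of the kind shown above into the upstream version and the Debian package revision, compares versions using the ordering Debian Policy defines for package version strings (a reimplementation of what dpkg does, not a call into dpkg), and contrasts a scanner that reads only the upstream number with one that reads the whole string. The sample banners, the "fixed in" upstream versions and the "fixed in" Debian package versions are constructed placeholders, not real advisory data; for a real check, take the fixed package version from the relevant Debian Security Advisory.

```python
import re
from itertools import zip_longest

# Constructed sample banners in the formats described above. The Debian
# revision digits (the page's "X" and "Y") are made up for illustration,
# not taken from any real server.
SAMPLE_BANNERS = {
    "mysql": "5.0.51a-Debian_24+lenny2-log",  # as returned by SELECT VERSION()
    "php": "5.2.6-1+lenny9",                  # as seen in an X-Powered-By header
}

# upstream version, optional Debian revision, optional trailing suffix ("-log")
BANNER_RE = re.compile(
    r"^(?P<upstream>\d+(?:\.\d+)*[a-z]?)"
    r"(?:-(?:Debian_)?(?P<debrev>\d[^-\s]*))?"
    r"(?P<suffix>-.*)?$"
)


def parse_banner(banner):
    """Split a MySQL/PHP version banner into its upstream and Debian parts."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    debrev = m.group("debrev")
    codename = None
    if debrev:
        cm = re.search(r"([a-z]+)\d+$", debrev)  # "24+lenny2" -> "lenny"
        codename = cm.group(1) if cm else None
    return {"upstream": m.group("upstream"), "debian_revision": debrev,
            "codename": codename, "suffix": m.group("suffix")}


def _char_order(c):
    # dpkg's ordering for non-digit characters: '~' sorts before everything,
    # including the end of the string; letters sort before other symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream-version or revision fragment the way dpkg does:
    alternate non-digit runs (character order above) and digit runs
    (numerically, so "lenny10" sorts after "lenny2")."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            d = _char_order(ca) - _char_order(cb)
            if d:
                return -1 if d < 0 else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split_version(v):
    """'epoch:upstream-revision' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_version_cmp(a, b):
    """Return -1, 0 or 1 comparing two Debian package versions like dpkg."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def assess(banner, fixed_upstream, fixed_debian):
    """Contrast a scanner that reads only the upstream number with one that
    reads the Debian revision. fixed_upstream is the upstream release that
    fixed an issue; fixed_debian is the Debian package version (from the
    matching Debian Security Advisory) that backported the same fix."""
    info = parse_banner(banner)
    naive = dpkg_version_cmp(info["upstream"], fixed_upstream) < 0
    if info["debian_revision"] is None:
        # No distro revision visible: nothing better than the naive answer.
        return {"naive_flags_vulnerable": naive,
                "revision_aware_vulnerable": naive,
                "installed": info["upstream"]}
    installed = info["upstream"] + "-" + info["debian_revision"]
    aware = dpkg_version_cmp(installed, fixed_debian) < 0
    return {"naive_flags_vulnerable": naive,
            "revision_aware_vulnerable": aware,
            "installed": installed}


if __name__ == "__main__":
    # Constructed advisory data: suppose an issue was fixed upstream in MySQL
    # 5.0.75 and backported by Debian in package version 5.0.51a-24+lenny2.
    print(assess(SAMPLE_BANNERS["mysql"], "5.0.75", "5.0.51a-24+lenny2"))
    print(assess(SAMPLE_BANNERS["php"], "5.2.11", "5.2.6-1+lenny4"))
```

The upstream-only check flags both sample banners because "5.0.51a" sorts below "5.0.75" and "5.2.6" below "5.2.11"; the revision-aware check clears them because the installed Debian package version is at or above the version that carried the backported fix. The same function reports a genuinely unpatched package (an older "+lennyY" revision than the advisory's) as vulnerable, so the argument to the scanning company is about reading the whole string, not about waving the check through.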
