Any merchant that stores, processes or transmits cardholder data must be PCI compliant, which involves quarterly scans by a PCI SSC Approved Scanning Vendor (ASV).
Sometimes such PCI scans fail due to certain vulnerabilities found on our servers. These vulnerabilities exist not because the servers are insecure, but because PCI requirements are stricter than what a typical web site needs. Many web servers do not host any ecommerce sites, so they do not need to be PCI certified. If your site happens to be the first card-processing site on the server, there is a chance the PCI scan will not pass on the first attempt.
Depending on what vulnerabilities have been found by the PCI scan, some of them can be resolved on your end, while others require our assistance. However, if you have a hosting plan in our shared environment, we cannot guarantee PCI compliance, as some of the required changes may negatively affect other customers on the server.
Below are the most common vulnerabilities we have come across so far.
Windows Servers: All critical Windows updates are installed as soon as they have been issued.
| Port | Service | Finding | Resolution |
|---|---|---|---|
| 80 | HTTP | The remote web server generates predictable session IDs. | Use the CFID/CFTOKEN combination to generate unpredictable session IDs. Refer to http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_17915 for details. |
| 21 | FTP | The remote FTP server allows credentials to be transmitted in clear text. | All versions of the IIS web server prior to IIS 7.0 use plain FTP and do not have FTPS. This vulnerability is not critical for PCI compliance and can be left as is. |
| 443 | HTTPS | The remote service supports the use of weak SSL ciphers. | Contact our technical support team and request to disable weak ciphers. |
Linux Servers: The latest stable version of Debian is running on our Linux servers. All critical security updates are installed promptly on the servers. Please check the Security Advisories section at http://debian.org/
| Port | Service | Finding | Resolution |
|---|---|---|---|
| 443 | HTTPS | Vulnerability in OpenSSL 0.9.8X | OpenSSL is part of the Debian distribution. We are currently working on upgrading to the next version of Debian Linux. |
| 80 | HTTP | Web Server HTTP TRACE Method Supported | Contact our technical support team and request to disable the method. |
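To confirm the "HTTP TRACE Method Supported" finding has actually been cleared before the next ASV scan, the same check the scanner performs can be run against your own site. The script below is an added example and not part of this article or the hosting provider's tooling: it starts two constructed local test servers, one that still echoes TRACE requests (the behaviour the scanner flags) and one that refuses them with 405, and runs the check against each; the `trace_supported()` function is the part you would point at a real host and port.

```python
"""Pre-scan self-check for the HTTP TRACE finding (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Constructed demo server with TRACE left on: echoes the request."""

    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class TraceDisabledHandler(TraceEnabledHandler):
    """Hardened variant: TRACE is rejected with 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a demo server to an ephemeral localhost port in the background."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_supported(host, port, timeout=5):
    """True if TRACE is answered with 200 and a message/http body that echoes
    our marker header, i.e. the scanner finding still applies to host:port."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Pci-Check": "trace-probe"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    ctype = resp.getheader("Content-Type", "")
    return resp.status == 200 and ctype.startswith("message/http") and b"X-Pci-Check" in body


if __name__ == "__main__":
    for name, handler in (("TRACE on", TraceEnabledHandler), ("TRACE off", TraceDisabledHandler)):
        srv = start_server(handler)
        print(name, "->", "finding still present" if trace_supported(*srv.server_address) else "clear")
        srv.shutdown()
```

Point `trace_supported()` at the hostname and port from the scan report; a result of False means the method is no longer accepted, which is what the re-scan needs to see.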
For more information on PCI compliance, please refer to: http://www.pcicomplianceguide.org/