If you are selling online, you have likely already dealt with or will soon deal with PCI DSS. If you’ve gone through the audits you know they can be a real pain. We are starting on a new project to test the PCI compliance of the Plesk control panel. We plan on using several different vendors during the process to get an idea of who has the best tools to get this onerous security task completed.

Do I need PCI Scanning?
The best answer to this question is to ask your billing or merchant provider. The requirement for scanning depends on your number of transactions per year. Most of our clients are Level 4 merchants, meaning they process fewer than 20,000 transactions per year and may not be required to have a PCI audit. However, the PCI rules have recently broadened and require acquirers for Level 4 merchants to put better security and procedures in place. So while you may not be directly required to have an audit, many providers have now passed that obligation on to you.

Project Overview
Many of our clients are using Plesk, so we selected it as a baseline. What we plan to do is to run a PCI compliance test on the latest version of Plesk. We are currently selecting 3-5 approved scanning vendors that have lower-end price points. We are looking at sub-$500.00/year price targets based on the service provided. We will evaluate each vendor as we fix security issues. We are paying especially close attention to false positives and consistency of the audits. Recently, using ScanAlert, I noticed significant variability between consecutive scans. I never found the cause, but variable scans make it very difficult to quickly fix an audit.

Project Goal
We have two key objectives:

  1. Find a reliable, cost-effective PCI scanning vendor
  2. Establish procedures for securing Plesk for PCI compliance

We have used about a half dozen different vendors to date. I now want to find one and develop a strong working relationship. Through this partnership, I hope we can better assist with PCI compliance issues. We will rate each vendor on ease of use, false positive handling, support and pricing.

Also, as we do this, we will develop procedures and configurations that we can roll into our server deployment packages. This will allow us to offer out-of-the-box PCI compliant servers.

Timeframe
We should have the vendor selection finalized this week and run the audits next week. We will keep you posted on our progress.

Feedback
If you have dealt with PCI compliance issues and have some key items you would like us to evaluate please let us know.