PCI Question

I currently have a VPS with KH as I was planning to deploy my hosting companies portal there. This portal would be storing credit card data.

As I understand it, to be PCI compliant when storing CC data, the data store (MySQL) would have to be on a machine (or VPS I guess) that is not accessible via the internet. So firewalled off to only allow access from the web server VPS (ie: would need two VPS accounts).

However, unless I misunderstand, the entire server the VPS account is on has to be PCI compliant. Plus, KH has to be PCI compliant as they have physical access to the server. On top of that, the datacenter must be PCI compliant, etc.

Am I mistaken? This whole PCI mess is a large steaming pile and is a major headache for small businesses :-/
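One way to verify the segmentation described in the question from the database VPS's own configuration. This is an added example, not code from the thread or from KH; it assumes the web server VPS has the private address 10.0.0.5, the database VPS 10.0.0.6, and uses constructed `iptables-save` and `my.cnf` samples.

```python
import re

# Constructed sample (not from the thread): iptables-save output on the database VPS.
# Assumes the web server VPS is 10.0.0.5 and SSH is admitted only from one management IP.
DB_IPTABLES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 203.0.113.9/32 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed my.cnf fragment for the same VPS (private interface only).
DB_MY_CNF = """[mysqld]
bind-address = 10.0.0.6
"""

def input_policy(dump):
    """Default policy of the INPUT chain, e.g. 'DROP' or 'ACCEPT'."""
    m = re.search(r"^:INPUT (\S+)", dump, re.M)
    return m.group(1) if m else None

def mysql_accept_sources(dump):
    """Sources admitted to TCP/3306 by ACCEPT rules in INPUT ('any' when no -s is given).
    Only --dport/--dports lists are parsed; port ranges (3300:3310) are not handled."""
    sources = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        m = re.search(r"--dports? (\S+)", line)
        if not m or "3306" not in m.group(1).split(","):
            continue
        s = re.search(r"-s (\S+)", line)
        sources.append(s.group(1) if s else "any")
    return sources

def bind_address(my_cnf):
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.M)
    return m.group(1) if m else None

def check_db_isolation(dump, my_cnf, web_server_ip):
    """Return findings; an empty list means MySQL is reachable only from the web server."""
    findings = []
    if input_policy(dump) not in ("DROP", "REJECT"):
        findings.append("INPUT chain default policy is not DROP")
    for src in mysql_accept_sources(dump):
        if src not in (web_server_ip, web_server_ip + "/32"):
            findings.append(f"port 3306 accepts connections from {src}")
    if bind_address(my_cnf) in (None, "0.0.0.0", "::", "*"):
        findings.append("mysqld bind-address allows all interfaces")
    return findings
```

Run it against the real `iptables-save` output and `my.cnf` of the database host; any finding means the "only the web server can reach MySQL" assumption does not hold.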

We have several clients whose VPS we make PCI Compliant. The physical server the VPS resides on definitely doesn't need to be PCI Compliant, as the VPS runs as its own machine with its own MySQL, Apache, etc. So if you need a VPS and require it to be PCI Compliant, all we require is, first, that the VPS is a Managed VPS with us (cPanel, Plesk, or DirectAdmin only). We won't do PCI Compliancy work on Unmanaged VPSs, so this is important to make note of. Second, provide us a security scan for the VPS from whomever you choose to do so (McAfee, for example) and then we will do the work necessary to make your VPS PCI Compliant. Hope this helps.

OK. Can the MySQL database and the web server reside on the same physical (err, logical) VPS?

Right now, the VPS isn't using a control panel, but I have my own extra DirectAdmin license. Is this acceptable?

A Managed VPS means we provide a control panel and a VPS. We need to be the ones installing and configuring the control panel. Regarding MySQL and the Web Server, that all depends. Doing everything a PCI Scan says could result in Apache not working. All we can do is make the VPS PCI Compliant. We can't get into best practices of PCI Compliancy, though.