Quote:
Originally Posted by xplorer
First of all, X-Payments will require a dedicated server. It is not because of its performance, it is due to the PCI DSS requirements. I believe that no stores hosted on shared servers will ever be verified as PCI DSS compliant. The only exceptions are stores that don't collect credit cards via the store website.
Boy, someone sold you a bill of goods. You must have hired an extremely overzealous QSA. If you look at the PCI-DSS 1.2 Requirements and Security Assessment Procedures document you will see there is an Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers that makes it quite clear that shared hosting is allowable under PCI-DSS. It does require that processes run under the merchant's user ID, so a shared host using mod_php could not be used, but a host using suphp should be fine. It is up to the merchant to validate that the host meets the requirements of Appendix A.
Quote:
Originally Posted by xplorer
Also, if you host X-Payments with other web applications on the same server, the server will require a special configuration because PCI DSS dictates a payment application (X-Payments) to be isolated from other applications (your website, X-Cart, forums and other web applications). It can be done either on the hardware level (different hardware servers) or on the software level (firewalls and jail systems).
Wow, again. This simply isn't true. Ask your QSA to point you to the specific PCI-DSS requirement that dictates this. Take a look at your competition who are already PA-DSS certified -- they don't have this requirement because it doesn't exist.
If this kind of stuff is going to make it into your PA-DSS required implementation guide you are going to put yourselves at a significant disadvantage in the marketplace. Forcing merchants onto multiple dedicated servers/VPS, X-Cart on one and X-Payments on another, will send your old and new customers to competitive shopping carts that have done the job right and don't impose silly "PCI requirements" that don't exist.
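The reply above leaves the merchant with a concrete check to make: does the shared host actually run each merchant's PHP under that merchant's own user ID (suPHP, CGI+suexec, a per-user php-fpm pool), or as one shared web-server account (mod_php)? The probe below is an added example, not part of the original thread and not X-Cart or X-Payments code. It is a single PHP file you would upload into your own webspace, request once over HTTP, and then delete; the file name uidcheck.php and the verdict wording are assumptions. It must be requested through the web server, because running it from the command line will always show your own shell user and prove nothing.

```php
<?php
// uidcheck.php (hypothetical name): added example, not part of the original post.
// Reports the effective UID the web server actually runs this script under and
// compares it with the owner of the file. Under mod_php every merchant's scripts
// run as the shared web-server account (www-data, apache, nobody, ...); under
// suPHP / CGI+suexec / a per-user php-fpm pool they run as the file's owner,
// which is what Appendix A's "processes run under the merchant's user ID" means.

declare(strict_types=1);

function process_uid(): ?int
{
    if (function_exists('posix_geteuid')) {
        return posix_geteuid();
    }
    // Fallback for Linux hosts built without the posix extension:
    // /proc/self/status has "Uid: real effective saved fs".
    $status = @file_get_contents('/proc/self/status');
    if ($status !== false && preg_match('/^Uid:\s+\d+\s+(\d+)/m', $status, $m)) {
        return (int) $m[1];
    }
    return null;
}

function uid_name(int $uid): string
{
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw !== false) {
            return $pw['name'];
        }
    }
    return 'uid ' . $uid;
}

function verdict(?int $procUid, int $fileUid, string $sapi): string
{
    if ($procUid === null) {
        return 'UNKNOWN: could not determine the process UID; ask the host how PHP is executed.';
    }
    if ($procUid === $fileUid) {
        return 'OK: scripts run as the file owner (' . uid_name($fileUid) . ') via SAPI ' . $sapi . '.';
    }
    // apache2handler is the in-process mod_php SAPI; any mismatch is a problem regardless.
    $hint = ($sapi === 'apache2handler') ? ' This is mod_php running in the Apache process.' : '';
    return 'FAIL: scripts run as ' . uid_name($procUid) . ' but the file is owned by '
        . uid_name($fileUid) . ' (SAPI ' . $sapi . ').' . $hint;
}

header('Content-Type: text/plain');
$sapi    = php_sapi_name();
$procUid = process_uid();
$fileUid = fileowner(__FILE__);

echo "SAPI:            $sapi\n";
echo "process uid:     " . ($procUid === null ? 'unknown' : $procUid . ' (' . uid_name($procUid) . ')') . "\n";
echo "file owner uid:  $fileUid (" . uid_name($fileUid) . ")\n";
echo verdict($procUid, $fileUid, $sapi) . "\n";
```

A FAIL result means every other tenant's code on that box executes with the same identity as yours and can read your X-Cart configuration and database credentials, which is exactly the situation Appendix A is written to exclude; an OK result is one data point for the merchant's own validation of the host, not a substitute for the rest of Appendix A.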