Solved-trying to get server PCI DSS Compliant for my ecommerce site

I’m at a loss here… 2 months ago (!) I submitted a support request regarding the failure of a server to be PCI DSS compliant. Below is a copy of my question. I have followed up about 4 times through Live Chat and I have submitted another request. And… nothing. No answer, no reply, no help. I was told Security is looking into it and no one could tell me how long it would take. Now I am unable to Chat Live anymore. Should I just move everything to a different company?

Any suggestions?

June 26, 2011
I am in the process of validating my website to be PCI DSS compliant. (This is the mandatory request from my merchant account)

I ran their “scan” and they gave me a list of server failures. Below is the email my contact sent me:

“I looked and saw that you started a scan yesterday. I noticed that the scan completed and several servers failed due to a couple of vulnerabilities. You will need to have these items remediated and then run another scan. Once you have a successful scan on all servers, you can log in to the PCI ToolKit on the following day, after our system updates, and complete that one remaining task. Once you have certified the item is complete you will attest to your compliance and you will be done until next year.”

I have the scan attached.

What do I do now since these are your servers?

So I was able to Live Chat twice today; the second time, the guy told me he couldn’t help me and he terminated my conversation. Below was the first chat that abruptly ended. And… still nothing.

Please wait for a site operator to respond.
You are now chatting with 'Art'
Art: Hello. How can I help?
ME: It’s been 2 months (almost) since I submitted my ticket: 4368150
ME: I have not heard anything
ME: I know security is looking into it
ME: but i need more from someone
ME: I need someone to tell me something
ME: If you can’t help me, please find someone who can
Art: Let me check
ME: o k
ME: any news?
Art: I have an Abuse rep looking over the ticket now
Art: He will be replying to you shortly

I am sure nobody will be able to help you here, since we are all customers.
I did do a basic google search to find out what it is you want/need.
For starters, probably a dedicated server with a unique IP and https, and then of course specialized software, which you need to purchase and install.

Not my/our business here, but unless you are setting up a gigantic internet shop or something which will bring in millions of dollars, why not just use one of the many very good and reliable merchant programs out there who will have you set up within a day and only charge between 2 to 5% of your sales?

Also, live chat is not available all the time unless you are paying the 9.95 a month; it is a premium service. Depending on their workload they make the live chat available to the rest of us, but it’s not an every day thing.

ronthai is right. Unless you already have steady sales that warrant having a merchant account that makes you jump through hoops, you might as well go with something like PayPal or Google Checkout (you have to have SSL to use them though, I think). I have had PayPal for years and have not yet had any issues with them.

Dreamhost did contact me and diligently worked with me on my issues. Everything is resolved.

Of course I have a dedicated server, https and software. I also use an excellent merchant account company, my question wasn’t about that. All is well.

Can you outline what you ended up having to do to your site to make it compliant? My Payment Processor (PP) is requiring my site to be PCI Compliant too, and I’d like to stay with DH as my host. Per DH emails, my PP can scan my site and let me know what might need to change to bring it into compliance. Who scanned your site to verify compliance?

Is the dedicated server and HTTPS service a requirement for compliance? I see that the cost goes way up with that.

A dedicated server is not required for PCI compliance — we have plenty of PCI-compliant customers on VPS or shared hosting. You will almost certainly need an SSL certificate, though, as most activity which requires PCI compliance (e.g., handling credit cards) will require HTTPS.