Hey,
I've scanned resources regarding this within the DO community, but what level of PCI compliance are the DO servers if any?
I'm currently running a magento store and planning on letting users enter card information on site but process the transaction with 3rd party such as sage or stripe.
Has anyone tackled this before?
Thanks
I roughly followed this guide: http://bodhizazen.net/Tutorials/SSH_security
the droplet passed the PCI Compliance scanner on the first try. In years past (when I was using other hosting) there would always be something that needed fixing or updated, so it was nice to have it pass on the first go.
You can find information on our certifications/compliance for each datacenter here.
Much of PCI-DSS compliance depends on the configuration of your droplet and the services you run on it. We do not provide a hardened image by default but you receive full root access to configure your droplets as you require.
I just did a PCI compliance test on a droplet. The server itself passed with flying colors (had basic SSH secured, firewall, etc)
Where it did not pass is the loads of documentation they now require. This must be something new because I have passed every year until now.
Things like:
*Are written policies and procedures defined for reviewing the
following at least daily, either manually or via log tools?
•
All security events
•
Logs of all system components that store, process, or
transmit CHD and/or SAD, or that could impact the security
of CHD and/or SAD
•
Logs of all critical system components
•
Logs of all servers and system components that perform
security functions (for example, firewalls, intrusion-detection
systems/intrusion-prevention systems (IDS/IPS),
authentication servers, e-commerce redirection servers, etc.)
*
The amount of documentation required is a bit overwhelming. In the end, the company decided to just stop storing CC numbers rather than pay me to do all the documenting.
Ye i'm planning on using something like stripe.js to handle the bulk of processing payments, i'm just wondering where the server stands in terms of data protection etc.
The problem that we just ran into is Digital Oceans data center is not PCI compliant. So anything you do on the server will not matter because if you want to get level 1 you need at minimum Digital Ocean to show you an AOC for the Data Center. They cannot do that right now.
As far as I know. We ended up moving our PCI servers to RackSpace with CloudPassage and Twistlock. The only other thing you need is logging server and the policies written and you are good to go for PCI level 1
How did you find that Digital Ocean data centers are not PCI compliant? A report somewhere that I can see?
You need to submit a PCI cert to your auditor for all of your partners. DigitalOcean does not have this Cert because they have not been audited for PCI. Their data centers ARE compliant but you need DigitalOcean to qualify as well as the data center. Until they do this then your auditor will not approve your cert.
At Rackspace you ask for the Cert and they give you an electronic signature and then you get the cert in a few mins.
I contacted DO support and they pointed me to this page:
https://www.digitalocean.com/help/policy/
Specifically the question titled, "Are your datacenters certified / PCI compliant?"
Does that not address your concerns?
No they need to be able to provide you with a cert that you have to keep on file and keep it updated https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-AOC-ServiceProviders.docx?agreement=true&time=1467210918089
I wonder if this is still needed as DO states that has PCI-DSS at https://www.digitalocean.com/security/compliance/
Would anyone knows?
