Is Mass Hosting PCI Compliant? (Biting the hand that feeds me)
If anybody actually pays attention to what I have to say, there's a good chance that this post is going to make a lot of people awfully mad. It needs to be said.
Most web sites built by my company are mass-hosted on cPanel servers. We're not the only company around that does this- there are many more. On the internet, there are hundreds of thousands of mass hosting servers, with hundreds of users on each server. On our systems, about 1/3 of those accounts have some kind of ecommerce software. I don't know whether that fits with industry averages, but it paints a pretty interesting picture.
The internet has a massive number of ecommerce web sites, all processing credit card transactions, hosted on servers with at least a few hundred other users. Let's presume one thing for the sake of this post: breach of one account can lead to compromising another account through local attacks (world-readable configuration files, local file inclusion, and a whole host of others that I haven't publicly disclosed yet) as well as web-based attacks (see my previous post on server and client attacks via mod_userdir). I'll be posting a lot more ways to attack shared hosting in the future, but humor me and take it for granted if you must.
I've seen some debate as to whether PCI standards apply to ecommerce apps that outsource the payment processing to a third party like PayPal or Authorize.net, but I honestly don't think it should matter. First off, any site that handles CC data, even if they are not stored on the system, can be abused. If I can break into your Zen Cart installation and 'customize' your payment module to email those numbers to me, it doesn't matter who does the payment processing. If you have a payment form, the PCI standards should apply to you.
But here's the thing: every one of my company's servers gets scanned for PCI compliance. Every one of them passes, and I've got the certificate to prove it. When you hit a cPanel server directly (via IP address), only one website will come up, and it is usually a default cPanel page, which is pretty minimal. Each of these servers has hundreds more accounts that don't even get touched by McAfee's web app scanner.
Finding XSS holes on at least one of those accounts is practically guaranteed. In fact, when I first started in my current position, I was able to gain shell access on any given server in less than 5 minutes. I've since been able to make incredible progress with mass patchings and my own vulnerability research, but there are enough unknown issues and custom code that I'll never be able to fix them all.
So why are these servers being certified as PCI compliant?
Now, my company don't actually advertise that our shared servers are PCI compliant, but we do test them as part of our own merchant agreements. In addition, we've greatly improved our processes and sales practices to make sure that new code is reviewed and apps with sensitive data go on VPSes, but that does nothing for all the old clients, and even less for the millions of other sites out there.
The main point here, of course, is that these servers are consistently tested as PCI compliant. This isn't really a attack on McAfee. Many of our clients use other ASVs for their own sites, and none have a problem with the fact that these sites are mass-hosted, nor the fact that other sites on the same server are not PCI compliant (though if they tried to scan the other sites on the server, I'd put a stop to it pretty quickly, for obvious reasons).
Can somebody with more background in PCI weigh in on this? Is this just a massive oversight on the part of every ASV out there? When my company gets big enough that they need a PCI QSA audit rather than the ineffective ASV scans, are we going to be have to rebuild all of our customers' websites? Are we going to be completely screwed compliance-wise?
Most web sites built by my company are mass-hosted on cPanel servers. We're not the only company around that does this- there are many more. On the internet, there are hundreds of thousands of mass hosting servers, with hundreds of users on each server. On our systems, about 1/3 of those accounts have some kind of ecommerce software. I don't know whether that fits with industry averages, but it paints a pretty interesting picture.
The internet has a massive number of ecommerce web sites, all processing credit card transactions, hosted on servers with at least a few hundred other users. Let's presume one thing for the sake of this post: breach of one account can lead to compromising another account through local attacks (world-readable configuration files, local file inclusion, and a whole host of others that I haven't publicly disclosed yet) as well as web-based attacks (see my previous post on server and client attacks via mod_userdir). I'll be posting a lot more ways to attack shared hosting in the future, but humor me and take it for granted if you must.
I've seen some debate as to whether PCI standards apply to ecommerce apps that outsource the payment processing to a third party like PayPal or Authorize.net, but I honestly don't think it should matter. First off, any site that handles CC data, even if they are not stored on the system, can be abused. If I can break into your Zen Cart installation and 'customize' your payment module to email those numbers to me, it doesn't matter who does the payment processing. If you have a payment form, the PCI standards should apply to you.
But here's the thing: every one of my company's servers gets scanned for PCI compliance. Every one of them passes, and I've got the certificate to prove it. When you hit a cPanel server directly (via IP address), only one website will come up, and it is usually a default cPanel page, which is pretty minimal. Each of these servers has hundreds more accounts that don't even get touched by McAfee's web app scanner.
Finding XSS holes on at least one of those accounts is practically guaranteed. In fact, when I first started in my current position, I was able to gain shell access on any given server in less than 5 minutes. I've since been able to make incredible progress with mass patchings and my own vulnerability research, but there are enough unknown issues and custom code that I'll never be able to fix them all.
So why are these servers being certified as PCI compliant?
Now, my company don't actually advertise that our shared servers are PCI compliant, but we do test them as part of our own merchant agreements. In addition, we've greatly improved our processes and sales practices to make sure that new code is reviewed and apps with sensitive data go on VPSes, but that does nothing for all the old clients, and even less for the millions of other sites out there.
The main point here, of course, is that these servers are consistently tested as PCI compliant. This isn't really a attack on McAfee. Many of our clients use other ASVs for their own sites, and none have a problem with the fact that these sites are mass-hosted, nor the fact that other sites on the same server are not PCI compliant (though if they tried to scan the other sites on the server, I'd put a stop to it pretty quickly, for obvious reasons).
Can somebody with more background in PCI weigh in on this? Is this just a massive oversight on the part of every ASV out there? When my company gets big enough that they need a PCI QSA audit rather than the ineffective ASV scans, are we going to be have to rebuild all of our customers' websites? Are we going to be completely screwed compliance-wise?
Labels: Audits, cPanel, McAfee, PCI-DSS, Shared Hosting
posted by mckt at
6:27 AM
14 Comments:
"The CC data doesn't get stored on the server, but it certainly gets handled by server-side code."
Right, and the second the server handles any of it, you are on the hook for the DSS
By
Jason Remillard - 54f3.com, At
November 30, 2009 2:06 PM
Just some quick words of advice.
I am a pci expert that helps fortune 500 companies become pci compliant.
First off, I would like to say don't trust a website just because it has a logo image stating it gets scanned daily. That means absolutely nothing and is laughable.
Retaining real pci compliance is harder and much more expensive. This means physical security, hardening the host system and applying updates on a regular basis, monitoring logs and services, writing secure programming code, testing for bugs and vulnerabilities on a regular basis, etc...
When your computer systems have been certified, only then you can retain customer information.
One of the best generalized guides on how to properly secure a server is freely available to anyone. You can read it in pdf form here:
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
For people like me, its easy to get a server pci compliant because we have the knowledge and the means.
Protecting customer data is important and trust is equally important to people.
By
Steve, At
November 30, 2009 2:06 PM
Do you have links to the info about PayPal API allowing access to credit card data?
By
SneakySimian, At
November 30, 2009 2:06 PM
In Paypal's case, you're looking for Website Payments Pro, I believe (It's been a while since I was a developer, and none of my teams are around at the moment). Here's the developer documentation: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_paymentspro
Authorize.net, Linkpoint, and the rest have similar setups, but basically your application picks up CC data, formats it (usually SOAP), and sends it to their transaction server. The CC data doesn't get stored on the server, but it certainly gets handled by server-side code.
By
mckt, At
November 30, 2009 2:06 PM
Well that's certainly news to me. I'll have to look in to that some more.
By
SneakySimian, At
November 30, 2009 2:06 PM
That used to be the point with PayPal, but now they, along with Auth.net, Linkpoint, and the others, have developers' APIs which allow the application to take the credit card data and hand it off directly to the payment gateway. As far as I can tell (and the reaction I got from a few PCI experts confirms this), these applications are still subject to the PCI-DSS.
However, most developers don't know this. The payment gateways are often "nudge nudge, wink wink" about it, and really aren't trying to correct this misinformation. In fact, I made a few calls to payment gateways' sales departments a few weeks ago (as a potential customer), and while they're generally careful to not say "you will be PCI compliant", they won't make a point of telling you that it's not the case, either.
By
mckt, At
November 30, 2009 2:06 PM
I'm not an expert in PCI, but I did have some comments.
Please let me know if I'm misunderstanding something, but isn't the point of PayPal, Authorize.net, etc. that the e-commerce operator never sees the credit card data? Now, if the e-commerce operator does ever see the credit card data, even in passing, then they should absolutely be held to PCI DSS. As a customer, I don't know or care who is storing or seeing my credit card data, so long as it doesn't get compromised. So wouldn't PCI DSS have the same goals in that regard?
As for shared hosting, I agree that it is a disaster in the making.
"Requirement 7: Restrict access to cardholder data by business need-to-know" - Doesn't that mean that shared hosting, by definition, breaks PCI DSS? Other requirements, like writing secure applications, are not possible on shared hosting. The e-commerce operator is not going to be able to control some clueless site admin running 3 year-old code and getting compromised. As soon as that happens, an improperly setup server is going to allow the crossing of accounts in to the e-commerce operator's account and downloading all of the credit card data - because of an insecure application.
By
SneakySimian, At
November 30, 2009 2:06 PM
Post a Comment
<< Home