
I'm new to PCI, we just paid for the Trustkeeper PCI Scan and here are some of the results (just the vulnerability names):

  • DB Accessibility
  • SSLv2 Supported
  • A lot of BIND (patches) related vulnerabilities
  • A lot of OpenSSL (patches) related vulnerabilities
  • A lot of Apache Tomcat (patches) related vulnerabilities
  • HTTP Server Username Probing

We are paying for a VPS service and my questions are: which vulnerabilities can/should/must be fixed by us (how could we fix them?) and which ones by the hosting provider?

Thanks in advance!

Shaz

3 Answers


Generally you will never pass PCI compliance on a VPS. This is due to shared storage usually.

Mike

You should have terms and conditions for your hosting that should narrow down who's responsible for what. That, or contacting their tech support contact at the company should clear it up.

If you're the one installing the services it'll most likely be your responsibility. If they provided the services in question and you have no access, then it's theirs. They may refuse to help you with all of them, however. And if PCI compliance is mandatory for what you do you may need to find another provider.

Bart Silverstrim

DB Accessibility

Disable access from the internet to your database service.

SSLv2 Supported

Disable SSLv2. Exact steps depend on what web server has the vulnerability.

A lot of BIND (patches) related vulnerabilities

A lot of OpenSSL (patches) related vulnerabilities

A lot of Apache Tomcat (patches) related vulnerabilities

Patch. Exact steps depend on your OS.

HTTP Server Username Probing

Need more information about the exact request/response that the scan took issue with.

All of these issues would be in your court for a typical VPS arrangement - but, as Mike said, a vulnerability scan is one thing, but you're unlikely to get true PCI compliance in a VPS environment that wasn't built specifically around PCI.

Shane Madden
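The two concrete fixes in the answer above (database reachable from the internet, SSLv2 still enabled) as a small POSIX shell audit. This is an added example, not code from the original question or answers: the listener table is constructed in the style of `ss -lnt` output rather than captured from a real host, the database ports (MySQL 3306, PostgreSQL 5432) are an assumption, and the `SSLProtocol` strings are Apache mod_ssl directive values evaluated the way mod_ssl does (left to right, `all` enables everything, `-X` removes, `+X` or bare `X` adds).

```shell
#!/bin/sh
# Added example (not from the original answers): check two scan findings,
# "DB Accessibility" and "SSLv2 Supported", against constructed sample data
# so the script runs offline. Assumptions: DB ports are 3306 and 5432; the
# listener sample mimics `ss -lnt`; the SSLProtocol values are Apache mod_ssl.

# Constructed sample in the style of `ss -lnt` (not captured from a real host).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*'

# Ports treated as database services (assumption).
DB_PORTS="3306 5432"

# exposed_db_ports: print "PORT bound to ADDR" for every DB port that listens
# on something other than loopback. A bind to 0.0.0.0 or [::] is what the
# scanner sees as "DB accessible"; the fix is to bind the service to
# 127.0.0.1 (or a private interface) and firewall the port.
exposed_db_ports() {
    printf '%s\n' "$SAMPLE_LISTENERS" | awk -v ports="$DB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if ((port in want) && host != "127.0.0.1" && host != "[::1]")
                print port " bound to " host
        }'
}

# ssl_allows_sslv2: succeed (exit 0) if an Apache SSLProtocol value still
# permits SSLv2. Tokens are applied left to right as mod_ssl does: "all"
# enables every protocol, "+X" or bare "X" adds one, "-X" removes one.
ssl_allows_sslv2() {
    enabled=0
    for tok in $1; do
        case "$tok" in
            all|+all|SSLv2|+SSLv2) enabled=1 ;;
            -all|-SSLv2)           enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# The weak directive value beside the corrected one: "all" on its own keeps
# SSLv2 (and SSLv3) available on mod_ssl builds that still ship them.
WEAK_SSLPROTOCOL='all'
FIXED_SSLPROTOCOL='all -SSLv2 -SSLv3'

# report: print the findings an admin would act on.
report() {
    echo "DB ports reachable beyond loopback:"
    exposed_db_ports | sed 's/^/  /'
    for v in "$WEAK_SSLPROTOCOL" "$FIXED_SSLPROTOCOL"; do
        if ssl_allows_sslv2 "$v"; then
            echo "SSLProtocol $v : SSLv2 still allowed"
        else
            echo "SSLProtocol $v : SSLv2 disabled"
        fi
    done
}

report
```

On a real host, replace `SAMPLE_LISTENERS` with `ss -lnt` (or `netstat -lnt`) output and feed the `SSLProtocol` line from the vhost config that the scanner flagged; a `-all +TLSv1.2` style whitelist is also reported as clean, since it never adds SSLv2 back.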