Overview
PCI Compliance, as used in this article, is a security enforcement practice that holds every service listening on an open port of a server to the current best-practice security protocols. All of our shared servers are configured for full PCI Compliance. We typically enable full PCI compliance mode using the Plesk PCI Compliance Resolver tool, and we use the same tool on our managed virtual private servers (VPS). This article describes the impact of having PCI Compliance enabled.
Please note that PCI Compliance requirements change over time: as vulnerabilities are found in older protocols, those protocols are added to the required "do not use" list for PCI compliance. For example, a few years ago SSL 3.x and TLS 1.0 were considered acceptable protocol versions, but as of 2017 TLS 1.0 and earlier are no longer considered acceptable, with only TLS 1.1 and 1.2 being allowed for PCI compliance as of Nov 2018. The PCI Compliance Resolver Tool may therefore need to be run again in the future to keep up with updates to the requirements.
Impact of PCI Compliance on users
PCI Compliance extends to all services hosted on your server, including email. Many email clients, such as Outlook, Windows Live Mail and other legacy applications running under Windows 7/8, will not be able to support TLS 1.1 or TLS 1.2 without additional end-user effort. So the decision comes down to whether or not the requirement for PCI compliance supersedes the desire to keep things accessible for a larger breadth of end-users.
Our preferred solution is to enable PCI Compliance on all servers and let the users sort out their incompatibilities, because security is the priority in any tech-forward company, and people really shouldn't be using outdated and insecure software at this point (Windows 10 was released over three years ago and Windows 7 is now nearly a decade old).
Alternative solutions would be to either purchase a secondary VPS dedicated to users who require the weaker security settings and move those users to it, or purchase a dedicated VPS with high security compliance for any customers requiring full PCI compliance.
PCI Scanning Results / Interpretation
PCI Compliance scans are rather limited in what information they can ascertain from your server. They typically guess at the software versions you are running from banners and often don't attempt to actually test the software to see if it's vulnerable (we frown upon this practice, as it implies a weak PCI compliance testing strategy).
You will likely see what are called false positives in your PCI scan results. A false positive occurs when you are told there is a problem when there really isn't one; this is the usual result when a PCI compliance scan does not actually test the security of your software and instead only looks at its version numbers.
All of our shared servers and most of our Hands-On Support Virtual Servers run the CentOS (similar to RedHat) operating system. The developers of CentOS back-port security updates to the OpenSSH version used on the server: the reported version number of the software stays old, while the later security patches are applied to that version. So, while the server reports an 'insecure' version, the software is in fact patched and meets the security requirement. Your PCI scanning tool will provide an option to report / contest those results, where you can indicate that you are using a back-ported, patched CentOS software package. Be sure to provide them with the actual CentOS package version, which can be obtained by running rpm -q <software> in the server's shell. For example: rpm -q openssh
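As an added example (not part of the original article), the following POSIX shell script gathers the evidence a scan vendor asks for in a false-positive dispute: the installed package version from rpm -q, plus whether the package's rpm changelog references the CVE the scanner flagged, which is how a back-ported fix shows up on CentOS. The package name and CVE id are parameters you supply; the rpm --changelog query is assumed to be available on the host, and the sample changelog below is constructed data with placeholder CVE ids.

```shell
#!/bin/sh
# Added example (not the hosting provider's own tooling). Assumes a CentOS/RHEL
# host with rpm installed; package name and CVE id are caller-supplied.

# Installed version string of a package: this is the value the article tells
# you to send with a false-positive dispute (e.g. package_version openssh).
package_version() {
    rpm -q "$1"
}

# Read an rpm changelog on stdin and report whether it references the given
# CVE id. Exit 0 = mentioned (fix was back-ported), 1 = not mentioned.
changelog_mentions_cve() {
    grep -q -i -- "$1"
}

# Count the distinct CVE ids a changelog on stdin references; a rough gauge of
# how many back-ported security fixes the package carries.
count_cve_refs() {
    grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u | wc -l | tr -d ' '
}

# Live check: version plus changelog evidence for one CVE.
# Usage: backport_evidence openssh CVE-YYYY-NNNN   (replace with the flagged id)
backport_evidence() {
    pkg=$1; cve=$2
    ver=$(package_version "$pkg") || return 2   # package not installed
    if rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"; then
        printf '%s: changelog references %s (patch back-ported)\n' "$ver" "$cve"
    else
        printf '%s: no changelog reference to %s\n' "$ver" "$cve"
        return 1
    fi
}

# Constructed sample changelog for offline use; version and CVE ids are
# placeholders, not real package data.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Maintainer <maint@example.invalid> - 1.0-2
- CVE-0000-0001: back-ported fix for an issue reported upstream
- CVE-0000-0002: another back-ported fix
* Wed Dec 01 2017 Maintainer <maint@example.invalid> - 1.0-1
- rebase to upstream 1.0'
```

Feed the constructed changelog to the parsing functions to see how a match and a miss are reported, then run backport_evidence against the real package on the server.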