
PCI Compliance – Common Issues and Troubleshooting

Maintained by the PCI Security Standards Council (the card brands' standards body, not a government regulator), the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to protect cardholder data and, with it, merchants and their customers against card fraud. The overall goal of PCI compliance is to limit fraud at every step of a card transaction. That said, demonstrating PCI compliance for your website can be tricky.

Any business that accepts credit or debit card payments is required, through its merchant processor, to validate PCI compliance on a recurring schedule. Until the merchant has done so, it may face monthly non-compliance fees assessed by the processor, the PCI compliance seal on the merchant's website will show as broken or non-compliant, and in some cases the processor may suspend the merchant account until compliance can be verified.

For a primer on PCI compliance, please see this page of our website:

We’ve written the following article to address some of the ongoing steps to troubleshoot PCI compliance. Specifically, we want to explain some issues we frequently encounter in helping you reach compliance, and how we work to resolve them.

This article assumes the following:

  • You are the owner or manager of a website that needs to pass PCI compliance
  • You have access to the website hosting environment
  • You are authorized to access your company’s merchant account
  • You are authorized to access your merchant processor’s Approved Scanning Vendor (ASV) interface, where all of the PCI tests and results are compiled

In this article, we'll go over the general workflow of achieving PCI compliance, including the Self-Assessment Questionnaire (SAQ) and setting up your first scan through an Approved Scanning Vendor (ASV). We'll touch on possible issues, such as challenging false positives reported by your ASV and submitting a Risk Mitigation and Migration Plan. And we'll address the specific steps Canvas Host takes to guide you to PCI compliance.

1. Workflow

At the time you signed up for your merchant account, you should have received instructions to access the online portal for the ASV that partnered with your merchant processor.

The first step is to log into that portal and take a look around. Most interfaces will provide an overview of your merchant account, and report on your account’s current PCI Compliance, which typically is presented in two categories. You will need to go through both sets of steps as part of the overall compliance process. They are:

1a. The Self Assessment Questionnaire (SAQ)

You are required to complete the SAQ each year. Which SAQ you fill out depends on how you accept cards: a merchant whose checkout is fully hosted by a third party answers a short questionnaire (SAQ A), while a merchant whose own site handles card data answers several hundred questions (SAQ D) about how you physically conduct business, how you process and store card data about your customers, and what steps you take to secure your entire business.

If this is the first time you have logged into your account, the SAQ will be displayed as "incomplete" or "not passing compliance". Clicking the "start" or "begin report" button opens the online form. Set aside an hour, perhaps two, if this is your first time. On subsequent reports you will find it faster to review and refine previous answers, noting aspects of your operations that have changed and skipping over details that have not.

Once you have gone through the SAQ, there may be follow-up questions provided by the interface that ask you to clarify or rectify incomplete or unacceptable answers. Once you have met all of the requirements of the SAQ, the interface will indicate that you have passed the SAQ. It is important to be as accurate as possible on all answers, to both ensure your company is operating safely, as well as to mitigate any liability that might arise from having provided untruthful information.

1b. PCI Compliance Scan

This is the hardest part. Every quarter (three months), you are required to let the ASV scan your website and hosting service from the internet, analyze both for vulnerabilities, and generate a report that comes back as either "pass" or "fail". (Quarterly external scans apply to SAQ types that have internet-facing systems in scope; a merchant on SAQ A whose checkout is fully outsourced is generally not required to scan, so check which SAQ your processor has assigned you.) After each scan, the results are compiled into a printable/downloadable report, typically a PDF, for review by you and, potentially, your website host as well.

If this is your first time logging in, you will need to set up the ASV interface to scan your website, noting the domain name, and possibly the IP address associated with your hosting account. Once set up, the scan will be scheduled to start, and you will be notified of the scan’s findings.

If this is not your first time logging in, or you have recently changed website hosting providers and the old reports are still listed in the ASV interface, be sure to check the ASV's configuration to ensure it will be scanning the correct IP address and/or website host! In the past, we have had customers notify us of failed scans; upon reviewing the reports, we determined the failure was due to the ASV scanning the old hosting provider and not Canvas Host. A quick check before each scan is to confirm that every hostname and IP address configured in the ASV actually resolves to your current host.
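To catch the stale-target problem before the ASV does, here is an added example (not Canvas Host's or any ASV's tooling) that resolves each hostname you have configured for scanning and flags any address that falls outside the ranges your current host allocated to you. The hostnames and addresses in it are constructed placeholders from the documentation ranges, and the resolver is injectable so the check can be run against canned answers as well as live DNS.

```python
"""Verify that the hostnames an ASV will scan resolve to your *current* host.

Added example, not Canvas Host's tooling.  Hostnames and addresses used in
the demo at the bottom are constructed placeholders (RFC 5737 ranges).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set


def resolve_with_system_dns(hostname: str) -> Set[str]:
    """Return every A/AAAA address the local resolver hands back for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Strip IPv6 scope ids such as "fe80::1%eth0" so ipaddress can parse them.
    return {info[4][0].split("%")[0] for info in infos}


def check_scan_targets(
    targets: Iterable[str],
    current_host_ranges: Iterable[str],
    resolve: Callable[[str], Set[str]] = resolve_with_system_dns,
) -> Dict[str, List[str]]:
    """Classify each scan target as ok, stale, or unresolved.

    current_host_ranges: the addresses or CIDR blocks your current hosting
    provider allocated to your account.  A resolved address outside them means
    the ASV would scan a server that is no longer yours (typically the old
    host), and a "fail" from that scan says nothing about your site.
    """
    networks = [ipaddress.ip_network(r, strict=False) for r in current_host_ranges]
    report: Dict[str, List[str]] = {"ok": [], "stale": [], "unresolved": []}
    for name in targets:
        addrs = resolve(name)
        if not addrs:
            report["unresolved"].append(f"{name}: no A/AAAA record")
            continue
        outside = sorted(
            a for a in addrs
            if not any(ipaddress.ip_address(a) in net for net in networks)
        )
        if outside:
            report["stale"].append(
                f"{name}: {', '.join(outside)} not in current host's ranges"
            )
        else:
            report["ok"].append(f"{name}: {', '.join(sorted(addrs))}")
    return report


if __name__ == "__main__":
    # Constructed DNS answers standing in for a real zone after a host move.
    canned = {
        "shop.example": {"203.0.113.10"},         # moved to the new host
        "www.shop.example": {"198.51.100.7"},     # forgotten record, old host
        "old.shop.example": set(),                # record removed entirely
    }
    result = check_scan_targets(canned, ["203.0.113.0/24"], resolve=lambda h: canned[h])
    for status, lines in result.items():
        for line in lines:
            print(f"[{status}] {line}")
```

Run it with the real hostnames from the ASV's target list and the ranges from your hosting welcome email; anything reported as stale should be corrected in DNS (or removed from the ASV's target list) before the next scheduled scan, since a finding against the old host cannot be fixed by anyone on the current one.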

2. Reviewing the PCI scan

Scans of your website and hosting environment can take several hours to complete. The scans target two components of your online business:

2a. Your website and application code

During the scan, the ASV crawls your website's URLs, specifically looking for forms such as account logins, or fields that request credit card or other personal information (identified by the field names in the HTML).

The scan will also attempt to fingerprint the application you are running, such as WordPress/WooCommerce, Magento, or Zen Cart (a few of the many popular cart applications), and its version, which matters because point releases and minor patches are regularly issued to fix code vulnerabilities. It then checks whether that version carries known bugs, such as cross-site scripting, or bundles JavaScript or CSS components with known flaws of their own, any of which can make the site exploitable.
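As an added illustration of what that application-side crawl is looking for (our own example, not Canvas Host's or any ASV's scanner), the following script parses one page the way a scan would: it notes a version-disclosing generator tag, finds forms whose fields look like they collect card data or passwords, and reports any such form that submits over, or is served over, plain http. The sample page and the list of sensitive field-name hints are constructed for the demo.

```python
"""Mimic the application-side checks of a PCI scan on one HTML page.

Added example, not Canvas Host's or any ASV's code.  The field-name hints and
the sample page are constructed for the demo.
"""
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Substrings that mark an input as sensitive.  Constructed heuristic; real
# scanners carry much larger lists.
SENSITIVE_NAME_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "pass", "pwd")


class FormAuditor(HTMLParser):
    """Collect the generator tag and, per form, its resolved action URL and
    the names of any sensitive inputs it contains."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.generator: Optional[str] = None
        self.forms: List[Dict[str, Any]] = []
        self._form: Optional[Dict[str, Any]] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "form":
            # An empty action submits back to the page itself.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "sensitive": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("type", "text").lower() == "password" or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._form["sensitive"].append(name or "password")

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._form = None


def audit_page(page_url: str, html: str) -> List[str]:
    """Return findings in the style of a scan report, in page order."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings: List[str] = []
    if parser.generator:
        findings.append(f"version disclosure: <meta name=generator> reveals {parser.generator!r}")
    sensitive_forms = [f for f in parser.forms if f["sensitive"]]
    for form in sensitive_forms:
        scheme = urlsplit(form["action"]).scheme
        if scheme != "https":
            findings.append(f"sensitive fields {form['sensitive']} submit over {scheme} to {form['action']}")
    if sensitive_forms and urlsplit(page_url).scheme != "https":
        findings.append(f"page carrying {len(sensitive_forms)} sensitive form(s) is served over plain http: {page_url}")
    return findings


# Constructed page: a checkout form posting to a relative URL, a login form
# posting to an https URL, and a harmless search form.
SAMPLE_PAGE = """<html><head><meta name="generator" content="WordPress 4.7"></head>
<body>
<form action="/checkout" method="post">
  <input name="cardNumber"> <input name="cvv"> <input name="email">
</form>
<form action="https://accounts.example/login" method="post">
  <input name="user"> <input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for line in audit_page("http://shop.example/cart", SAMPLE_PAGE):
        print(line)
```

Run against the same page served at an https URL, the checkout form's relative action resolves to https as well and only the generator disclosure remains, which is why forcing https on the whole site, not just the payment page, clears most of this class of finding.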

2b. Your website’s hosting environment

The ASV will also attempt to scan details of your website hosting provider — in this case, Canvas Host and the server we use to host your website — to determine if the server itself meets certain security criteria, or if it contains known vulnerabilities or similar “problems” that need to be fixed, in order to pass compliance.

Examples of things tested for include:

  • The version of the operating system and related software, such as CentOS and WHM/cPanel
  • Encryption and remote-access services, such as the SSH/SFTP and SSL/TLS versions the server offers
  • Server-level login interfaces, and whether they force https:// or permit http://
  • Insecure services that should not be exposed, such as plain FTP
  • Open ports that expose services which should not be reachable from the internet

This portion of the scan is sometimes the trickiest, and for you it can also be the most frustrating, as it concerns things entirely outside your control.

For Canvas Host, it provides the greatest set of challenges, as every ASV applies a different set of criteria by which a server is judged PCI compliant or not. The greatest quandary concerns suspected vulnerabilities or errors that do not actually exist, but which turn up because the ASV cannot fully inspect our servers, and whether the ASV will accept the answers and evidence we provide in the course of trying to meet its criteria. This brings us to the next section.

3. Troubleshooting and resolving PCI scan failures

Whenever a PCI scan comes back with a “fail”, we ask you to open a ticket and provide us with a copy of the report to our Support system, at https://support.canvashost.com.

Our team will review the scan report and provide assistance in understanding the points of failure. For any points of failure due to code or website issues, our team will inform you that those are things you will need to fix. For any issues pertaining to the server in question, we will review the issue to determine if it is a new requirement that we need to act upon, or if it is something we’ve already fixed but which could not be determined because of limitations by the ASV.

3a. False positives

The most common entries we see in failure reports are "false positives": findings that are not real threats but stem from the ASV not being able to see deep enough into the server to verify that for itself. This is by design, because frankly no outside service should have the right to scan into, let alone break into, one of our servers. But we recognize the irony of the ASV's intrusive role in the grand scheme of PCI compliance, and so it is a game we woefully play.

Whenever an issue is deemed a false positive, Canvas Host will submit to the ASV, through the provided interface, documentation about the purported issue. Two cases are common. The first is a back-ported patch: the operating system vendor fixes a vulnerability in, say, SSH but keeps the original version number in the service banner, so the ASV sees a version string it believes is outdated even though the fix is in place; the evidence is the distribution's package changelog listing the fix. The second is an SSL/TLS certificate mismatch reported because the ASV connected to the server's primary IP address or the site's static IP rather than to the domain name; the certificate is issued for the domain, so unless it also lists that IP address (which is rare) a connection by bare IP will never match, and an exception is the appropriate outcome. In either case, when it comes to a false positive, we will do whatever we can to show the ASV that it is not a real issue and that an exception should be granted.

3b. Outdated TLS, and Risk Mitigation and Migration Plans

This part, honestly, makes us chuckle. TLS 1.0 had been due for retirement for some time, but in April 2015 the PCI Security Standards Council, in our view jumping the gun, declared in PCI DSS 3.1 that SSL and "early TLS" (TLS 1.0) no longer count as strong cryptography, and ASVs were told to require TLS 1.1 or, preferably, 1.2 from all website hosting providers. The problem was that at the time a meaningful share of clients (older versions of Internet Explorer, older Android and Mac OS X releases, and assorted embedded devices) could not negotiate anything newer than TLS 1.0.

This created a very problematic scenario. On the one hand, ASVs began failing PCI merchants and blaming the web hosts for not requiring TLS 1.2. Those hosts that did switch to TLS 1.2 only immediately found that certain Apple OS versions didn't support it, nor did outdated versions of Microsoft Internet Explorer. So while the hosting environment was now PCI compliant, a portion of the merchant's visitors could no longer reach the website at all!

If you had to choose between failing PCI compliance and hosting a broken website, which would you pick? And so several of our customers chose to cancel their merchant account, firing the ASV along with it, and switch to PayPal for checkout, which is handled on PayPal.com rather than on the merchant's website. Because no card data touches the merchant's site, this reduces the merchant's PCI scope to the short SAQ A and removes the need for quarterly ASV scans, and with them the need for PCI hosting with us (it does not remove PCI obligations entirely; the SAQ is still required each year). It was a dark day for all.

At Canvas Host, we were faced with an inordinate task: informing our merchant customers while fighting an impossible battle upstream with various ASVs, many of whom disputed our findings or simply didn't care. As soon as enough egg had landed on the Payment Card Industry's face, a magic solution appeared: the Risk Mitigation and Migration Plan!

What is it? A templated form letter that web hosts fill out, addressing where TLS 1.0 is used, how its use is being mitigated, how the host monitors for new vulnerabilities, how the host ensures TLS 1.0 is not introduced into new systems, and when the host will migrate away from it. All of this can be summarized with the following statement: through server and firewall technologies, and an actively researched hosting environment supported by a team that knows what it is doing and gives a damn. We don't phrase it exactly that way, but hopefully you get the point.

There is indeed a deadline after which Risk Mitigation and Migration Plans will no longer be accepted: June 30, 2018. Though hosts are advised not to wait that long, some large software companies have said it will be some time before their platforms fully support TLS 1.1 and 1.2, and lest we cut off our customers' customers on those platforms from reaching our network, we will wait a while before pushing this upgrade through. (Anyone planning this migration today should target TLS 1.2 or later: TLS 1.1 has since been deprecated as well.)
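Both the server-side criterion listed earlier (which SSL/TLS versions the host offers) and the TLS 1.0 migration come down to one line of web server configuration. The following added example (not Canvas Host's configuration or any ASV's check) evaluates an Apache SSLProtocol directive the way mod_ssl does, left to right with +/- tokens, reports which enabled versions PCI DSS no longer accepts, and proposes the tightened directive. It assumes Apache 2.4 token semantics with "all" expanding to SSLv3 through TLSv1.2 (builds against OpenSSL 1.1.1 also add TLSv1.3); the directives in the demo are constructed.

```python
"""Evaluate an Apache 'SSLProtocol' line against PCI's SSL/early-TLS rule.

Added example, not Canvas Host's configuration or any ASV's code.  Assumes
Apache 2.4 token semantics; ALL_PROTOCOLS reflects an OpenSSL 1.0.x build
(OpenSSL 1.1.1 builds also include TLSv1.3 in 'all').
"""
from typing import FrozenSet, List

ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL_PROTOCOLS = ORDER[1:5]                      # what 'all' expands to
CANONICAL = {p.lower(): p for p in ORDER}       # mod_ssl matches tokens case-insensitively
# SSL and "early TLS" (TLS 1.0): not strong cryptography under PCI DSS after
# 30 June 2018.  TLS 1.1 survived that deadline but has since been deprecated
# (RFC 8996), so MINIMUM_TARGET is what a migration should aim for.
EARLY_TLS: FrozenSet[str] = frozenset({"SSLv2", "SSLv3", "TLSv1"})
MINIMUM_TARGET = "TLSv1.2"


def enabled_protocols(directive: str) -> FrozenSet[str]:
    """Apply the tokens of an SSLProtocol value left to right.

    A bare token or '+token' enables, '-token' disables, and 'all' expands to
    ALL_PROTOCOLS, mirroring how mod_ssl accumulates its protocol mask.
    """
    enabled = set()
    for token in directive.split():
        sign, name = ("+", token) if token[0] not in "+-" else (token[0], token[1:])
        if name.lower() == "all":
            members = ALL_PROTOCOLS
        elif name.lower() in CANONICAL:
            members = (CANONICAL[name.lower()],)
        else:
            raise ValueError(f"unknown SSLProtocol token {token!r}")
        for proto in members:
            if sign == "+":
                enabled.add(proto)
            else:
                enabled.discard(proto)
    return frozenset(enabled)


def pci_findings(directive: str) -> List[str]:
    """One finding per enabled version an ASV must fail after the deadline."""
    weak = sorted(enabled_protocols(directive) & EARLY_TLS, key=ORDER.index)
    return [f"{p} is enabled; SSL/early TLS is not strong cryptography under PCI DSS" for p in weak]


def hardened_directive(directive: str) -> str:
    """Rewrite the line so only versions at or above MINIMUM_TARGET survive."""
    floor = ORDER.index(MINIMUM_TARGET)
    keep = [p for p in ORDER if p in enabled_protocols(directive) and ORDER.index(p) >= floor]
    if not keep:
        keep = [MINIMUM_TARGET]  # nothing acceptable was enabled; start from the floor
    return "-all " + " ".join("+" + p for p in keep)


if __name__ == "__main__":
    # Constructed directives: the classic "everything but SSLv2/SSLv3" line
    # that still fails the 2018 rule, and a line that already passes.
    for line in ("all -SSLv2 -SSLv3", "-all +TLSv1.2"):
        print(f"SSLProtocol {line}")
        print("  enabled :", " ".join(sorted(enabled_protocols(line), key=ORDER.index)))
        for finding in pci_findings(line) or ["no SSL/early TLS findings"]:
            print("  finding :", finding)
        print("  suggest : SSLProtocol", hardened_directive(line))
```

This only tells you what the configuration intends. Confirm what the live server actually negotiates with `openssl s_client -connect host:443 -tls1` (a handshake that succeeds means TLS 1.0 is still on), on a build that offers TLS 1.3 add `+TLSv1.3` to the suggested line, and apply the same reasoning to every TLS endpoint in scope: mail, FTP-over-TLS and control-panel ports, not only 443.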

Here is what a sample Risk Mitigation and Migration Plan looks like. When responding to certain ASV failures, the following document should suffice for the June 30, 2018 exception.

Risk Mitigation and Migration Plan
Prepared by Canvas Host

1. Where are SSL/TLS 1.0 currently used in your environment? (Description(s) of where and how you are currently using SSL and/or early versions of TLS.)

Our servers currently accept TLS 1.0 and also offer TLS 1.1 and TLS 1.2; each client negotiates the highest version it supports. At present, certain operating systems, web browsers, and/or email applications are limited to TLS 1.0. Until more recent TLS versions are more widely adopted, we will continue supporting TLS 1.0. We understand the PCI deadline for this has been extended to June 30, 2018.

2. How are you mitigating risks with SSL/TLS 1.0? (Description(s) of the level of risk with SSL/TLS 1.0 in your environment and the additional security controls you have put in place to mitigate these risks.)

We monitor traffic and server activity continuously, and any suspicious traffic or activity is acted on immediately.

3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0? (Description(s) of the processes you are employing to monitor for new vulnerabilities associated with SSL/TLS 1.0.)

We monitor for and apply software updates daily, and we verify that back-ported patches in the software we run address the vulnerabilities in question.

4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? (Meaning, how can you verify that new or upgraded systems connected to your cardholder data environment don’t contain SSL/TLS 1.0?) (Description(s) of changes you are making in your processes to make sure that SSL/TLS 1.0 are not introduced into new environments.)

Cardholder data and all customer data are the responsibility of each customer we host. At present, our environment supports TLS 1.0, 1.1, and 1.2. Some browsers and devices, as noted above, do not yet support TLS 1.1 and 1.2.

To the best of our abilities, the environment supports the latest and most secure TLS versions.

5. When will your migration plan from SSL/TLS1.0 be completed? (completion must be no later than June 30, 2018.)

For best practice, we plan to migrate fully away from SSL/TLS 1.0 before the PCI deadline of June 30, 2018, as soon as we are confident that adequate support for TLS 1.1 and 1.2 has been rolled out to our customers' platforms, devices, and applications.

3c. Worst case scenario? Fire the ASV

Unfortunately, Canvas Host has given this recommendation to several customers over the past year whose ASVs refused to listen to us, and refused to accept the very Risk Mitigation and Migration Plan set forth by the Payment Card Industry! In these situations, there literally was, and is, nothing you, the customer, or we, the web host, can do. In certain situations, terminating your working relationship with the ASV is in fact called for.

Some merchant processors support more than one ASV. Some do not. Unfortunately, if it is a situation where you are forced to use a specific ASV “or else”, then it may come to a point where we recommend you go the “or else” route. At the end of the day, we have nothing to gain by wasting your time by trying to do the ballet with an ASV that keeps stepping on everyone’s toes. In these situations, the ASV is not acting in your best interest, nor the spirit of why they even exist.

If it comes down to this worst case scenario, please know that Canvas Host is willing to try anything to help you pass compliance, and it is for that reason that we may recommend you work with a new merchant processor. We have an established relationship with IonPOS, an Authorize.net reseller that offers very competitive rates and works with Trustwave, a respected ASV that provides a friendly interface and whose support staff approach PCI standards in a fair, manageable way.

4. Reaching PCI Compliance

After everything has been checked out, we will make the determination for you to ask the ASV to re-scan your website. If all goes as it should, the report will turn up a pass, in bold, green letters! Additionally, you will be able to place a nice seal on your website that attests to the domain passing compliance, with a datestamp and other verifiable information that is intended to build trust with your customers.

Remember, the SAQ has to be done each year, and you will receive a reminder when it is up for renewal. Also, your ASV will re-scan your website in another three months, and while we can all hope they will give you a pass for the items cleared as false positives or given exceptions through the Risk Mitigation and Migration Plan, we have seen just as many situations in which the ASV suffers abrupt memory loss and requires everyone to go through the process all over again.

If you detect a bit of sarcasm here, it’s because we know how important it is for you to remain compliant, and yet have been through countless hoops for various ASVs, some of whom in our honest opinion simply should not be in business to begin with. Ultimately, we are here to serve you and ensure you reach compliance.

5. In summary….

In the history of our company’s operations, rarely has Canvas Host’s environment passed a PCI scan on the first try, unless it’s the same ASV that recently scanned another customer’s website. In fact, having just met compliance with one ASV, we have grown accustomed to another ASV immediately taking issue with our environment as well. To some degree, ASVs are in the business to find errors — which is fine — but some do it to such a degree, as to undermine the purpose of PCI compliance and instead create a space that devolves into finger pointing.

The challenges of PCI compliance that face you as a merchant, and Canvas Host as your hosting provider, can be overcome through a spirit of cooperation between all parties. If ever you feel overwhelmed by the process, please don’t be alarmed. We’ve been there before, and we understand the steps we must take to help you get there.

While Canvas Host cannot guarantee an “easy” path to PCI compliance, what we can guarantee is our willingness to help you as best we can.

So much more than a paycheck

It’s been one of those days, one of those weeks, one of those months, and it all got me thinking.

If you dare look at the headlines, I hope you can see the silver linings. Most folks see storm clouds, and I can’t blame them. You name it, the world is in turmoil. Close to home, endless concerns of lost jobs, housing costs, increasing homeless families… the list goes on. All of these things are important. I don’t have the answers to these problems, though I have a sense that if we as a community put our heads together, we could solve many of them in creative ways.

Many of us wake up, and it’s enough to be able to get out of the house, to school or work, let alone make a difference in someone else’s life. It’s been a time of deep reflection for me also, having suffered the loss of a close family member from a car accident little more than two weeks ago.

At moments like this, some things seem incredibly important, and others suddenly not at all. Life-changing moments put everything into focus and fast. For me, it was the realization that my daily routine was something many dream of, and something my cousin will never again be able to do. To pick my son up after school, or help him with homework, or hear him outside playing with new friends, all of that a blessing which some working fathers never get to see. The joy of sharing life with my partner, a chance to start over anew, is something not many survivors of divorce get to experience.

To look at the things I take for granted and to realize that perhaps, I haven’t given thanks enough for the many great things I have in my life, is where my mind has been lately. A loving family. To be able to enjoy long runs along leaf-covered trails in the Fall. Better yet, to be able to simply move under my own two feet. Things like that. Most of us don’t stop long enough to recognize the good we have.

And that is when I looked at my job. Yes, I’m a business owner, but what does that really mean? It’s a job. It’s just a paycheck, nothing more. It’s not a career, it’s not a lifelong pursuit of something greater. It’s just a way to pay the bills. I tell you this as a business owner of too many years and who has seen too many friends burn out, give up, or even lose their lives from a job that never stopped demanding more.

The good things of a job are in the friendships and relationships you create with your coworkers. The team you are part of becomes like family. You win some, you lose some, you fight it out, you argue, you make it right, you grow together, you prosper and you all win… if you want that.

Most people want that, I think. A place to belong to, a place where they fit in and are appreciated for the things they do for the company and each other. I certainly feel that with my team. I suppose I could work from home every day like many business owners, but it would be at the cost of missing out on so much good stuff, not to mention, I wouldn’t be in the thick of it, and that’s where the magic happens.

This company, this team, has overcome a lot of things over the years, including a really awful server failure last week that saw an incredible outpouring of grace and support from many of the affected customers. That’s how I know we’re doing it right, because even those customers, in the darkest of times, were cheering us on.

And that is why we’re here. We’re here for our customers, for each other, for the community and culture we’ve created and which we work to grow each and every day. It’s everyone in this that makes it as important as it has become. Canvas Host is not just a paycheck or a career, it’s so much more. It is friends and family collaborating to make great stuff happen. It is genuine. That authenticity shines through in the work we do each day, and it is reflected in the thanks our customers show.

I am so thankful for the opportunity to work with an amazing team, and to help support such a wonderful, caring family of customers. To help others makes it matter. And for something to matter gives everything that depends on my job, in turn, even more importance. It is making a difference in the life of those I work with and the customers I serve. And all of it is so much more than a paycheck.

Thank you all,

David Anderson

Introducing the High Desert Core – Secure cloud and hosting services



September 29, 2016

Bend, Oregon — Living in the Pacific Northwest, we've known about the Cascadia subduction zone for some time. It's a fault zone off the coast, stretching from Vancouver Island to northern California, where the Juan de Fuca plate slides beneath the North American plate.

Recent headlines have warned of the possibility our region will experience a major earthquake in future years. While we are confident in the security of our Portland data center, we nevertheless take these warnings seriously and have put a plan into action.


To address these concerns, we’ve been working on a new data center build-out in the beautiful city of Bend, Oregon.

Located about 200 miles from Portland on the east side of the Cascade Range, and sitting atop 4,000 feet of solid basalt, the High Desert Core is well removed from the expected damage zone of a Cascadia subduction zone earthquake.

From this location, we’ll soon be offering a new line of services, including secure data backup, cloud hosting, and virtualized solutions for your high availability and scaled hosting needs.

And, there is the environmental angle on our new location. Cooling requires much less energy and electricity in the high desert. The facility also uses a closed water cooling system and is aligned with our sustainability goals.

Located at the Cascade Divide data center, the High Desert Core benefits from critical infrastructure:

  • 26,000 square feet
  • Up to 22kW per rack
  • N+1 Power, Backup, and Cooling
  • Dry pipe pre-action fire suppression with VESDA
  • CCTV surveillance, biometric and access card
  • Carrier Neutral
  • 24x7x365 Remote Hands

As a certified B Corporation and Oregon benefit company, we are committed to delivering the highest quality of services that are reliable, secure, and scalable.


The high desert environment is a living example of permanence and durability. We drew on its elements in creating the branding for the new business: Featuring a background silhouette of Smith Rock, the foreground circuitry represents an ancient juniper tree. Found throughout the Oregon high desert, some junipers are 1,600 years old!

The High Desert Core is a culmination of our drive to innovate in an ethical and environmentally sustainable manner. We’re excited to have set up new operations in Bend, and will keep you informed as we continue developing our new services.

Please contact us at 800.574.4299 x1, or by email at sales@canvashost.com if you’d like to learn more about High Desert Core, or to schedule a tour of the Cascade Divide data center.


Green Drinks returns this Fall 2016!

Hi Green Drinkers,

We want to update you on some things. We’ve taken a few months off and put some feelers out in the Portland and Westside communities for how best to restart Green Drinks this fall.

We’re making a few changes to the organization of Green Drinks, thanks in part to the excellent feedback we received from attendees. We’re here to address those changes, and some things we are keeping the same, and how they will affect the two events we have been holding each month.

1. Instead of two Green Drinks events each month, we will scale back to just one. We will also alternate each month between Portland and Westside Green Drinks. This means we'll hold at most six Portland Green Drinks and six Westside Green Drinks each year. We aim to help build up interest and participation in the events. As much as we love to put these on, we felt the two-each-month cycle was diluting the effectiveness and importance of the events. So, we'll have more time now to organize and promote the events.

2. Attendance fees will remain $5 per person. Some of the feedback we received questioned why we charge $5 to attend events. Considerable time and cost goes into planning and promoting Green Drinks events. For those attending Westside events, we provide food and beverages at BestHQ. And for some events, rental fees do apply, especially for larger turnouts that require renting a full-room, private space. As much as we support the spirit of a sharing economy, the fact is that we cannot put on these events for free. We can however improve the experience. This leads to our next items…

3. Speaker and presenter microphones. Some events are well attended and feedback indicates it is sometimes hard to hear the speakers. Therefore, we have purchased a portable speaker and wireless mic setup to help with this! It should make a big difference.

4. Raffle prizes! This is an area we hope to give back. Portland Cider House is still excited to offer up their space, and as we’ve seen with some other Green Drinks events in the Northwest, raffle prizes are fun! All attendees will receive a raffle ticket and depending on the location and event, we will have a variety of prizes to give out. While we cannot give out “free” alcoholic beverages, we certainly can raffle off an empty growler and some cash to help fill it, as an example. Also…

5. Sponsorship opportunities! This is an area we are opening up for outside interest. While PDX and Westside Green Drinks are officially organized and managed by Canvas Host, we don't want to take all the fun. So if you're a local company that would love some exposure in front of a fantastic audience of green, well-educated, caring folks — yes, that is us giving you all a big shout-out — then please contact us at info@pdxgreendrinks.org. If you have items that you think would make great raffle prizes, we'd love to hear about them. All sponsors will be given 5-10 minutes to talk about their services and products during the Green Drinks event they are sponsoring. And finally…

6. First Wednesday of each month. This is the day we will hold future Green Drinks events, whether PDX or Westside. We will alternate, again, every other month. So look for the return of PDX Green Drinks in October, Westside Green Drinks in November, and so forth.

We appreciate all the time and attention you provided us with your feedback. If you are interested in presenting, sponsoring, or assisting in Green Drinks, please do reach out. And, thanks again for your interest!

Join Canvas Host at the 2016 Beaverton Relay For Life


Are you ready to have fun and fight cancer at the same time? Join Canvas Host at this weekend’s Relay For Life of Beaverton, an event organized through the American Cancer Society.

Cancer never sleeps, so neither will we. For 18 hours, 20 teams and hundreds of volunteers will walk, jog, and run around a track as we raise awareness about cancer, and raise money for cancer research, and patient, survivor, and caregiver services.


July 22, 6:00pm to July 23, 12:00pm
Holy Trinity Catholic Church
13715 SW Walker Road
Beaverton, OR 97005

PLUS: We’re sponsoring bubble soccer. It’s safe, bouncy fun for all ages. Just $5 to play, and all proceeds go directly to our fundraising goal.

Please join us if you can! Together, we can help put a stop to cancer.