I am a small-time developer/web designer and have a client who needs PCI compliance.
I charge him 50 USD a month for an Amazon AWS micro instance, which costs me about 15 USD. So I get 35 USD for patching and maintaining his virtual box.
Recently the PCI scanning company upped the stakes, and the existing SSL cert that was installed then started to fail on SSL1 and SSL2, and I had to prevent the server from negotiating on these protocols and only allow TLS 1.1 or SSL3.
E.g. "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers."
Now if that looks like a load of gobbledygook, then you're right. It was to me when I first looked at it. Anyway, 1 hr and 40 mins later I had learned enough to block the weaker ciphers.
My question is to you other hosts: would you feel it's right to charge the client for this kind of work (1 hr 40 mins of time), or just absorb it?
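The check a host in this position wants before paying for a re-scan is whether the server still accepts any of the legacy protocol versions. The script below is an added example, not anything from the original post or the scanning company: it uses OpenSSL's s_client to attempt one handshake per protocol version against whatever host and port you pass on the command line and reports which versions the server accepted. It goes slightly beyond the post by also probing TLS 1.3 where the local OpenSSL build has that flag. The flag names are OpenSSL's own; the host, port and sample s_client output used below are placeholders and constructed data.

```sh
#!/bin/sh
# tls_probe.sh: probe a TLS endpoint for legacy protocol support, one
# handshake per protocol version, using OpenSSL's s_client.
# Added example; HOST and PORT are whatever you pass on the command line.

# classify_handshake: read s_client's output on stdin and summarise it.
# A completed handshake leaves "Protocol  : TLSv1.2" and "Cipher    : <name>"
# in the SSL-Session block; a refused one leaves Cipher as 0000 (or prints
# no session block at all), so that is what we key on.
classify_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (cipher != "" && cipher != "0000" && cipher != "(NONE)")
                print "ACCEPTED", proto, cipher
            else
                print "REJECTED"
        }'
}

# local_openssl_supports FLAG: true when this OpenSSL build still accepts the
# given s_client protocol flag. Modern builds have dropped -ssl2 entirely and
# most drop -ssl3, so those versions cannot be exercised from such a client
# and the probe reports them as skipped rather than as rejected.
local_openssl_supports() {
    openssl s_client -help 2>&1 | grep -qw -- "$1"
}

# probe HOST PORT FLAG: attempt one handshake restricted to the version FLAG
# selects (e.g. -ssl3 forces SSLv3 only) and print the verdict.
probe() {
    host=$1; port=$2; flag=$3
    if ! local_openssl_supports "$flag"; then
        printf '%s\n' "$flag: not available in local openssl, skipped"
        return 0
    fi
    # -servername sends SNI so a virtual-hosted server presents the right
    # certificate; stdin is closed so s_client exits after the handshake.
    verdict=$(openssl s_client -connect "$host:$port" -servername "$host" \
                "$flag" </dev/null 2>/dev/null | classify_handshake)
    printf '%s\n' "$flag: $verdict"
}

main() {
    host=$1
    port=${2:-443}
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe "$host" "$port" "$flag"
    done
}

# Usage: sh tls_probe.sh example.com [443]
# With no arguments the functions are only defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats when reading the output. A line marked "skipped" is not evidence that the server refuses that version; it only means the client on your workstation cannot speak it, so an old OpenSSL build (or the scanner itself) is the only way to confirm SSLv2/SSLv3 are really off. And the scanner's "cipher suites that do not use block ciphers" wording dates from the BEAST advisories and should not be read as an instruction to prefer RC4, which RFC 7465 now prohibits in TLS; restrict the protocol versions and keep a modern cipher list instead.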
I agree that since you are the "host" you sort of got paid for doing this. However, you might up your monthly fee just a bit, and cite the new "PCI requirements" for having increased your tasks.
I think that is justified - the PCI requirements demand a higher level of server security than a basic website. Since the scanning companies are getting more stringent, then I think a monthly increase is justified.
I helped a client recently with getting PCI compliant, and I charged my time, because I'm not the hosting provider.
"the PCI requirements demand a higher level of server security than a basic website"
The OP is hosting the site on an AWS micro-instance, with an SSL cert. What would qualify as a "higher level of server security"?
The storyline that a PCI "scan" can either pass or fail the security of a website is simply not true. Until a "scan" can detect a fired former employee with an axe to grind, a scan can do nothing more than flag SSL1/2 protocol support, and do some basic query-injection testing when their scanner detects a textbox.
PCI requirements are a great guideline, but that's all they are... a guideline for proper eStore design and implementation. But writing a bigger check to move from a "basic website" to a "higher level of security" based on a PCI "scan" is throwing good money after bad.
The OP's client needs to hire someone who didn't have SSL1/2 active in the first place, not someone who was prompted to disable it because a silly PCI scan told him to. How many other backdoors are on this site that a scan can't detect?