I am a small-time developer webdesigner and have a client who needs PCI compliance.
I charge him 50 USD a month for a Amazon AWS micro instance which costs me about 15 USD. So I get 35 USD for patching and maintaing his virtual box.
Recently the PCI scanning company upped the stakes and the existing SSL cert that was installed then started to fail on SSL1 and SSL2 and I had to prevent the server negotiating on these protocols and only allow TLS 1.1 or SSL3
E.g. "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers
to only support cipher suites that do not use block ciphers."
Now if that looks like a load of gobbled-gook then your right. It was to me when I first looked at it. Anyway 1hr and 40mins later I had learned enough to block the weaker ciphers.
My question is to you other hosts, would you feel its right to charge the client for this kind of work (1hr 40mins time) or just absorb it?