jwolthuis - 12:27 am on Feb 14, 2013 (gmt 0)
the PCI requirements demand a higher level of server security than a basic website
The OP is hosting the site on an AWS micro-instance, with an SSL cert. What would qualify as a "higher level of server security"?
The storyline that a PCI "scan" can either pass or fail the security of a website is simply not true. Until a "scan" can detect a fired former employee with an axe to grind, a scan can do nothing more than flag SSL1/2 protocol support, and do some basic query-injection testing when their scanner detects a textbox.
PCI requirements are a great guideline, but that's all they are... a guideline for proper eStore design and implementation. But writing a bigger check to move from a "basic website" to a "higher level of security" based on a PCI "scan" is throwing good money after bad.
The OP's client needs to hire someone who didn't have SSL1/2 active in the first place, not prompted to disable it because a silly PCI scan told him to. How many other backdoors are on this site that a scan can't detect?