Does "HackerSafe" (PCI Compliance http://www.pci-compliance.eu/) logo on a website make sense to attract more customers?
Will you (as a customer) prefer to see that logo on the hosting website where you bought your hosting from?
It might work to attract lower-end clients but generally anybody looking for professional or medium to high end hosting would likely be turned off by a "HackerSafe" logo. The HackerSafe logo I think probably has a tendency to cause more problems than it solves. DDoS or hack attempts come to mind.
As for being PCI Compliant - that is a given... Generally a merchant account won't allow you to process payments on your site without being PCI Compliant.
I know merchant account requires it, I was just asking about attracting customers...
Please clarify your exact definition of "lower-end clients"?
So HackerSafe may cause some problems? Please clarify them: what are the problems, and please explain what DDoS is?
Merchant accounts require you to be PCI compliant, not to use HackerSafe's services. HackerSafe will help you audit your servers, but as long as you can show to your CC company that you use/hire other external auditors it will be fine too.
Sorry, I never used it before. I thought HackerSafe is the same as PCI compliance. So by "be PCI compliant, not to use HackerSafe's services" do you mean the HackerSafe service is separate from PCI compliance?
I thought HackerSafe is useful!
PCI compliance is a standard. HackerSafe is an audit company.
PCI compliance requires you to have a third-party assessment (quarterly scan, on-site audit, etc., depending on compliance level).
So if you want to be compliant with PCI-DSS you should make your environment according to this standard and involve a certified third-party (HackerSafe, TrustWave, etc.) assessment company to confirm that.
I prefer to make purchases only on certified sites. It is kinda a guarantee against stupid mistakes like SQL injection, etc.
Do you mean you would prefer to buy your website from a hosting which is PCI compliant + HackerSafe?
Do you mean in order to become PCI compliant, I should use HackerSafe or any other recognized third party like that?
To Perfsys:
Please participate in poll too.
To dynamicnet & FHH - Tim:
Please clarify: it depends on what?
I meant as a customer (purchasing products/services on the internet) I would prefer a PCI compliant site. I'm not quite sure that there is any out-of-the-box hosting package that includes PCI DSS compliance.
Yes, it is required by this standard.
Quote: Do you mean in order to become PCI compliant, I should use HackerSafe or any other recognized third party like that?
Try to find out some info at the Visa site.
Perfsys, I thought you would vote for "Yes" because of what you said here. Please clarify: it depends on what, in your opinion?
To ALL folks:
Please participate in this poll too:
http://www.webhostingtalk.com/showthread.php?t=683288
Also, if you vote for "It depends" for this thread, please leave a post and clarify what it depends on.
Sorry, mistyped.
My answer is: Yes.
To a Moderator:
Polls are not editable by users. Please move perfsys's vote from "It depends" to "Yes" in order to get a more serious result from this discussion, as I believe this discussion is serious and important.
Sorry, I still see perfsys's name for "It depends"; however the statistic became 2, which is correct. I can't see his name for "Yes".
I appreciate your own vote too! :)
I voted YES because I work for a computer accessory manufacturer and I get calls about our website security all the time. Most people I talk to are paranoid about punching in their credit card info on someone's (our) website. The "HackerSafe" logo, I believe, would give us more sales and allow so many of our customers to have some peace of mind.
"HackerSafe" is a name everyone understands, but "PCI compliance" is something only a geek would know off the top of their head. The every-day individual would have to google it to know what it is and what it stands for.
Besides HackerSafe, are there any other PCI compliance services that are good?
Does HackerSafe check for vulnerable PHP applications? Like an out-of-date phpBB?
Or if the user is include()ing a variable without validation? And if it does, how is it able to tell whether a user is using proper validation on the variable he is including?
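The include() pattern asked about above, as an added example that is not from the thread or from any scanner vendor: the unvalidated form next to an allowlist-based replacement. The template names, PAGE_TEMPLATES, resolve_page() and render_safe() are assumed names; a remote scanner only sees HTTP responses, so it can probe for the symptom but cannot read the validation code itself.

```php
<?php
// Added example (not from the thread). File names below are made up.

// Vulnerable pattern: the request parameter is passed straight to include(),
// so whoever sends the request decides which file (local, or remote when
// allow_url_include is on) gets executed. Kept here only as the "before".
function render_unsafe(array $get): void
{
    include $get['page'];
}

// Hardened pattern: the parameter is only a key into a fixed map of
// templates. Nothing visitor-supplied is ever used as a path.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'pricing' => 'pricing.php',
    'contact' => 'contact.php',
];

// Returns the absolute template path for a known key, or null otherwise.
function resolve_page(?string $requested, string $templateDir): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGE_TEMPLATES)) {
        return null;
    }
    $path = realpath($templateDir . '/' . PAGE_TEMPLATES[$requested]);
    $base = realpath($templateDir);
    // Defence in depth: the resolved file must still live inside $templateDir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_safe(array $get, string $templateDir): void
{
    $file = resolve_page($get['page'] ?? null, $templateDir);
    if ($file === null) {
        http_response_code(404);   // unknown key: refuse, do not guess
        echo 'Page not found';
        return;
    }
    include $file;
}
```

With the allowlist in place, a scanner's probe for arbitrary paths gets a 404 instead of file contents, which is the only signal an external scan can observe.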
It should.
Quote: Or if the user is include()ing a variable without validation? And if it does, how is it able to tell whether a user is using proper validation on the variable he is including?
Not sure that it will check all, but most certified assessors have a "penetration test", which usually performs a manual break-in attempt.
Quote (Originally Posted by perfsys): It should.
Quote: Or if the user is include()ing a variable without validation? And if it does, how is it able to tell whether a user is using proper validation on the variable he is including?
Does it check for popular out-of-date 3rd-party scripts like phpBB, WordPress, Joomla, etc.?
Quote (Originally Posted by perfsys): Not sure that it will check all, but most certified assessors have a "penetration test", which usually performs a manual break-in attempt.
If it just scans the IP of the server, how does it know what domains to check? Like if I have 100 domains all on the same IP?
How about if, like, my kernel is out of date, does it check that? Or is it only able to do something like nessusd would do?
It depends on what utility will be used for scanning.
Usually it utilizes a huge vulnerability database to look up and scan all such 3rd-party things and much more.
The point of PCI-DSS is not just a scan.
A PCI scan is to confirm that your external resources are patched and secured.
Take a look at the PCI DSS documents on the Visa site.
A scan is just one point out of a hundred.
By one hundred points do you mean the 12 main points, plus all the sub points from this:
https://www.pcisecuritystandards.org/tech/pci_dss.htm ?
Yes, exactly.
PCI Compliance = paper tiger, but needed for insurance claims.
http://www.visaeurope.com/documents/...ants_guide.pdf
section 7.2
quarterly scan
I don't pay much attention to the Hacker Safe logo but I know that some of our customers would.
Where is the cheapest place to get the HackerSafe seal/service?
http://www.hackerguardian.com/ is another company like HackerSafe.
Most sites that are doing e-commerce will have an SSL, which in turn means that the site will have its own IP Address!!
The whole HackerSafe stuff is a joke, but if it lets a client more immediately know you've had the basic checks/scans done and you passed, if they even know what it means, then it could save some questions from them, or even make them think it means you really are a more secure provider over another. I'm unsure how it could be a bad thing for potential clients to see, other than it might give some the impression that you believe your servers are more secure than they actually are, just because of some lame, basic scans by a service like that.
What I mean by that, is that it could make people think that you believe that's all you need done/checked to have a secure server. Of course, that doesn't mean that's the case or you believe that, but that would be my only concern about displaying such a seal (since I don't put much credence into that sort of service). I.e., an informed client might think that the hosting company was ignorant about it enough to pay some pointless service to do a basic scan just to use their seal -- so I'd never do it for that reason.
I know it's a lot of meaningless nonsense, but I still order items online from stores that have the logo (it doesn't make me not order -- I don't think they are more secure or safer, but it doesn't turn me off from ordering), so I think if anything it's a good thing to have since most clients see media nonsense about "hacking" and if you can have some meaningless seal that says you're safe from it, it might earn you more uninformed clients and that's still more clients.
I don't think informed clients will usually hold it against you, even if I worry that they would. I see a lot of "services" and "seals" used on sites that seem people are just paying these services to collect icons on their pages, and it makes me think they are suckers. But, for a HackerSafe seal, I'm not offended by them passing the basic checks. I doubt most potential customers will know or care what PCI compliance means, and if you run an online order form, you usually have to pass those checks anyway, so I think you're better off with the HackerSafe logo to appeal to them, even though it's pretty much nonsense anyway.
Anyway, why not have both? You'll need a PCI compliance check for most merchant services to accept clients for your hosting anyway, so have the PCI Compliant logo or text, and if you're going to pay for a HackerSafe seal, then do that, too. Do both, the PCI Compliant verification seal or text should be of no cost. Just create one, it's not immoral if you are compliant. There's no reason to pay someone for a PCI Compliant test that your bank or merchant service will perform before you can accept orders anyway.
In fact, why not just ensure you're secure from the same things HackerSafe checks and just create a logo that says you're Hacker Safe (just make it clear it's not their service's seal). I don't see any reason to pay anyone to run a basic test, as long as you truly are at least as secure as those services will check for anyway.
I guess it works out good, I use hackerguardian.com :)
Well, there's a good point. If you want to put some "hacker safe" type of seal on your web site and if you want to pay someone to run those basic scans, then I seriously doubt it matters which company you use. Any client that will be drawn to your service from such a seal, will not know enough about it or what it really means in the first place, so I really doubt it matters which company's seal you use.
Nice points Tim Greer, I completely agree. :)
I think if eventually I buy the HackerSafe service, I'd pay only to become PCI Compliant to use a merchant account and not just pay to show the seal to clients to tell them we are secure. I am sure clients won't care about that seal; they have their own factors to decide if you are secure or not and buy from you.
HackerGuardian is a lot cheaper than HackerSafe!!
True, but it does the same, b/c I tried both and I don't see anything different :)
To a moderator:
one poll option is:
It depends
please change it to:
It depends (if you vote this, please leave a post and clarify what it depends on)
To Folks who already voted for "It depends":
Please clarify what it depends on.
I've never once seen one of those logos tell me a site was not safe. I'm sure it has or could happen, but after seeing dozens of such logos I really am not sure I can trust that they actually mean anything.
I mean, I think in many cases all those logos do is test connections. If all they are saying is that the site has a non-expired SSL certificate, well, yeah my browser does that for me.
In short, I don't think either of those is going to weigh positively on prospective customers.