  1. #1

    Question PCI, Web App Development, Small Hosting, and Unhappy Clients

    Mock me and get it over with...

    I've finally had to come to terms with the fact that my web applications should no longer directly deal with cardholder information, nor should my little hosting service.

    Over the years, I have truly loved wearing both of these hats... PCI compliance was up to this point a "fringe" issue, something I believed only the merchants themselves had to deal with, and relying on the fact that we didn't "store" any cardholder data as a fallback for how "safe" things were.

    Obviously that's not really the case, and now some changes are being made. I'm in the process of choosing a partner of sorts, in the Hosted Payment Form and/or Hosted Payment Fields industry, and preparing to modify our web apps to support this means of processing cards, etc. It will be a long process. I'm not sure which company to go with yet (hoping for one with low fees, seamless site integration, and true PCI compliance with certification proof from the likes of Trustwave, etc.).

    I post here to let others who are straggling know... it's time to do this. My hosting company, while fairly well secured, is by no means truly PCI compliant. My web apps certainly aren't going to be certified as such. They're just little tiny customers with their little corner of the web chugging away daily... but I wanted to post first to say: Look, this is actually LIBERATING. No longer will I need to try and be a security expert... deal with backend code that is poorly documented, to try and integrate with a gateway/merchant service that doesn't care. I can do what I do best, host it up, and pass the actual payment "thing" to the professionals. And since the code is modular, if I (or my client) doesn't like how one "professional" is doing things, we can plug in a different one.

    So the second reason for my post is to ask - for those of you already doing this, which Hosted Payment service provider are you using, and what do you like/dislike about them?

    Lastly... I already have one client complaining about this change... I've tried to convince them that the risk is real, but he keeps saying "well, my BANK/bank rep approved me..."

    I need to deal with him, get him to understand that since his site and my server/network directly handle cardholder information, we're directly responsible for the full PCI (SAQ-D) compliance... which is something that's just not feasible for a company of my size... and that the risk of handling the cardholder information is more expensive than the cost to make some changes to the way his site works, and perhaps the time and effort to switch to a different merchant service if necessary.

    Anyone else have to deal with this, too?

    Thanks for paying attention to a WHT forum noob.

  2. #2
    Join Date
    Aug 2011
    Location
    Chicago
    Posts
    89
    Your concerns are quite valid. Retail industry Merchants suffered through these changes a few years back, throwing out millions of swipe terminals that didn't truncate all but the last 4 digits of the card # and, of course, a laundry list of other security issues.

    There are many levels of PCI compliance as it sounds like you already know. There's some lists of current PCI compliant providers posted on Visa.com every year, but some of them are smaller companies and can lose their certification during the time which the list is tracked and updated.

    There are probably 10+ large payment gateways a majority of experienced online Merchants could reference, most of which will be found linked up on partner pages of hosting sites catering to ecommerce vendors. My two cents would just go to Authorize.net if asked, but I am by no means current with the best information; they are simply one of the guys that has been around long enough to have a generally good reputation that I would be confident recommending for most any Merchant / industry.

    As for the customer of yours who needs further insight, probably associated press archives or a quick Google search on "fines, credit card, hack" will bring you enough articles from major news sources detailing the big and small history of why anyone would be crazy to be handling credit card #s in a non-100% trusted PCI environment. That being said, I'm sure you can find plenty of complaints with the whole PCI system just as well, but of course this post is applicable for your specific customer case.
    High Risk Merchant Consult

    Unbiased Payment Solution Analysis since 2001 - info[at]highriskmc.com

  3. #3
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    We're with Innovative Merchant, all of our credit card processing is via Ubersmith which passes the transactions to Authorize.net (and ultimately Innovative).

  4. #4
    So here's a question that may bake some noodles...

    Upon checkout, the user is sent to a page hosted by a PCI-compliant vendor where they can enter cardholder data, and they are subsequently returned to our system upon completion. Sounds great, right?

    Hold on there, sports fan... let's think about this.

    Let's say that despite all our other due diligence efforts to protect our service and software, someone hacks our network and/or our application, and where the user is supposed to be redirected to a PCI-compliant Hosted Payment page, they are somehow redirected to some jerk's "pretend" payment page? What's the liability THEN? We are supposedly " out of scope for PCI DSS compliance" but still there's a real security breach at play. Granted, given the smaller size of our operation, such a breach would have a minimal effect as far as actual dollars of liability, and it would probably be noticed fairly quickly that something was awry... but still... how deep can the litigation/liability rabbit hole go? How many entities can be affected when protection of code can only be reasonably guaranteed up to a certain point? We can't all be security experts, hence the reason we outsource to the Hosted Payments solution... but what if that still gets bypassed?

    Are we ever truly in the clear, even when we simply lay a finger on eCommerce just enough to send someone to someone else's checkout counter?

  5. #5
    Join Date
    Aug 2005
    Posts
    521
    You would still be "out of scope" for PCI but you would be liable for the breach in your security.

  6. #6
    Quote Originally Posted by oranuf:
    Lastly... I already have one client complaining about this change... I've tried to convince them that the risk is real, but he keeps saying "well, my BANK/bank rep approved me..."
    I'd have a chat with the merchant services rep at their bank.. No need to mention the client's name straight up, but ask if they can give you some info to pass on to your/their client which shows them how big an issue it is.. One of the companies I work with just landed in the dirty stuff when they went to add a fourth country to their available currencies on their multi-currency account - they hadn't talked to the bank in three years, so PCI wasn't on the cards for them until the bank came back with the usual new-website checklist to be submitted.. And there's that 'PCI SoC Supplied' checkbox on the form..
    Now they're rushing around like mad trying to get compliant in as short a time as possible, so their timeframes aren't too skewed! Would have been better to have been prepared for it!

    BTW, talk to your payment processors - All the ones I deal with in .au (eWay, Camtech, even directly to St.George and NAB banks) provide a hosted solution to go alongside their API access.. It's totally simple to change over (redirect out for payments rather than doing them internally), and means no extra paperwork for you or the client! - you may find that you can just switch over to their hosted solution

  7. #7
    I had a long conversation with the client, and convinced them to allow us to modify the web app, and perhaps the necessity of changing merchant services or whatever (it's been so long I'm not sure what, if anything, is going to need to change) and that the cost would be fairly low.

    If you could point me to the specific area of the PCI documentation where "PCI SoC Supplied" might appear - or whatever the language might be - that would simply drive home the point for him just how clueless his bank rep seems to be on this issue... they kept telling him he was "compliant," insisting that he just needed to answer 20 or so questions and he was "set". I'd like to just put his mind fully at ease that I'm not making this all up.

    I think our solution beyond this will be to make sure our servers are secure (obviously) and put a directory watcher on relevant files and throw an alert if a file or setting that controls a redirect to the Hosted Payment Form is changed in some way, as an extra precaution... I think that might be sufficient due diligence at this point for these smaller clients.
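    The "directory watcher" idea above, and the tampered-redirect scenario raised in post #4, can both be covered by one small check. The following is an added example, not code from the thread or from any payment provider: it records a baseline SHA-256 of the file that holds the Hosted Payment Form redirect, re-checks it, and independently verifies that the redirect target is an https URL on an allow-list of approved payment hosts. The config file name, its JSON layout, the `payment_redirect_url` key and the `pay.example-hpp.invalid` hostname are all assumptions made for the example.

```python
"""
Added example (not from the thread): integrity check for the file that
controls the redirect to a Hosted Payment Form, plus an allow-list check
on the redirect target itself.  File name, JSON key and hostnames are
assumptions made for this example.
"""
import hashlib
import json
import os
import tempfile
from urllib.parse import urlparse

# Hypothetical allow-list of hosted payment hosts the shop is approved to
# send customers to.  Any other target is treated as an unexpected redirect.
APPROVED_PAYMENT_HOSTS = {"pay.example-hpp.invalid"}


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def redirect_url_is_approved(url):
    """True only for an https URL whose exact host is on the allow-list."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in APPROVED_PAYMENT_HOSTS


def check_redirect_config(path, baseline_sha256):
    """Compare the config file against its recorded baseline hash and
    validate the redirect target it contains.  Returns a list of alert
    strings; an empty list means nothing looks wrong."""
    alerts = []
    actual = sha256_file(path)
    if actual != baseline_sha256:
        alerts.append("hash mismatch for %s: expected %s, got %s"
                      % (path, baseline_sha256, actual))
    with open(path) as f:
        cfg = json.load(f)
    url = cfg.get("payment_redirect_url", "")
    if not redirect_url_is_approved(url):
        alerts.append("redirect target not approved: %r" % url)
    return alerts


def demo():
    """Constructed scenario: record a baseline, then simulate an edit that
    points the redirect at a look-alike host.  Returns (before, after)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "checkout.json")
    good = {"payment_redirect_url": "https://pay.example-hpp.invalid/checkout"}
    with open(path, "w") as f:
        json.dump(good, f)
    baseline = sha256_file(path)
    before = check_redirect_config(path, baseline)

    # Constructed tampering: the redirect now leaves the approved host.
    bad = {"payment_redirect_url": "https://pretend-payment.invalid/checkout"}
    with open(path, "w") as f:
        json.dump(bad, f)
    after = check_redirect_config(path, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Run from a cron job or an inotify-style watcher, anything in the returned alert list is what gets paged out. The host check is exact-match on `hostname`, so a look-alike such as `pay.example-hpp.invalid.evil.invalid` or a plain http scheme is rejected even if the file hash happens to match (for example when the baseline was recorded after the tampering).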

  8. #8
    Join Date
    Nov 2005
    Location
    Pennsylvania
    Posts
    778
    Quote Originally Posted by oranuf:
    Are we ever truly in the clear, even when we simply lay a finger on eCommerce just enough to send someone to someone else's checkout counter?
    In a word, no. You've always got some liability exposure, because anyone can sue anyone at any time. Even if you're in the clear, the cost of going and defending yourself -- or even hiring an attorney to file a motion for dismissal -- can still be damaging.

    To that end, it's worth consulting with an attorney for an answer on this one. It may be that by following certain specific "best practices" in your development, combined with choosing a PCI-compliant merchant interface (such as CDGCommerce), you can build a substantial amount of protection in the event that you do get breached. Although you can still get sued, such practices might be enough to get the other attorney to advise his client that a lawsuit has a low likelihood of success, which in turn might be enough to reduce a lawsuit to a menacing letter.

    You've nailed a significant issue, one that demands professional guidance.
    The world would be a better place if people drank better coffee.
