PCI Compliant Web Hosting

  #1  
Old 03-20-2012, 04:32 PM
mstracy
New Member
 
Join Date: Mar 2012
Posts: 1

PCI Compliant Web Hosting


I just signed up with you because I need some advice. I want to start up a website and have seen a lot of signs for HostGator; they have some pretty good prices, but I can't find out if their billing systems are PCI compliant. The CSR I talked to directed me to a support link which doesn't really say anything about their billing system. Does anyone know for sure if they are PCI compliant? If not, any suggestions on good hosting services that are affordable with PCI compliant billing systems?

The major reason I ask is because I was one of those people who may have had my info hacked off Zappos, and now I'm nervous about my credit card info and identity getting stolen.

Thank you



  #2  
Old 03-20-2012, 04:59 PM
48-14
Web Hosting Master
 
Join Date: Apr 2011
Location: Toronto, ON
Posts: 2,812
Quote:
Originally Posted by mstracy
I just signed up with you because I need some advice. I want to start up a website and have seen a lot of signs for HostGator; they have some pretty good prices, but I can't find out if their billing systems are PCI compliant. The CSR I talked to directed me to a support link which doesn't really say anything about their billing system. Does anyone know for sure if they are PCI compliant? If not, any suggestions on good hosting services that are affordable with PCI compliant billing systems?

The major reason I ask is because I was one of those people who may have had my info hacked off Zappos, and now I'm nervous about my credit card info and identity getting stolen.

Thank you
Is the PCI request for the host you're looking for or for your website?

Most "large" hosts will most likely be PCI compliant since they also process credit cards for their customers.

But I would say, depending on what your site is about, you should look in the shared offers section and find a smaller host that will suit your needs. Here are a few reasons which will tie into your request:

1. Larger hosts tend to be targeted for hacking. So whether or not the host is compliant, if the hacker wants in they will get in.

2. If you or the host is only holding customer information but sending the actual financial transaction to another site like PayPal, then the host doesn't need to be compliant, but they should have a good SSL certificate in place (https://).


Unfortunately I would say nothing is ever 100%. It all depends on how well the host has measures set up to give a hacker less chance of getting in.

Your other option is paying through PayPal or another similar type of processor. So only PayPal will have your credit info, and the host will only have your billing address info.

__________________
██ 48-14Servers & VPS for 2013, Coming Soon!
██ Specialized in WordPress Hosting & Security Since 2006
██LiteSpeed • Reliable • Secure • 99% Uptime Guarantee • Softaculous • Daily Backups
██ Email: sales [@] 48-14 .com • Twitter: @4814

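The "send the actual transaction to PayPal" arrangement described in the post above, as an added example that is not part of the original thread and is not PayPal's or any real processor's API: a small offline simulation in Python of a merchant that hands card capture to a processor's hosted payment page. The message fields, the shared secret, the notification format and the test card number are all assumptions made for illustration. What it shows is what the merchant's own systems end up holding (an order, a status and a processor reference, no card number) and which checks the merchant still has to perform on the processor's callback: signature, replay and amount.

```python
"""Added example, not code from the thread: a merchant that outsources card
capture to a hosted payment page. Message formats and secret are assumptions."""

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Secret shared with the processor out of band. Assumed value; in production
# it comes from a secrets store, not from source control.
PROCESSOR_SECRET = b"constructed-shared-secret-for-this-example"


def sign(payload: dict, secret: bytes) -> str:
    """HMAC-SHA256 over canonical JSON so both parties hash identical bytes."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


@dataclass
class Merchant:
    """The shop. Holds orders and shipping details; never sees a card number."""
    secret: bytes
    orders: dict = field(default_factory=dict)
    seen: set = field(default_factory=set)   # notification ids already applied

    def create_checkout(self, amount_cents: int, currency: str) -> dict:
        order_id = secrets.token_hex(8)
        self.orders[order_id] = {"amount_cents": amount_cents, "currency": currency,
                                 "status": "pending", "txn_ref": None}
        # Everything the browser carries to the processor's hosted page.
        return {"order_id": order_id, "amount_cents": amount_cents,
                "currency": currency}

    def handle_notification(self, msg: dict) -> bool:
        """Apply a payment notification only if it is signed by the processor,
        has not been seen before and matches the order we created."""
        body = {k: v for k, v in msg.items() if k != "sig"}
        if not hmac.compare_digest(sign(body, self.secret), msg.get("sig", "")):
            return False                                   # forged or tampered
        order = self.orders.get(body.get("order_id"))
        if order is None or body.get("notification_id") in self.seen:
            return False                                   # unknown order or replay
        if (body.get("amount_cents"), body.get("currency")) != \
                (order["amount_cents"], order["currency"]):
            return False                                   # paid a different amount
        self.seen.add(body["notification_id"])
        order.update(status=body["status"], txn_ref=body["txn_ref"])
        return True


class Processor:
    """Simulated hosted payment page: the only party that ever sees the PAN."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.count = 0

    def hosted_page_submit(self, checkout: dict, pan: str, expiry: str) -> dict:
        # The card is posted here, on the processor's own domain. What goes
        # back to the merchant is the signed result below, with no card data.
        self.count += 1
        body = {"notification_id": f"n{self.count}",
                "order_id": checkout["order_id"],
                "amount_cents": checkout["amount_cents"],
                "currency": checkout["currency"],
                "status": "paid",
                "txn_ref": f"txn_{secrets.token_hex(4)}"}
        return {**body, "sig": sign(body, self.secret)}


def run_flow() -> dict:
    """One checkout with a constructed test card, then a replay and a
    tampered copy of the notification. Returns the facts worth checking."""
    merchant = Merchant(PROCESSOR_SECRET)
    processor = Processor(PROCESSOR_SECRET)
    checkout = merchant.create_checkout(4999, "USD")
    test_pan = "4111111111111111"                  # standard test number
    note = processor.hosted_page_submit(checkout, test_pan, "12/29")
    return {
        "first_accepted": merchant.handle_notification(note),
        "replay_accepted": merchant.handle_notification(note),
        "tampered_accepted": merchant.handle_notification(dict(note, amount_cents=1)),
        "status": merchant.orders[checkout["order_id"]]["status"],
        "pan_in_merchant_state": test_pan in json.dumps(merchant.orders),
    }


if __name__ == "__main__":
    print(run_flow())
```

Two things worth noticing. The merchant still has real security work to do even though it never touches the card: an unsigned or replayed callback would otherwise let anyone mark an order as paid, and a processor that charged a different amount than the order asked for must not be treated as success. And this pattern reduces PCI scope rather than removing it: the page that sends the shopper to the processor is itself in scope (the fully outsourced case is what PCI DSS's SAQ A covers), which is why the advice above to still run the site over a proper HTTPS configuration holds.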
  #3  
Old 03-21-2012, 09:19 AM
lilrob
Newbie
 
Join Date: Mar 2012
Posts: 5
I do not see anything on HostGator's site that talks about being PCI compliant. Most of the sites I've seen that are PCI compliant advertise it all over their site. They also seem to be a bit more expensive. I agree with Web Hosting Master, though; it depends on how you will have your site set up. If you make your customers pay you through PayPal then you do not need PCI compliance.

  #4  
Old 03-21-2012, 09:24 AM
Crothers
Web Hosting Master
 
Join Date: Apr 2008
Location: United States, MI
Posts: 552
Hello,

As a previous employee of Hostgator I can tell you with 100% confidence their billing system is PCI compliant.

The servers that run the "gbclient" billing system are housed outside of the normal network, meaning that our shared hosting servers and so on cannot access the server; neither can anything else without being logged into the datacenter's VPN.

The database fully encrypts all of your personal credit card information.

Regular employees and even supervisors cannot see your billing information; as a matter of fact, none of the upper management can see your information by default either. The ability to see your information is actually limited to 2-3 people in total, one of them being the company accountant.

There has never been a leak from the GBClient system in its existence.

SSH access is not available to the servers without VPN access.

Nobody in the company, except for the developers who work in the office on locked-down physical computers (not remotely), knows where the databases are stored.

There is an extensive firewall in front of all of this equipment preventing intrusion.

--

I hope that helps.

__________________
Steven Crothers
No BS cloud engineer and Red Hat architect.

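The storage controls described in the post above (an encrypting database, visibility limited to a handful of people) are internal claims that nobody reading the thread can verify. As an added example, not code from the post or from HostGator, here is what the cheaper end of the same problem looks like when a site keeps no full card numbers at all: the number is validated, reduced to a masked string plus a keyed hash, and anything that looks like a card number is masked in log lines before they are written. The key value, the log lines and the field names are constructed for the example. This does not cover the case where a business must keep the full number to charge it later; that needs encryption with managed keys, which is what PCI DSS Requirement 3 is mostly about, and PCI DSS 4.0 is also where the rule that a stored hash of the PAN must be keyed comes from.

```python
"""Added example, not code from the thread or from HostGator: keeping card
numbers unreadable when the site stores no full PAN. Key and logs are constructed."""

import hashlib
import hmac
import re
from dataclasses import dataclass

# Key for the keyed hash. Assumed value; a real one comes from a key-management
# system and is kept apart from the database holding the hashes.
PAN_HASH_KEY = b"constructed-key-for-this-example-only"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation for a 13-19 digit card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four (the most PCI DSS Req. 3.3 lets you display)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = PAN_HASH_KEY) -> str:
    """Keyed one-way hash. An unkeyed SHA-256 of a 16-digit number is cheap to
    brute-force (the first six digits are the public BIN and Luhn removes a
    further 90% of candidates), so the secret key is what makes this unreadable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    masked: str    # what customers and support staff ever get to see
    token: str     # for duplicate detection and lookups; not reversible
    expiry: str    # MM/YY


def store_card(pan: str, expiry: str) -> StoredCard:
    """Normalise, validate, and reduce the PAN to the two derived forms above."""
    pan = re.sub(r"[\s-]", "", pan)
    if not luhn_ok(pan):
        raise ValueError("not a valid card number")
    return StoredCard(mask_pan(pan), pan_token(pan), expiry)


# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line: str) -> str:
    """Mask anything that looks like a PAN and passes Luhn. Request logs and
    debug dumps are where 'encrypted in the database' gets bypassed."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_RE.sub(repl, line)


# Constructed sample lines (4111 1111 1111 1111 is a standard test number).
SAMPLE_LOG = [
    "2012-03-21 10:54:01 POST /billing/pay order=10023 card=4111 1111 1111 1111 exp=12/29",
    "2012-03-21 10:54:02 GET /invoice/10023 amount=4999 phone=5551234567",
]


if __name__ == "__main__":
    print(store_card("4111 1111 1111 1111", "12/29"))
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```

The Luhn gate in the scrubber keeps it from mangling order numbers, phone numbers and timestamps while still catching card numbers typed with spaces or dashes; the remaining risk is a PAN split across two fields, which this regex will not see. Run the scrubber at the logging layer, not in each handler, so a future debug statement cannot reintroduce the leak.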
  #5  
Old 03-21-2012, 10:54 AM
pmabraham
Web Hosting Master
 
Join Date: Dec 2001
Posts: 5,221
Good day:

If a hosting provider is PCI compliant, the only way to be 100% confident is if they publish their PCI compliance certificate which they received from an authorized 3rd party recognized by the PCI Security Council.

Thank you.

__________________
---
Peter M. Abraham
LinkedIn Profile


  #6  
Old 03-21-2012, 01:13 PM
gkg_net
Newbie
 
Join Date: Mar 2012
Location: Texas, USA
Posts: 13
If the hosting provider is also an ICANN approved registrar, they have to be PCI compliant: https://community.icann.org/display/...ration+Process

It can actually be a liability to advertise PCI compliance with hosting, as it can imply that all hosted accounts are compliant, which is never the case (with shared hosting anyway).

As 48-14 said, most 'large' companies are in fact PCI compliant in terms of their billing.

  #7  
Old 03-21-2012, 02:00 PM
WebzPro
Aspiring Evangelist
 
Join Date: Mar 2004
Location: Chicago IL
Posts: 399
It is very unlikely that shared servers at HostGator are PCI compliant. Read this: http://support.hostgator.com/article...-pci-compliant

For a host to have PCI compliant shared hosting accounts on a typical shared server, you need to go beyond what it is actually worth (unless you dedicate a dedicated server for that purpose). Every IP must be tested for PCI compliance. If you have a host that tells you their shared hosting environment is PCI compliant and you are not presented with a PCI compliance certificate for each IP, then you are not PCI compliant. We run a completely independent server for our site alone in order to be PCI compliant.

__________________
WebzPro.com Hosting Solutions Since 2004
CloudLinux OS - LiteSpeed - Softaculous - RVSiteBuilder Pro
24/7 Support - Phone & Help Desk A+ BBB Rating
LiteSpeed Powered Servers Daily/Weekly Backups • CPanel/WHM

  #8  
Old 03-21-2012, 02:19 PM
stablehost
Corporate Member
 
Join Date: Jul 2005
Location: In the Internets
Posts: 2,813
Quote:
Originally Posted by WebzPro

For a host to have PCI compliant shared hosting accounts on a typical shared server, you need to go beyond what it is actually worth (unless you dedicate a dedicated server for that purpose). Every IP must be tested for PCI compliance. If you have a host that tells you their shared hosting environment is PCI compliant and you are not presented with a PCI compliance certificate for each IP, then you are not PCI compliant.
Correct. PCI compliance is extremely hard to get, and anyone that offers PCI compliance at $5/month is lying to you; it's a marketing ploy to get foolish customers to sign up.

  #9  
Old 03-22-2012, 06:25 PM
lilrob
Newbie
 
Join Date: Mar 2012
Posts: 5
nerdswebhosting.com

I feel that the best way to do this is with PayPal or another similar type of company. This way you still get paid and do not have to worry about anyone's money. Also, you do not have to pay the PCI expenses.

  #10  
Old 03-23-2012, 05:06 AM
MacAndy
Junior Guru Wannabe
 
Join Date: Oct 2011
Posts: 49
Quote:
Originally Posted by dfxgrid
What is PCI compliancy? Haven't heard this one before.
Google for more info about that.

  #11  
Old 03-27-2012, 09:25 PM
bluecamel
New Member
 
Join Date: Mar 2012
Posts: 1
May be easiest, but not the best

Quote:
Originally Posted by lilrob
I feel that the best way to do this is with PayPal or another similar type of company. This way you still get paid and do not have to worry about anyone's money. Also, you do not have to pay the PCI expenses.


Yea, that might be the EASIEST but not the BEST. Most people will NOT pay using PayPal or Google Checkout or anything else that takes them away from the site they are on. So you don't get paid.

So the best way is to become PCI compliant, which gives me a headache just looking over all of the requirements.

My personal feeling on this is that right now there are a ton of easy targets for hackers, so they aren't bothering with that many PCI compliant sites. But as soon as PayPal and Google Checkout are the only ones left (which is sort of what the PCI companies want), the hackers will go after them and will, without a doubt, hack them. So I think that the whole PCI thing is dumb and they are trying to work on the wrong end of things, transferring the costs to small businesses who can't foot the bill as easily as Visa or MasterCard could. I like what American Express (and some other issuers) have done with one-time-use credit card numbers. That's honestly the best way for all of them to go; that way, it doesn't matter who gets the card number.

  #12  
Old 03-27-2012, 11:52 PM
HostingBig
Web Hosting Master
 
Join Date: Jan 2003
Location: SLC
Posts: 727
It's tough getting a shared hosting server PCI compliant because many scanners have different rules, but it can be done.

That being said, would you really want to store such confidential information on a shared host, when your neighbor is running his outdated, unpatched WordPress install?

I'm sure HG's billing system is PCI compliant as mentioned, but I am 100% sure they do not run it on the shared hosting servers that they sell to the public.

We certainly do not.
You should go dedicated or at the very least VPS.

__________________
Lowest Host/Empire Technology LLC
Offering Quality Shared, Reseller, VPS servers, and Dedicated Servers
24x7 Tech Support http://empire-hosting.net
cPanel Licenses http://empire-hosting.net/buy-cpanel.html - Dedicated VPS /

  #13  
Old 03-28-2012, 04:39 AM
Brian_R
Web Hosting Master
 
Join Date: Jan 2011
Location: UK
Posts: 762
We've sort of strolled off the topic the OP asked about, which is whether HostGator's own billing system is PCI compliant, but that's OK because this is interesting!!!

For the OP, a merchant's PCI status is commercially confidential between the merchant and their acquirer. The only way for you to be sure if HostGator's systems are PCI compliant is to ask them to show you their PCI ROC (Report on Compliance). This is the document their QSA (PCI auditor) prepares and signs. If they haven't got one, it may be that they are small enough to self-certify. However, your chances of getting hold of their ROC are fairly slim unless you are spending large amounts, as it contains lots of info on their security processes and workarounds.

The PCI Council not long ago released some new guidance on the use of virtualised environments for in-scope processing (i.e. apps with cardholder data stuff and therefore subject to PCI). It's here: https://www.pcisecuritystandards.org...nfoSupp_v2.pdf. This doesn't replace the PCI standard itself but gives guidance on how it should be interpreted. The bottom line, I would suggest, is that if anyone is looking at getting a virtual environment PCI certified, take some advice from a QSA. This won't be cheap, but neither will the whole project; don't start on it if you're not prepared to spend. As a benchmark, and for a small environment, getting to PCI Level 1 certification will cost £10k's. Large environments cost much, much more.

Note also that some folks are talking about scanners. This is an external vulnerability scan done quarterly by a PCI Approved Scanning Vendor (ASV). It is one small part of getting certified, one requirement out of 250-odd, but the most visible one for small merchants who self-certify.

__________________
Advania Thor Data Centre Iceland - www.thordc.com
High Spec Colocation and Dedicated Servers, powered by cheap, abundant and 100% renewable energy.
Enterprise grade hosting, ISO27001 accredited for security, and all at fantastic pricing.

brian.rae@thordc.com
