  1. #1

    Affordable PCI Certification

    Does anyone know of a firm that offers PCI certification for a low price (something in the ballpark of $200-300)? I have Googled it and turned up companies charging $1500-5000 per year, which is retarded.

    I have already run a PCI compliance scan from Comodo and it came back clean, so I would like to get the certification done.

    Regards!
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  2. #2
    Try Rack911.com

    It is very expensive; I'm not sure of Steve's rates.

    I only provide it to corporate clients. It's very, very expensive for us too as a service to offer.

  3. #3
    Liquidweb provides the scan + certification to its clients for $50 per month.

  4. #4
    Quote Originally Posted by LoganNZ:
    Try Rack911.com

    It is very expensive; I'm not sure of Steve's rates.

    I only provide it to corporate clients. It's very, very expensive for us too as a service to offer.
    Thanks. It appears to be $100 upfront, then $50 per month to maintain.
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  5. You can go to ScanAlert (now McAfee) directly for $319.00 a year for 4 IPs.

    I take it you are a level 4 merchant? You should talk to your acquiring bank and see what they require. You may not have to do anything above a quarterly scan to demonstrate compliance. Actually being compliant (and staying compliant) is a different matter.

  6. #6

  7. #7
    Do you mean validation? Validation != certification. If you have a clean scan and are Level 3 or 4, all you need to do is fill in your SAQ and submit it to your bank, which should not cost any $$. Comodo should have an online method for doing this for free. If, however, you are a Level 1, expect to spend $10k or more.
    ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
    Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
    Custom configurations, firewall, VPN, load balancers, private networks and more.

  8. #8
    Quote Originally Posted by zendzipr:
    Do you mean validation? Validation != certification. If you have a clean scan and are Level 3 or 4, all you need to do is fill in your SAQ and submit it to your bank, which should not cost any $$. Comodo should have an online method for doing this for free. If, however, you are a Level 1, expect to spend $10k or more.
    To be honest, the Comodo site confuses me, lol. Any assistance would be greatly appreciated.
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  9. #9
    Quote Originally Posted by orexsolutions:
    You can go to ScanAlert (now McAfee) directly for $319.00 a year for 4 IPs.

    I take it you are a level 4 merchant? You should talk to your acquiring bank and see what they require. You may not have to do anything above a quarterly scan to demonstrate compliance. Actually being compliant (and staying compliant) is a different matter.
    To clear things up a bit, the McAfee $319.00 a year option does not include a trust seal.

    My question is, if you are going to pay for the scans to make sure your site is safe why not let your customers know about it by displaying a trust seal?

    What I'm saying is, having your site scanned on a regular basis is really important and displaying seals to give your visitors peace of mind is equally important, besides that increased confidence will usually bring in more sales!

  10. #10
    Having some colourful small button that says you are secure doesn't garner as much trust as a Verisign Secured seal, which is present on some of the biggest websites, like PayPal; if you're going for a seal it should be only one, and from Verisign.

    Getting PCI compliance is easy, as long as you follow the guidelines and stick to them. Some companies may charge per year because they probably include continuous support throughout a year to keep your setup PCI compliant.

    A seal only lets your users know it, but being PCI compliant is still a requirement if you accept credit cards on your site.
    478east
    High Bandwidth Servers
    Custom Hosting Solutions

  11. #11
    Quote Originally Posted by Trust Guard Admin:
    To clear things up a bit, the McAfee $319.00 a year option does not include a trust seal.

    My question is, if you are going to pay for the scans to make sure your site is safe why not let your customers know about it by displaying a trust seal?

    What I'm saying is, having your site scanned on a regular basis is really important and displaying seals to give your visitors peace of mind is equally important, besides that increased confidence will usually bring in more sales!
    Having a seal only makes it easier for hackers. If hackers know who did your scan or that you received one, they already know what not to test. You just made their job easier for them. Ask batteries.com how well having a seal did for them.

    Any ASV/QSA worth their salt won't offer a seal showing compliance for just the above reason.
    ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
    Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
    Custom configurations, firewall, VPN, load balancers, private networks and more.

  12. #12
    This business we're in is like a circus. I never heard of the batteries.com data breach and their website isn't going to do anything to educate anyone about it.

    They do carry a McAfee Secure Logo and it's astonishing that McAfee would allow a company that had a very recent breach to say "it's safe".

    One with a sane mind would think it would probably be good to say this merchant was recently pwned and buy at your own risk. I guess at the end of the day all this PCI compliance and site seals is only about the money it brings in and not about protecting consumers.
    James Paul Woods
    Operations Manager
    HostKitty Internet Services

  13. #13
    Quote Originally Posted by woods01:
    One with a sane mind would think it would probably be good to say this merchant was recently pwned and buy at your own risk. I guess at the end of the day all this PCI compliance and site seals is only about the money it brings in and not about protecting consumers.
    I could not disagree more. Although site seals provide a false sense of security (security by assumption), PCI compliance is an absolute must for hosts that accept credit cards. It would be silly to assume otherwise. PCI-DSS does a very good job at protecting consumers if it is followed correctly.

    Part of the reason the PCI services are so expensive is because it is a very complex set of standards that must be followed precisely. Not just anyone can sit down and make a server compliant without specialized training or extensive research.

    The merchant in question was "pwned" because, although they displayed a site seal, the site seal did not really protect their consumers. Had they actually been fully PCI-DSS compliant instead of just using one "PCI scan", it would have been more difficult for the attackers to successfully gather PII.
    Tyler Thompson
    Marketing Manager
    WebHostingBuzz.com | Shared, Business, Reseller, VPS, and Dedicated Hosting
    WebHostingBuzz Hosting, Marketing, Security and Technology Blog

  14. #14
    Quote Originally Posted by tathompson:
    I could not disagree more. Although site seals provide a false sense of security (security by assumption), PCI compliance is an absolute must for hosts that accept credit cards. It would be silly to assume otherwise. PCI-DSS does a very good job at protecting consumers if it is followed correctly.

    Part of the reason the PCI services are so expensive is because it is a very complex set of standards that must be followed precisely. Not just anyone can sit down and make a server compliant without specialized training or extensive research.

    The merchant in question was "pwned" because, although they displayed a site seal, the site seal did not really protect their consumers. Had they actually been fully PCI-DSS compliant instead of just using one "PCI scan", it would have been more difficult for the attackers to successfully gather PII.
    Darn, got beat to my response. Excellent points. A scan is but 1 part of 200+ items on the SAQ D and only covers a small list of common vulnerabilities. Had they been compliant, there is a high likelihood that they would not have been breached.
    ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
    Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
    Custom configurations, firewall, VPN, load balancers, private networks and more.

  15. #15
    Quote Originally Posted by zendzipr:
    Darn, got beat to my response. Excellent points. A scan is but 1 part of 200+ items on the SAQ D and only covers a small list of common vulnerabilities. Had they been compliant, there is a high likelihood that they would not have been breached.
    Exactly - a scan is only one small part of the pie.

    Too many people think that a scan telling them they are compliant means they are really compliant, but worse than that, after a scan they feel they are safe. That false sense of security will bite them HARD every time.

    If you read any book on security or look at breaches, many of the breaches arise from a store either underestimating the risks or having a false assumption that they are safe.

    When you are holding or doing transactions with credit card information, you must ALWAYS be vigilant and not rely on just one element. You must be comprehensive!

    Let's look at it this way. Do a search to find the construction and upkeep requirements of a SCIF (Sensitive Compartmented Information Facility). SCIFs are used by the United States government as the exclusive areas to discuss TS/SCI. Their specifications spell out standards down to the precise thickness of wall that must be used for different construction materials (drywall, steel, etc.), the type of vaults that must be used, and the response time of both emergency response personnel AND backup response personnel.

    These standards are spelled out to the T for every location: domestic US, military base abroad, foreign land, etc.

    Simply put, you need to treat the PCI standards as if you were holding TS/SCI, but instead of conforming to the (insanely) complex restrictions of a SCIF, you must conform to the comparatively light PCI DSS requirements.

    Cost of breach > Cost of protection. Always!
    Tyler Thompson
    Marketing Manager
    WebHostingBuzz.com | Shared, Business, Reseller, VPS, and Dedicated Hosting
    WebHostingBuzz Hosting, Marketing, Security and Technology Blog

  16. #16
    tathompson, I didn't knock PCI scanning or site seals. I don't see what you would have to disagree with me on. Some people on this forum have an argument for it because they make money off of it, more power to them.

    If you're saying it's fine for a company to have their information breached and to carry on business like nothing ever happened, perhaps we disagree on that. Furthermore, to put up site seals after a breach, or to keep one up after one, is a false sense of security.

    It's bad enough trying to convince people it's safe to buy online then you have companies like this that have a problem and push it all under the rug with expensive seals.

    If my grandfather were to want to go to a website to buy something and he saw all these fancy icons saying "site's safe", he'd probably believe it, especially if he saw well-known companies that he's heard of.

    This is all going away from the OP's question; perhaps you can PM me what you disagree with.
    James Paul Woods
    Operations Manager
    HostKitty Internet Services
