Thread: Affordable PCI Certification
-
05-12-2009, 06:09 PM #1 Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
Affordable PCI Certification
Does anyone know of a firm that offers PCI certification for a low price (something in the ballpark of $200-300)? I have Googled it and turned up companies charging $1500-5000 per year, which is retarded.
I have already run a PCI compliance scan from Comodo and came back clean, so I would like to get the certification done.
Regards!
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canada web hosting (based in Newfoundland) since 2007
Servers based in the US and Canada (Uptime Report)
-
05-12-2009, 08:15 PM #2 Hosting Systems Specialist
- Join Date
- Dec 2003
- Location
- New Zealand
- Posts
- 1,265
Try Rack911.com
It is very expensive; I'm not sure of Steve's rates.
I only provide it to corporate clients; it's very, very expensive for us too as a service to offer.
-
05-12-2009, 08:21 PM #3 Disabled
- Join Date
- Sep 2005
- Location
- A box
- Posts
- 2,051
Liquidweb provides the scan + certification to its clients for $50 per month.
-
05-12-2009, 09:23 PM #4 Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canada web hosting (based in Newfoundland) since 2007
Servers based in the US and Canada (Uptime Report)
-
05-13-2009, 02:52 AM #5 Newbie
- Join Date
- Dec 2004
- Posts
- 6
You can go to ScanAlert (now McAfee) directly for $319.00 a year for 4 IPs.
I take it you are a level 4 merchant? You should talk to your acquiring bank and see what they require. You may not have to do anything above a quarterly scan to demonstrate compliance. Actually being compliant (and staying compliant) is a different matter.
-
05-13-2009, 03:03 AM #6 Aspiring Evangelist
- Join Date
- Dec 2002
- Posts
- 371
-
05-13-2009, 11:57 AM #7 Web Hosting Evangelist
- Join Date
- Jun 2007
- Posts
- 501
Do you mean validation? Validation != certification. If you have a clean scan and are level 3 or 4, all you need to do is fill in your SAQ and submit it to your bank, which should not cost any $$. Comodo should have an online method for doing this for free. If, however, you are a Level 1, expect to spend $10k or more.
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.
-
05-13-2009, 02:25 PM #8 Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canada web hosting (based in Newfoundland) since 2007
Servers based in the US and Canada (Uptime Report)
-
06-15-2009, 12:55 PM #9 New Member
- Join Date
- Jun 2009
- Posts
- 4
To clear things up a bit, the McAfee $319.00 a year option does not include a trust seal.
My question is, if you are going to pay for the scans to make sure your site is safe, why not let your customers know about it by displaying a trust seal?
What I'm saying is, having your site scanned on a regular basis is really important, and displaying seals to give your visitors peace of mind is equally important. Besides that, increased confidence will usually bring in more sales!
-
06-15-2009, 01:03 PM #10 Custom Hosting Master
- Join Date
- Jan 2007
- Posts
- 2,602
Having some colourful small button that says you are secure doesn't garner as much trust as a Verisign Secured seal, which is present on some of the biggest websites, like PayPal; if you're going for a seal it should be only one, and from Verisign.
Getting PCI compliance is easy, as long as you follow the guidelines and stick to them. Some companies may charge per year because they probably include continuous support throughout a year to keep your setup PCI compliant.
A seal only lets your users know it, but being PCI compliant is still a requirement if you accept credit cards on your site.
-
06-15-2009, 09:01 PM #11 Web Hosting Evangelist
- Join Date
- Jun 2007
- Posts
- 501
Having a seal only makes it easier for hackers. If hackers know who did your scan or that you received one, they already know what not to test. You just made their job easier for them. Ask batteries.com how well having a seal did for them.
Any ASV/QSA worth their salt won't offer a seal showing compliance, for just the above reason.
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.
-
06-16-2009, 02:59 AM #12 relax, im a professional
- Join Date
- Dec 2007
- Posts
- 1,278
This business we're in is like a circus. I never heard of the batteries.com data breach and their website isn't going to do anything to educate anyone about it.
They do carry a McAfee Secure Logo and it's astonishing that McAfee would allow a company that had a very recent breach to say "it's safe".
One with a sane mind would think it would probably be good to say this merchant was recently pwned and buy at your own risk. I guess at the end of the day all this PCI compliance and site seals is only about the money it brings in and not about protecting consumers.
James Paul Woods
Operations Manager
HostKitty Internet Services
-
06-16-2009, 03:11 AM #13 Newbie
- Join Date
- Mar 2004
- Location
- Derby, Kansas
- Posts
- 25
I could not disagree more. Although site seals provide a false sense of security (security by assumption), PCI compliance is an absolute must for hosts that accept credit cards. It would be silly to assume otherwise. PCI-DSS does a very good job at protecting consumers if it is followed correctly.
Part of the reason the PCI services are so expensive is because it is a very complex set of standards that must be followed precisely. Not just anyone can sit down and make a server compliant without specialized training or extensive research.
The merchant in question was "pwned" because, although they displayed a site seal, the site seal did not really protect their consumers. Had they actually been fully PCI-DSS compliant instead of just using one "PCI scan", it would have been more difficult for the attackers to successfully gather PII.
Tyler Thompson
Marketing Manager
WebHostingBuzz.com | Shared, Business, Reseller, VPS, and Dedicated Hosting
WebHostingBuzz Hosting, Marketing, Security and Technology Blog
-
06-16-2009, 09:44 AM #14 Web Hosting Evangelist
- Join Date
- Jun 2007
- Posts
- 501
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.
-
06-16-2009, 05:41 PM #15 Newbie
- Join Date
- Mar 2004
- Location
- Derby, Kansas
- Posts
- 25
Exactly - a scan is only one small part of the pie.
Too many people think that a scan telling them they are compliant means they are really compliant, but worse than that, after a scan they feel they are safe. That false sense of security will bite them HARD every time.
If you read any book on security or look at breaches, many of the breaches arise from a store either underestimating the risks or having a false assumption that they are safe.
When you are holding or doing transactions with credit card information, you must ALWAYS be vigilant and not rely on just one element. You must be comprehensive!
Let's look at it this way. Do a search to find the construction and upkeep requirements of a SCIF (Sensitive Compartmented Information Facility). SCIFs are used by the United States government as the exclusive areas to discuss TS/SCI. Their specifications spell out standards down to the precise thickness of wall that must be used for different construction materials (drywall, steel, etc.), the type of vaults that must be used, and the response time of both emergency response personnel AND backup response personnel.
These standards are spelled out to the T for every location: domestic US, military base abroad, foreign land, etc.
Simply put, you need to treat the PCI standards as if you were holding TS/SCI, but instead of conforming to the (insane) complex restrictions of a SCIF, you must conform to the comparatively light PCI-DSS requirements.
Cost of breach > Cost of protection. Always!
Tyler Thompson
Marketing Manager
WebHostingBuzz.com | Shared, Business, Reseller, VPS, and Dedicated Hosting
WebHostingBuzz Hosting, Marketing, Security and Technology Blog
-
06-16-2009, 07:30 PM #16 relax, im a professional
- Join Date
- Dec 2007
- Posts
- 1,278
tathompson, I didn't knock PCI scanning or site seals. I don't see what you would have to disagree with me on. Some people on this forum have an argument for it because they make money off of it, more power to them.
If you're saying it's fine for a company to have their information breached and to carry on business like nothing ever happened, perhaps we disagree on that. Furthermore, putting up site seals after a breach, or keeping one up after one, is a false sense of security.
It's bad enough trying to convince people it's safe to buy online; then you have companies like this that have a problem and push it all under the rug with expensive seals.
If my grandfather were to want to go to a website to buy something and he saw all these fancy icons saying "site's safe", he'd probably believe it, especially if he saw well-known companies that he's heard of.
This is all going away from the OP's question; perhaps you can PM me what you disagree with.
James Paul Woods
Operations Manager
HostKitty Internet Services