Web Hosting Talk : Web Hosting Main Forums : Web Hosting : PCI Compliance

[Reaperwebdesign]

Hi guys,

I am helping a friend and we need to work out some pricing and a good company to do what is needed, so if anyone can advice, it is appreciated.

We've spoken to TrustWave, and have determined that the e-commerce website we are building for him is a class 5 website (due to it holding credit card details) and the merchant being a level 3 or 4 (waiting to get a confirmation)

We are going to be using Sagepay direct to take the payments, so we understand it will need to be on a VPS/Dedicated server.

What we need to do, is find a company that can go through all of the PCI compliance with us, and help make sure we have jumped through the right hoops.

Can anyone make any recommendations of a good company? If we can get a rough price, it would be very helpful too.

Reaper

[Moxie Maxwell]

Being PCI Compliant has many different factors:
1. Merchant Gateway setup
2. Shopping Cart Software
3. Hosting Company has the right settings.

Since you already have the Gateway resolved, you need to find the right Shopping Cart for you. Then when you found that, you should find the right Hosting company that will support the Shopping Cart and have the proper parameters in place to be PCI Compliant.

[DATARTIM]

If your going to hold credit card details and are indeed a level 3 or 4 merchant then it's a dedicated server.

PCI isn't a one time thing unfortunately, you need to find a company that can provide an ongoing managed service and advise with your bank/merchant provider on how it needs to be setup.

Your shopping cart/billing system also needs to be taken into account.

Also might be wise to work with a provider in your country as well, where are you based ?

[HostLeet]

Quote:

Originally Posted by Reaperwebdesign

Hi guys,

I am helping a friend and we need to work out some pricing and a good company to do what is needed, so if anyone can advice, it is appreciated.

We've spoken to TrustWave, and have determined that the e-commerce website we are building for him is a class 5 website (due to it holding credit card details) and the merchant being a level 3 or 4 (waiting to get a confirmation)

We are going to be using Sagepay direct to take the payments, so we understand it will need to be on a VPS/Dedicated server.

What we need to do, is find a company that can go through all of the PCI compliance with us, and help make sure we have jumped through the right hoops.

Can anyone make any recommendations of a good company? If we can get a rough price, it would be very helpful too.

Reaper

Check http://www.handsonwebhosting.com/ I think they offer PCI compliant web hosting plans.

[DATARTIM]

Quote:

Originally Posted by HostLeet

Check http://www.handsonwebhosting.com/ I think they offer PCI compliant web hosting plans.

Shared hosting is not suitable for his merchant level. It's not really suitable at all for what he wants to do anyway.

Unless you can run things yourself your best off finding a managed provider to help set it all up and then keep things running. That can cover the hosting side of things and making sure you stay compliant and advising going forward on your hosting needs and on the PCI, as your merchant level can change and so can the requirements.

[HostLeet]

Quote:

Originally Posted by DATARTIM

Shared hosting is not suitable for his merchant level. It's not really suitable at all for what he wants to do anyway.

Unless you can run things yourself your best off finding a managed provider to help set it all up and then keep things running. That can cover the hosting side of things and making sure you stay compliant and advising going forward on your hosting needs and on the PCI, as your merchant level can change and so can the requirements.

Hmmm..Who said I recommended shared hosting? Also, I believe they offer both PCI compliant dedicated servers and shared hosting.

[Spudstr]

PCI is only as good as whoever scans/audits you does it.

Example. Mcaffee's audit might pass you but securitymetrics will fail you.

[crazylane]

Be carefull selecting a shopping cart, come July 2010 it will have to be PA-DSS compliant. You will need more than one server to be truly PCI compliant.

[PCI-DSS] 2.2.1 Implement only one primary function per server.

2.2.1 For a sample of system components, verify that only one primary function is implemented per server. For example, web servers, database servers, and DNS should be implemented on separate servers.

[Reaperwebdesign]

For the software, we are using Xcart, which has proven to be working fine.

We are currently looking at a 2-3 server option, that should do what is needed hopefully, but the estimated cost could be £6k+ a year, so its something my friend will have to consider.

Reaper

[zendzipr]

Quote:

Originally Posted by crazylane

Be carefull selecting a shopping cart, come July 2010 it will have to be PA-DSS compliant. You will need more than one server to be truly PCI compliant.

[PCI-DSS] 2.2.1 Implement only one primary function per server.

2.2.1 For a sample of system components, verify that only one primary function is implemented per server. For example, web servers, database servers, and DNS should be implemented on separate servers.

This advice is one of the top 200 items on my list when dealing with PCI compliance. My recommendation for anyone who does not need to store credit cards is to not have anything to do with them.

Also depending on your level, ie how many credit cards you process per year, Master Card just started fining merchants for non-compliance.

http://blogs.verisign.com/securityco...erchants_f.php

$150-$350k per year in fines... Be careful who you choose to be your partner and do your research well.

#2 on your list after getting PA-DSS compliant or in house software is to ensure your service provider is PCI Level 2 Service Provider or higher and that they will sign a written agreement acknowledging responsibility for access to your cardholder data.

There have been many players who have jumped into the PCI hosting sphere but only a handful truly know what they are doing. It is and can be an expensive game, considering the first data breach can cost in excess of $1.5M, even for a small merchant.

If I were to recommend a host, go check out RackSpace or GSI hosting. They are the big players in the field but there are others.

The level merchant does not matter below 2. 1 & 2 require on site validation, 3 & 4 don't. What really matters is your Type 5 merchant category. This puts you into a completely different class of service requirements. Proper segmentation between application and database servers, firewalls, HIDS, Log monitoring, retention, internal network scanning, internal and external penetration testing, ASV scanning, application firewalls, etc, etc, etc.. Can't really say what something like this would cost but if it is less than $1-2K per month go somewhere else, esp considering the penetration test alone can cost anywhere from $4-30k per test from an ASV.

[zendzipr]

Quote:

Originally Posted by Reaperwebdesign

For the software, we are using Xcart, which has proven to be working fine.

We are currently looking at a 2-3 server option, that should do what is needed hopefully, but the estimated cost could be £6k+ a year, so its something my friend will have to consider.

Reaper

Since you are using XCart, here is a good thread dealing with their PA-DSS certification http://forum.x-cart.com/showthread.php?t=46073

Also, unless you are handling everything yourself, can host in house and have experience performing penetration tests, esp if you are a Level 3 Merchant, I would recommend increasing that budget a bit.

[crazylane]

Zendzipr,

I recently read that if you are using in house software(not PA-DSS) you may be treated as a level one merchant. Have you heard anything to this effect?

[zendzipr]

Quote:

Originally Posted by crazylane

I recently read that if you are using in house software(not PA-DSS) you may be treated as a level one merchant. Have you heard anything to this effect?

Hope that information came free.

No, a merchant will not be a Level 1 if using in house software. They are however be required to do code reviews which is just good programming practice anyway.

Merchant levels are determined by total number of transactions per year.

[crazylane]

I read this here:

http://www.thewhir.com/blog/Rick_Wil...ce_Web_Hosting

I also would like not what constitutes in-house software, if you mod oscommerce for example.

[magnafix]

zendzipr, have you heard of any other non-compliance fines such as the one mentioned in that Verisign blog? Or any other similar trends?