{"id":1836,"date":"2010-05-21T14:47:02","date_gmt":"2010-05-21T21:47:02","guid":{"rendered":"http:\/\/www.pdxtc.com\/wpblog\/?p=1836"},"modified":"2014-12-04T13:16:32","modified_gmt":"2014-12-04T20:16:32","slug":"pci-compliant-web-hosting","status":"publish","type":"post","link":"https:\/\/www.pdxtc.com\/wpblog\/web-hosting\/pci-compliant-web-hosting\/","title":{"rendered":"PCI Compliant Web Hosting"},"content":{"rendered":"

There’s a set of “requirements” called Payment Card Industry Data Security Standards (PCI DSS) that was developed by the PCISSC\u00a0 Payment Card Industry Security Standards Council.<\/p>\n

I first heard of these “requirements” in the bar on the last day at Pubcon Vegas 2008, where someone said “Trust me, you’d BETTER learn about it, because they’ll make your life miserable if you don’t…”, and they were sure right.<\/p>\n

In 2009 one of my long time consulting clients actually began GETTING FINED by their processor for not being PCI compliant.<\/p>\n

At first the fine was about $40 monthly, but that quickly mushroomed, and all of a sudden, they were told that it was several hundred dollars a month.<\/p>\n

We changed shopping carts, then worked with the web host, and all was finally resolved, but it took four months and several thousand dollars. Can you afford that unexpectedly?<\/p>\n

Before you ask “who has the authority to fine them?” you should know that in their case it was called a “fee” and not a “fine” and it was imposed by their middleman transaction processor, not Authorize.net or their bank.<\/p>\n

The official “power” to impose that fee is actually non-existent and totally arbitrary, sort of like blockbuster charging a late fee – because they can.<\/p>\n

Get On Top of PCI Compliance NOW<\/strong>
\nIt likely won’t be long before EVERYONE that will process the credit card you take on your website will have to decline your business transactions, and this will put you out of business.<\/p>\n

This simply designed to provide a standardized set of consistent security measures for merchants to follow that are handling credit card transactions. – i.e. it’s for our own good.<\/p>\n

Yes it’s going to be a pain in the ass to get compliant, but it’s not nearly as bad as trying to recover fraudulent funds that get their transactions reversed after you have shipped or delivered your product, is it?<\/p>\n

Worse, will it be as bad as finding out that not only are you being charged a “fee” but in fact, your bank will no longer accept your transactions?<\/p>\n

All you have to do is check your site with a vulnerability scanner for PCI Compliance. There are a number of them out there, and your bank should offer one to you soon, if they haven’t already.<\/p>\n

In some situations, you may find the need to move to web hosting platform that is claiming compliance that is willing to offer a statement about their compliance, and here’s our statement…<\/p>\n

We are not PCI compliant.<\/h5>\n

 <\/p>\n

There – do you you like that? We also have NO INTENTION of becoming a PCI compliant web host, because in doing so, we’d open ourselves to liability just by claiming we are.<\/p>\n

I just completed an evaluation, and while I won’t go into the specifics, even though they may be fixable, they are going to be consuming, and we probably won’t be\u00a0 compliant\u00a0 in 2010.<\/p>\n

The most frustrating thing is that the last time we scanned for this, nearly 8 months ago, we DID pass the test, although the test was from a a different source.<\/p>\n

Also, note that I’ve yet to run an audit anywhere recently (6 hosts in the past month) and find a perfect report, so I think the entire industry has some work to do.<\/p>\n

If any web hosts want to leave links to their PCI compliance statements as comments, please do!<\/p>\n

What EXACTLY is the Standard? <\/strong>
\nThe standard includes these 12 requirements for maintaining a secure operation:<\/p>\n

Build and Maintain a Secure Network<\/strong><\/p>\n