PCI Compliance and certification...

Discussion in 'TechTalk' started by wcbassman, Nov 17, 2009.

  1. wcbassman

    wcbassman Guppy

    I'm trying to locate any definite information from Jodohost regarding the servers and PCI compliance. I just launched an osCommerce site for a customer, and in an effort to tighten up security (beyond the standard SSL), I've become knee deep in the rules and regs of PCI compliance. So, what I'm looking for is:

    Which, if any, JH servers are PCI compliant?
    If not, do you have a recommended gateway so I can configure this install to be PCI compliant?
    Is there a JH PCI compliance FAQ somewhere that I can access for more info?

    Anything you can provide would be great.

    Thanks,

    Gene Crawford
    Emedia
  2. Stephen

    Stephen US Operations Staff Member

    no shared server is PCI compliant. it doesn't mean one could not pass a quick scan, but they are not PCI Compliant.

    By no shared server, I mean no shared server anywhere. When you really get down to it PCI compliance is a big racket with smoke and mirrors as 'security' but it prevents shared hosting from being PCI Compliant. There may be some hosts that can get you past the scans, but that is not true security or preventing anything, we aren't going to manipulate the system and firewalls to make it pass to be honest.

    you can be PCI complaint on a winVPS, but you will save yourself a lot of headache in that if you manage it fully by hand without a control panel as well.
  3. wcbassman

    wcbassman Guppy

    I was wondering about that, because that's what I read as far as shared sites go, however, I see that some hosts (GoDaddy, for instance) say they are PCI compliant. Whether that's true or not, I don't know. But, with all the penalties that exist out there for not being compliant, if that's really the case, I have to do my due diligence and let my customer know what, if any, risks exist.

    Not risks to the site, per se, but risks being discovered by some PCI compliant nazi and end up being subject to penalties, etc. I'm just getting my feet wet with all this stuff, and it's a bit daunting.

    Gene
  4. Stephen

    Stephen US Operations Staff Member

    We've studied it extensively, we looked at offering PCI compliant shared hosting for a while, but after looking at the details and the penalties, it would be a nightmare. There would possibly be a few ways to be shared hosting pci compliant, but the site and servers woudl be near useless, HTML only etc, which doens't do much for selling via a cart :D It would have to be that locked down to be compliant on a shared level, and the penalties are STEEP.

    Even for access to the servers for our staff, we'd need PCI servers in a separate cage, with biometrics access, that auto logs it, everything would have to be EXTENSIVELY recorded etc, as physical access is one of the main points. The building and cage itself being like this is not enough, if you have someone in the cage just putting in a server for you, it could be in violation, that is why having a separate area becomes a requirement. I really doubt many of these matters are ever even considered by some advertising such compliance. in some ways it would be a liability for us to claim such even, as it could pressure audits. I am surprised to hear GoDaddy is saying this.
  5. wcbassman

    wcbassman Guppy

    I guess I'm looking for an answer that will provide me a panacea, but it appears that it doesn't exist.

    I think that I've also learned that PCI Compliance, in most states at the moment, isn't a set of laws you might violate as much as it is a violation of whatever agreements merchants may have with their credit card providers. So, if you get nailed, the CC company has some recourse to blame, then sue, you because you didn't meet their compliance standards.

    This is what I found on the GoDaddy site. http://help.godaddy.com/topic/268/article/4265. This cart may work just as you described.

    Of course, I want to continue using my osCommerce install. So. As a hosting provider, you understand my concerns. I don't expect you to alleviate them, but I'd appreciate some suggestions for what my next steps could/should be.

    Even if it's just 'keep using osCommerce, but go to the forums and make sure you install all their security mods, etc.' I'm really in the information gathering mode, and want to explore all my avenues.

    Thanks so much for your time.

    Gene
  6. Stephen

    Stephen US Operations Staff Member

    I don't know that you can get PCI compliance with simply editing code, I see what Godaddy has done is to make a special cart, on different servers, and it is not oscommerce, it is their own thing. they likely are doing something like what I mentioned above keeping it totally separate and have worked to custom develop this app to be somewhat functional, but limited enough to pass PCI. That si why they specifically say your website will fail but the 'cart' will not, as it is on different servers and sytems thant he website on normal shared hosting.

Share This Page

JodoHost - 26,000 hosting end-users in 100 countries
Plesk Web Hosting
VPS Hosting
H-Sphere Web Hosting
Other Services