Web Software Architecture and Engineering – Life on the Bleeding Edge

Ok, so we’re doing e-Commerce, and obviously we want our managed hosting environment to be PCI Compliant. For all the hoopla around PCI Compliance, I only found a dozen or so hosts with PCI Compliance certification for creating, managing, and maintaining a PCI compliant environment. Given that 90%+ of hosts provide some sort of shopping cart/e-commerce lite functionality, this is pretty scary. And the more I dig into this, the scarier it becomes. Let’s face it, your data is not secure. And those who are meeting PCI Compliance have yet to meet the latest requirement, section 6.6 of the PCI DSS.
There are some hosts who even say they are PCI Compliant and advertise it, but they are NOT. What they mean is that their own operations are PCI Compliant, but their hosting environment is not. Others say, you know what, this could mean a lot of things, referring to the vague and unclear PCI guidelines, which makes it even worse.
As a result, I’m doing a presentation internally on PCI DSS, and clearing up some of the FUD surrounding it. It’s a matter of how close you can get to being certified when pursuing the self-certification path. When you hire one expert, they will tell you something different from the second, so the smart thing to do is to be tech-savvy, think like a hacker, and start doing a GAP analysis to see what and how you can slowly move towards compliance, given your budget constraints.
Anyone interested in me posting a primer on PCI Compliance that clears some of the FUD?


Comments on: "Finding a Good Managed Host with PCI Compliance Experience" (9)

  1. A primer would be very welcome!

  2. would love to have that

  3. Hey Sami,

    The primer would be great! I’ve been looking into this recently and it absolutely drives me nuts. I have a bunch of half written postings, but as far as I am concerned, the more noise about this – the better.

    The acquiring banks really need to step up and make this a priority for their merchants. Until they do, I can’t justify creating PCI compliant solutions as my clients are either uninterested or think that signing up for McAfee scanning will magically make them compliant (which is what the language on their website could well suggest to a casual reader).

    As you mentioned, most of the hosting operations that mention PCI compliance are saying that THEY are compliant. If you want to be PCI compliant you have to go through the whole pain of the process or you need to completely outsource the project to the hosting company. As soon as you even have access to the server the site is hosted on, you’re going to have to work up your security plan, do the background checks, confirm the security of the networks and the computers that you are connecting to the hosting environment with, etc. If you want to chat, I’d love to share some war stories 🙂

    Only really good host I’ve found is GSI Hosting, but the prices were a little impractical for our needs. We’re still without a compelling solution at the moment.

  4. Please I am in dire need of help so any information I can suck up is beneficial

  5. Chris, shoot me an e-mail. I would be happy to talk with you about your project. PCI compliant hosting is what we do and we feel that we do it better than anyone else in the market. The posts on here are spot on that we are NOT the cheapest hosting company out there but we do provide a premium service and compliance is the goal of everything that we do.

  6. By the way Chris I wanted to make sure everyone knew that I am an employee of GSI Hosting and my e-mail address is mfuqua@gsihosting.com. I have some documents that may help you in your quest for PCI compliance and I would be happy to share those with you if you feel that they would be a help.

  7. I am to submit a report on this niche; your post has been very, very helpful.

  8. I loved the way you explained things. Much better than many here.

  9. Well I sincerely enjoyed reading it. This information offered by you is very helpful for good planning.
