In this post, we’ll try to create a grading system for PCI Compliant Managed Hosts, which I’ll later
use to go over several hosts whom I’ve been interviewing and dealing
with over the past 3 months.
This is all new territory for me, and for the industry. There is no coherent grading system, and its hard to tell the newbies apart from the gurus.
So you’ve scoured the web, and looked at lists. By this time, your initial shock may have subsided. Shock? Yeah, you’ve had no need to narrow your list as the list is already small. Why in the world are the rest of the hosts so behind? Are those $9.95 e-Commerce plans PCI Compliant? Probably not. Does it seem like 95% of the world doing e-Commerce actually doesn’t meet most of the PCI specs? Yup. Should you be scared about where and whom you buy from online even more? Yes.
So let’s take a look at the hosts. They tend to fall into categories pretty easily.
Tier 4 (Highest) – These guys rock. The eat PCI Compliance for breakfast.
- May belong to the PCI Security Standards Council
- Should be able to provide a pretty detailed diagram of the setup
- Should be able to provide a dedicated Account Exec, along with an in-house team of experts (Sys. Admins, DBAs, etc)
- Should have certification with Visa for their Cardholder Information Security Practices (CISP) standard for compliance, along with experience with Sarbanes-Oxley, HIPAA, etc
- Have expertise in other areas like SAS 70 Certification
Tier 3 (2nd Highest) – These guys have experience, but are far from experts.
- These guys don’t have formal processes to handle new clients for PCI
- They usually have done several clients in the past, and are “getting better” with each new client
- They usually put more emphasis on the initial sales pitch, but drag their feet for details
Tier 2 (2nd Lowest) – These guys are new, and may actually be making stuff up along the way.
- I know, my rating system is getting harsher, but these guys may advertise PCI, but aren’t prepared in the least.
- They may offer some sort of PCI Toolkit, but their implementation (and/or understanding) of PCI is flawed.
- They might think of PCI as a patch, or some extra hardware.
- Their sales people (and/or tech reps) are barely trained to talk PCI.
Tier 1 (Lowest) – These guys advertise PCI, but wouldn’t know it if it stared them in the face.
- Their sales process is extremely weak.
- They have little to no understanding of PCI Compliance.
- They bad mouth other host.
- May offer “special” pricing to hook you.