Web Software Architecture and Engineering – Life on the Bleeding Edge

In this post, we’ll try to create a grading system for PCI Compliant Managed Hosts, which I’ll later use to go over several hosts I’ve been interviewing and dealing with over the past 3 months.
This is all new territory for me, and for the industry. There is no coherent grading system, and it’s hard to tell the newbies apart from the gurus.
So you’ve scoured the web, and looked at lists. By this time, your initial shock may have subsided. Shock? Yeah, you’ve had no need to narrow your list as the list is already small. Why in the world are the rest of the hosts so behind? Are those $9.95 e-Commerce plans PCI Compliant? Probably not. Does it seem like 95% of the world doing e-Commerce actually doesn’t meet most of the PCI specs? Yup. Should you be scared about where and whom you buy from online even more? Yes.
So let’s take a look at the hosts. They tend to fall into categories pretty easily.
Tier 4 (Highest) – These guys rock. They eat PCI Compliance for breakfast.

  • May belong to the PCI Security Standards Council
  • Should be able to provide a pretty detailed diagram of the setup
  • Should be able to provide a dedicated Account Exec, along with an in-house team of experts (Sys. Admins, DBAs, etc)
  • Should have certification with Visa for their Cardholder Information Security Practices (CISP) standard for compliance, along with experience with Sarbanes-Oxley, HIPAA, etc
  • Have expertise in other areas like SAS 70 Certification

Tier 3 (2nd Highest) – These guys have experience, but are far from experts.

  • These guys don’t have formal processes to handle new clients for PCI
  • They usually have done several clients in the past, and are “getting better” with each new client
  • They usually put more emphasis on the initial sales pitch, but drag their feet for details

Tier 2 (2nd Lowest) – These guys are new, and may actually be making stuff up along the way.

  • I know, my rating system is getting harsher, but these guys may advertise PCI, yet aren’t prepared in the least.
  • They may offer some sort of PCI Toolkit, but their implementation (and/or understanding) of PCI is flawed.
  • They might think of PCI as a patch, or some extra hardware.
  • Their sales people (and/or tech reps) are barely trained to talk PCI.

Tier 1 (Lowest) – These guys advertise PCI, but wouldn’t know it if it stared them in the face.

  • Their sales process is extremely weak.
  • They have little to no understanding of PCI Compliance.
  • They bad-mouth other hosts.
  • May offer “special” pricing to hook you.

Comments on: "Grading PCI Compliant Managed Hosts" (6)

  1. I have been trying to find a reasonable and reliable host that is PCI compliant for a while now.

    I am currently being hosted by BlueHost and my Merchant account is with Elavon (formerly NOVA).

    Even though Elavon is handling my transactions and they are of course compliant, they still require that I am also PCI compliant.

    The written questionnaire is no problem and passed. The scan is another story. BlueHost does not pass at all.

    They tried some rebuttals with TrustKeeper, who does the scan, to no avail.

    So I am looking for the true compliant host, before I have to just switch to paypal and google checkout.

    Thanks for your work.


  2. Wolfgang,

    I will be adding 6-8 additional hosts we went through to find the right one. Stay tuned. Maybe I can help.

  3. Cameron Miller said:

    We are conducting a similar analysis on PCI Certified Managed Hosts. I would be really interested in comparing notes, if you’re interested. Please send me a note at cameron at paytrace dot com.


  4. Hi there,

    I’m on bluehost also and need to be PCI compliant and they are NOT passing the scan. My merchant provider will start charging me in March for every month I am not compliant… I need a new host also that is PCI compliant (SAQ C)… help!

  5. Sterg,

    I am still with bluehost, and after many trials and tribulations they got me through. However, there was another price tag to it.

    I got seduced into joining McAfee services and now have both McAfee and Trustkeeper.

    The price for McAfee was $850.00 a year, Trustkeeper charges another $135.00. But I resolved a lot of problems and have been compliant for the last eight months.

    Compliant hosts charge pretty large amounts for not so large storage space.

    Sorry I could not help.


  6. alfred Know said:

    So, question is, does anyone know or can verify ANYONE out there who is a genuine Tier 4 outfit?
