Demystifying PCI-DSS and PA-DSS Compliance For Web Hosting Customers

Considering it’s almost impossible to demystify this for web hosts themselves, this may be a tall order. But I’ll try…

First things first: the difference between PA-DSS and PCI-DSS. These two standards have exactly two things in common.

1. They are both Digital Security Standards (thus the DSS in their names)

2. They are both overseen by the PCI Security Council

Second, a website and/or web host cannot be PA-DSS compliant. PA-DSS compliance is only for software providers that make Payment Applications (the PA in the name) that are online and exposed to the credit card number. For the web hosting world this primarily means shopping cart providers, but it also includes terminals and other payment apps that are exposed to credit card numbers.

Third, PA-DSS is approaching its mandatory deadline: all related software providers must be PA-DSS compliant no later than July 1, 2010. This date has no relation to PCI compliance. Technically, anyone accepting credit cards online ALREADY has to be PCI compliant.

Fourth, being PCI compliant has almost nothing to do with passing a scan. Yes, most online merchants are Level 4 merchants from a PCI perspective, and most of them only need to fill out the SAQ and pass a quarterly scan. What I normally see is that most business owners fill out the SAQ and don’t take it seriously: they routinely just answer everything “yes” and then assume that because they pass a scan they’re good to go. This is something like casually filling out your income tax forms and assuming you’re good to go. You’re only good to go until the trouble begins.

Part of filling out the SAQ is, as an officer of the company, verifying that your company is following these procedures and that its network architecture is as described. If there’s a breach, it’s the officer and the company who are going to be in a very tough spot, as the responsibilities for the breach fall on them and can easily put them out of business.

So what do you have to do to be PCI compliant, even if you’re a small company? I’m not a QSA (Qualified Security Assessor, essentially an approved PCI auditor), so this advice should all be gone over with your QSA, but I’ve been going through this process long enough to know a little bit, and here’s what I know are must-haves thus far:

  1. From a hosting perspective your network needs to have a minimum of three separate machines.

    • Your web server, which needs to (obviously) sit behind a secure firewall
    • Your transaction database server, which needs to be a different machine and must be on the other side of another firewall from the web server
    • Your encryption keys database server, which needs to be on a different machine than your transactions database and also behind a different firewall

  2. Your machines need to have their security patches kept up to date
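As an added example (not from the post or from Miva Merchant), here is a small Python check that encodes the three-machine layout above as a policy and flags layouts that break it. It assumes the chain internet -> web server -> transaction DB -> encryption-key DB, with each hop crossing its own firewall, which is my reading of the list; the host names, ports and firewall names are constructed.

```python
"""Check a hosting layout against the three-machine, three-firewall chain above.
Added example; hosts, ports and firewall names below are constructed."""
from dataclasses import dataclass

ROLES = ("web", "txn_db", "key_db")
# The only source allowed to reach each role, following the post's chain:
# internet -> web server -> transaction DB -> encryption-key DB
ALLOWED_SRC = {"web": "internet", "txn_db": "web", "key_db": "txn_db"}

@dataclass(frozen=True)
class Flow:
    src: str       # "internet" or one of ROLES
    dst: str       # one of ROLES
    port: int
    firewall: str  # the firewall that permits this flow

def check_layout(hosts: dict, flows: list) -> list:
    """Return findings; an empty list means the layout matches the chain."""
    findings = []
    # Each role must run on its own machine.
    for i, a in enumerate(ROLES):
        for b in ROLES[i + 1:]:
            if hosts.get(a) == hosts.get(b):
                findings.append(f"{a} and {b} share machine {hosts.get(a)}")
    # Every permitted flow must be a hop of the chain.
    for f in flows:
        if ALLOWED_SRC.get(f.dst) != f.src:
            findings.append(f"{f.src} -> {f.dst}:{f.port} bypasses the chain")
    # Each hop must cross a different firewall from the previous hop.
    fronted = {}  # firewall name -> role it protects
    for f in flows:
        if f.firewall in fronted and fronted[f.firewall] != f.dst:
            findings.append(f"{f.firewall} fronts both {fronted[f.firewall]} and {f.dst}")
        fronted[f.firewall] = f.dst
    return findings

# Constructed samples: a layout that matches the chain and a flat one that does not.
GOOD_HOSTS = {"web": "h1", "txn_db": "h2", "key_db": "h3"}
GOOD_FLOWS = [Flow("internet", "web", 443, "fw-edge"),
              Flow("web", "txn_db", 5432, "fw-db"),
              Flow("txn_db", "key_db", 8443, "fw-keys")]
BAD_HOSTS = {"web": "h1", "txn_db": "h1", "key_db": "h2"}
BAD_FLOWS = [Flow("internet", "web", 443, "fw-edge"),
             Flow("web", "txn_db", 5432, "fw-edge"),  # same firewall as the edge
             Flow("web", "key_db", 8443, "fw-keys")]  # web reaches keys directly

if __name__ == "__main__":
    print(check_layout(GOOD_HOSTS, GOOD_FLOWS))  # []
    print(check_layout(BAD_HOSTS, BAD_FLOWS))    # 3 findings
```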

There’s a whole lot more to PCI compliance than just those two items, but when it comes to hosting these two are must-haves. What probably goes without saying is that you really can’t get all the moving parts you need to be PCI compliant and pay only $10 a month for it.

It’s time to really reset the market’s perspective on what it costs to securely host a website as ecommerce becomes completely intertwined with our daily lives. From everything I can tell, the low end of pricing for PCI-capable hosting is going to be in the $50 a month range, and it easily goes up from there. This may seem like a lot, but it’s really a very low cost when it comes to properly protecting credit card data and offering a more secure online shopping experience.


Rick Wilson

About

Rick Wilson is the Executive Vice President of Miva Merchant, a popular online shopping cart software company.
Rick has been with Miva Merchant since 1999, when he began at the original Miva Corporation as an outside sales representative; he took over as Vice President of Sales in 2002 and ultimately as Executive Vice President in 2007.
Rick's more than 12 years of executive-level sales and marketing experience also includes his tenure as Vice President of Sales and Marketing for Providence Systems, a privately held sales training company. At Providence Systems, Rick developed and executed the sales and marketing strategies that helped lead a successful corporate turnaround between 1998 and 2002.
Through his WHIR blog, Rick will cover ecommerce trends, products and services from the perspective of the online merchant. He will focus on best-practice thinking and tools that help merchants improve their business, and be on the lookout for the information that gives merchants the competitive edge to be successful.