By Philbert Shih, theWHIR.com
August 24, 2005 — (WEB HOST INDUSTRY REVIEW) — Credit card companies have instituted new security regulations on both merchants and service providers in an attempt to ease customer concerns about identity theft and fraud. The CISP/PCI standard, which comprises Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection Program, mandates minimum encryption standards, periodic scanning, active monitoring and implementation of access controls.
The deadline for compliance passed on June 30. But many hosts have been slow to jump on board, says Brad Bialas, president of BluePay (bluepay.com), a provider of online payment processing solutions for online merchants and Web hosts. “Hosting companies are well behind the curve; the compliance date has already gone by and they haven’t done anything to be compliant.”
Being compliant with the PCI standards can be a matter of life or death for hosts, says Bialas, with the fines high enough to cripple a company or put it out of business. If, for example, security is breached and sensitive data stolen, fines can start as high as $100,000 per incident if a company is not in compliance when the incident takes place. Obviously the only way to avoid those penalties is to meet the requirements. “If you are in compliance and have gone through the process, there will be no fines, you are considered in the safe harbor,” says Bialas.
BluePay, which has a very large Web host user and reseller base, is helping make it easier for hosts and their customers to get in compliance. The company recently announced that it would offer CISP/PCI compliance services in partnership with AmbironTrustWave (atwcorp.com), a provider of information security and compliance management solutions.
Visa has classified companies into categories, each with its own set of compliance requirements. A Group 1 merchant processes over 6,000,000 transactions a year, a Group 2 merchant processes anywhere between 150,000 and 6,000,000 transactions, while a Group 3 merchant covers 20,000 to 150,000 transactions. Most of BluePay’s hosts, says Bialas, fall into the third group. And by the recently passed June 30, 2005 deadline, these companies were required to meet two stipulations: completing an annual CISP/PCI questionnaire and having scheduled quarterly network scans conducted by an approved Qualified Data Security Company (QDSC) provider.
Bialas says BluePay looked to partner with Ambiron because it wanted to support its Web hosting partners and educate them about the liabilities they face. “We have so many customers that … weren’t aware of what they needed to do,” he says.
With the Ambiron partnership in place, says BluePay, the company can help hosts and their merchant customers complete the compliance process. The companies will assist with the questionnaire and QDSC-approved Ambiron will undertake the mandatory quarterly network scans.
BluePay and Ambiron will also help hosts determine in what category they belong. This can be a tricky issue for hosts, says Bialas, because hosts can be considered both merchants and service providers. The transaction volume of the merchants a Web host provides hosting services for could raise the host’s own classification, Bialas says. So if a company hosts a Group 1 merchant, it would change the host’s classification to a Group 1 service provider, which brings with it a different set of compliance requirements.
“Hosting companies really need to be aware who they are hosting,” says Bialas. “The aggregate amount of e-commerce transactions going through the companies you host, if that reaches a certain level, in an aggregate form, then you are also going to be moved up the standards.”
The service also presents a marketing opportunity for hosts, Bialas says, because the credit card companies are going to start advising companies like BluePay to only do business with those organizations that have been certified and are in compliance. “The guys who jump on this first,” he says, “can really do a good job of marketing themselves as one of the certified providers, [and will] get a big jump in business.”
In the end, compliance is a matter that must be addressed, Bialas says. “You’d hate to lose your business over something like this.”