Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

PCI Compliant Host?


TracyS

Recommended Posts

It has recently come to my attention that all ecommerce websites will need to be PCI Compliant by October of this year.

 

Due to this - I had our website scanned to see where we were currently at and what would need to be done to become PCI Compliant.

 

It turned out that our hosting company would need to make some changes to their servers (only 2 changes) and so, I contacted our hosting company asking if they had any servers with these changes already in place or if we would need a dedicated server.

 

Our hosting company informed me that they have no immediate plans for getting their servers to be PCI Compliant and they suggested I find another host :blink:

 

Sooo - I am now looking for a reliable hosting company that provides PCI Compliant hosting. So far I have found A2 Web Hosting. They seem to be reputable - but figured I'd ask here before making any decisions :blush:

 

If anyone has any thoughts they would be greatly appreciated.

~Tracy
 

Link to comment
Share on other sites

I`m from UK but our servers are in the US provided by http://liquidweb.com/ who give excellent service.

 

:)

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

It has recently come to my attention that all ecommerce websites will need to be PCI Compliant by October of this year.

where did you read this? my understanding is (which may be incorrect.?) is that you need to be pci compliant in order to STORE or COLLECT the #s.

 

using paypal / authorize if you pass the processing work onto them pci is irrelevant.

and also, isn't one of the pci requirements that you be on a dedicated server? i find it hard to believe 100% of ecommerce websites nowadays can afford that, seeing as a new one seems to be popping up every half second :)

Link to comment
Share on other sites

1. If you wish to take cc payment on your own site you need to be PCI compliant. (typical examples is protx, paypal pro and authorize.net)

 

But using a payment gateway for the actual processing the part of the PCI you have to satisfy is not very difficult and most host companies should be willing and able to do the necessary changes to their set-up to be compliant.

 

Any host who are not willing is not concerned enough about security and you should then switch to another hosting company who is.

 

 

2. If you wish to take cc payment and also save the cc information, then you will need to comply to a more complete list to be PCI compliant, and you can not be on a shared hosting enviroment .. but will need to have your own dedicated server(s).

 

 

3. If you use a third party payment provider where the cc info is collected on the payment providers website , examples would be standard paypal, paypal ipn and 2checkout , then neighter you nor the hosting company is required to be PCI compliant.

Link to comment
Share on other sites

maybe i am reading into your post a bit much but these seem to be the same thing:

1. If you wish to take cc payment on your own site you need to be PCI compliant. (typical examples is protx, paypal pro and authorize.net)

 

3. If you use a third party payment provider where the cc info is collected on the payment providers website , examples would be standard paypal, paypal ipn and 2checkout , then neighter you nor the hosting company is required to be PCI compliant.

 

this confuses me a bit.. seems like 2 different answers?

Link to comment
Share on other sites

seems like 2 different answers?

 

NO...

 

1. Is for those who have the customer input the cc info on their web page and then its "invisibly" passed on for real time processing by the payment processor in the background. ie. customer does not "leave" your site... (As mentioned before typical examples of this is authorize.net, protx, paypal pro etc.)

 

2. Is for those who have the customer input the cc info on their web page and also stores it in their db. (For those who wish to store cc info for later manual offline processing)

 

3. Is for those who do not take any cc info at all on their own site, but redirects the customer to a separate payment page on the payment processors web server where the cc info is inputed and processed. ie. customer leaves your site to process the payment. (As mentioned before typical examples of this is 2checkout, paypal ipn, paypal standard, paypal express, google checkout ... etc.)

Link to comment
Share on other sites

Thank you - this information is very helpful! Being you appear to have a lot more knowledge in this area than I do (as I'm just learning about this) - maybe you would be willing to let me know if this is accurate:

 

I am thinking we would end up being in group 2 - although we don't save the CC#'s for very long. We collect the CC# with the order and then I print the orders off and they are manually entered into our system here at the office and the cc is processed through a gateway from here in the office at the time we enter their order. Then, when the order is shipped, it comes back to my desk so I can mark the online order as shipped, at which time I "Zap" the cc# so it only shows the last 4 digits. In between the customer entereing their number and me zapping it, their number is encrypted.

 

Would this put me into group 2?

 

Have you heard anything about A2 Hosting?

 

Thank you :blush:

 

1. If you wish to take cc payment on your own site you need to be PCI compliant. (typical examples is protx, paypal pro and authorize.net)

 

But using a payment gateway for the actual processing the part of the PCI you have to satisfy is not very difficult and most host companies should be willing and able to do the necessary changes to their set-up to be compliant.

 

Any host who are not willing is not concerned enough about security and you should then switch to another hosting company who is.

 

 

2. If you wish to take cc payment and also save the cc information, then you will need to comply to a more complete list to be PCI compliant, and you can not be on a shared hosting enviroment .. but will need to have your own dedicated server(s).

 

 

3. If you use a third party payment provider where the cc info is collected on the payment providers website , examples would be standard paypal, paypal ipn and 2checkout , then neighter you nor the hosting company is required to be PCI compliant.

~Tracy
 

Link to comment
Share on other sites

Thank you - this information is very helpful! Being you appear to have a lot more knowledge in this area than I do (as I'm just learning about this) - maybe you would be willing to let me know if this is accurate:

 

I am thinking we would end up being in group 2 - although we don't save the CC#'s for very long. We collect the CC# with the order and then I print the orders off and they are manually entered into our system here at the office and the cc is processed through a gateway from here in the office at the time we enter their order. Then, when the order is shipped, it comes back to my desk so I can mark the online order as shipped, at which time I "Zap" the cc# so it only shows the last 4 digits. In between the customer entereing their number and me zapping it, their number is encrypted.

 

Would this put me into group 2?

 

Have you heard anything about A2 Hosting?

 

Thank you :blush:

 

Saving a cc number just for 1 minute or 3 days it amounts to the same....

 

Doing it that way you can probably not use shared hosting at all, to be PCI compliant when storing cc numbers you will in most cases need atleast a dedicated server.

Link to comment
Share on other sites

Hi Tracy,

 

Just for the sake of an example, I have recently been through PCI compliance certification (see thread: http://www.oscommerce.com/forums/index.php?showtopic=300165 - read to the end ), and my situation makes me a #2 in Nick's list. We are collecting credit card info in a page on our web site, and when the customer hits "confirm", the info is passed securely to our payment gateway. With this method, the cc# never actually sits on the shared server that hosts our web site. For us to access the complete order info, including cc# if we need it, we must access our payment gateway's own server on the web. But we must never, never, record cc#s on our internet-connected or internally networked PCs.

 

This does not mean we don't need to be compliant, since problems with our SSL or malfunctions of the host server could allow security breaches. The PCI compliance certification package that we enrolled in includes quarterly remote scans of our system. Luckily, our hosting service was PCI-compliant (we are hosted with Bell Canada).

 

We also take telephone and fax orders, and we do store the cc# and other customer info from these orders, and potentially our web orders, on a stand-alone non-networked PC. This is a PCI-compliant procedure, as is paper storage, as long as due precautions are taken.

 

Still, it is likely that we will stop storing cc# altogether. Even paper and stand-alone PCs pose certain risks, and our customers deserve all possible precautions.

 

Hope this helps, :)

~Wendy

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...