
osCommerce

The e-commerce.

PCI compliance and SSL


will.n


Hi

We are starting an osCommerce site and the person we bought the software / hosting from wants to charge £89.99 for SSL and £399.99 for PCI compliance.

My question is:

Are these prices fair or average?

Can I implement these two items myself at a reduced cost?

Thanks in advance.

Will.


You'll have to get a list of what exactly is included at those prices. The SSL price seems a bit steep to me -- does it include the certificate (good for how long) and installation? How much insurance is offered and/or maximum transaction value protected? What are they promising to do for "PCI Compliance"? What kind of experience do they have working with eCommerce sites, and specifically osCommerce? Are they just going to look it over, or do they have a specific checklist of things to look for? More importantly, do they offer any written guarantees, and pick up any fines or penalties if your site is found wanting? Does any official (industry-wide) certificate of compliance come for that price? Most of this you could probably do yourself for no cost (except your time). And don't forget -- if you use a third-party payment service (e.g., PayPal) for credit cards and don't have a merchant account, you don't need any PCI compliance (unless you're handling credit card details on your site).


The price for your PCI compliance does seem a bit steep, but like MrPhil stated, you should check into exactly what they are going to scan for you on your site. I just received my annual fee from the company that handles our merchant account; the cost is just $120.00. Now, I do have some questions that I need to ask them, but I feel the price is fair, and it is only once a year.

I am currently just learning osCommerce and PHP, but am always willing to help out.



We are starting an osCommerce site and the person we bought the software / hosting from wants to charge £89.99 for SSL and £399.99 for PCI compliance.

My question is:

Are these prices fair or average?

Can I implement these two items myself at a reduced cost?

Both of those are high. You can get an SSL cert from GoDaddy for $15/year (US). You would also have to pay your host for a private IP, which is usually $1 to $5 (US) per month. All that totals to about £46/year, if my conversion is correct. Some hosts won't allow you to buy your own cert, though, or they may charge for the installation. If yours does that, then the total price might approach their price, I suppose. As for the PCI compliance, that confuses me. A host doesn't usually get involved with making sure a site is compliant. And even if they do, I wonder if that would be accepted by the banks. Typically, the compliance is handled by a third party. They tell you what conditions need to be fixed and you pass those along to your host, who should fix them for free. My guess is that your host is hiring the third party (like McAfee or ControlScan) and then doubling the cost for you. You may want to check with them, or the financial institution that handles your charges, to see what they would charge. Although, again, if you give a list to your host they may charge you for the fixes anyway, so you need to ask their policy before committing to anyone.



A host doesn't usually get involved with making sure a site is compliant.
The host provider does need to make sure the server is compliant. There are several issues that the hosting provider must deal with, then a third party would scan the site and verify that the site is compliant. But without the server being compliant, the site will never attain compliance.

They tell you what conditions need to be fixed and you pass those along to your host, who should fix them for free.
This sometimes happens. When I went through PCI compliance on my servers, I had to disable several features and move around sites etc. so that sites were not affected. Additional issues come about because PCI means that the PHP and MySQL versions have to be the most current, and this too can affect sites on a shared server for the host provider.
cheers,

Peter McGrath



The host provider does need to make sure the server is compliant. There are several issues that the hosting provider must deal with, then a third party would scan the site and verify that the site is compliant. But without the server being compliant, the site will never attain compliance.

No, there's nothing to cause a host to update a server on their own. Unless a hosting member brings up the point, some hosts won't upgrade. Many hosts do this automatically but are not required to do so. But what I was saying is that the host isn't usually the one that contacts the hosting member and tells them their site is not compliant. That's bordering on bad practice, in the least. For example, a host contacts one of their hosting members, tells them that their shop isn't PCI compliant but that they will fix that for them, then updates their server and charges for it. Seems underhanded at best.



For example, a host contacts one of their hosting members, tells them that their shop isn't PCI compliant but that they will fix that for them, then updates their server and charges for it. Seems underhanded at best.
I agree 100%!

Hosting providers generally want to supply what the client both needs and wants. Server-related issues the hosting provider supplies; the site software (i.e. issues with osC, forums etc.) is dealt with via the client.
cheers

Peter McGrath



Archived

This topic is now archived and is closed to further replies.
