
osCommerce


PCI Compliance-Site Scanning, McAfee, etc.


markw10


I am working towards getting my website PCI Compliant. I know authorize.net and my merchant bank are both PCI Compliant. Also, I don't store credit cards on my website or office computer and I have a private SSL.

I am using a shared plan with HostGator but am switching to a VPS hosting plan with HostGator.

I have done a lot of research and have posted on here before and it seems a missing piece is I have to have a scan done of my website and also fill out a huge questionnaire and then submit it along with my scan results to my merchant bank to become PCI Compliant.

Am I correct about the above?

What this comes back to is site scanning. I have looked at many services including McAfee, Security Metrics, ControlScan, and TrustWave.

Most of my research so far has been with McAfee. They have a service for $319/yr which includes quarterly scans and manual scans as often as I desire. There are no logos with it for my website.

They also offer a full service for $959/year or $1289/2 years for a discount. This full service includes their PCI Scanning but also it includes their McAfee Secure scanning. The scanning is done daily and also with the McAfee Secure scanning you get a McAfee trust logo for your website.

With HostGator's shared plan for free I get the McAfee secure scanning with logo and it includes the PCI scanning but also once I change to VPS hosting I likely will lose this.

I am interested in opinions of the various options for scanning, McAfee, Security Metrics, and ControlScan, and also Trustwave, and also if I go with McAfee is their higher plan worth it? They claim I'll see an increase in sales but is that likely to be true? Thank you for your thoughts on the above.


They claim I'll see an increase in sales but is that likely to be true? Thank you for your thoughts on the above.

Of course they'll claim you'll see an increase in sales, that's how they sell their stuff.

 

I don't think many people who don't run ecommerce sites even know what a McAfee scan is. I very much doubt it influences their buying decisions.

 

I'd go with the most economical solution which satisfies YOUR needs.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


The HostGator shared business plan gives you a year of included PCI scanning, but you don't get to put the McAfee secure logo on your site with that. That's a better quote that you're getting than what I got. Their sales guy told me it was 1500/yr, not 959 (to display the Secure logo). Either way it's pretty damn expensive, especially for a startup. You have to get PCI certified if you want to accept credit cards on your site with Authorize.net or PayPal Pro, so the included scanning is useful. But in informal surveys of some of my friends who are quite tech-savvy and big e-commerce users, they don't even notice logos like the McAfee Secure one. I think that at least to start, the thousand bucks would be better spent on advertising. Use the scanning you already have with HostGator to get PCI certified. And double check that the VPS plans from HostGator include McAfee scans. I'm not sure that they wouldn't include that in the price. Even PayPal Pro gives you a year of McAfee PCI scans that's included in the $30/month. No point paying extra for no reason...

Link to comment
Share on other sites

Seems to me that many more people will be going with PayPal (non pro) or Amazon Payments to avoid the extra expense.

 

All these added expenses need to be considered when calculating total transaction costs.

 

Also seems to me that McAfee is making a boatload of money. I wonder if competition will emerge and drive prices down.


Am I correct about the above?

 

Yes, you are correct.

 

A few years ago I tried McAfee Scan. I found them to be pretty much useless to me. Finally my card processor (Elavon) told me they preferred I use TrustWave at $175.00 per year. After a few server modifications I have been PCI compliant ever since and my card processor is satisfied.


http://arstechnica.com/business/news/2006/09/7857.ars

 

Looks like at least one of these seals, TRUSTe, is worse than useless.

 

http://arstechnica.com/security/news/2010/02/verisign-to-offer-trust-seal-certification-for-web-sites.ars

 

And Verisign is coming out with their own seal for $299/year. A lot cheaper than the 959-1500/yr McAfee is charging, but still overpriced.


http://arstechnica.com/business/news/2006/09/7857.ars

 

Looks like at least one of these seals, TRUSTe, is worse than useless.

I read that too. More and more this stuff looks like a way for big companies to squeeze money out of smaller ones. What's the actual cost for anyone to have a server scan a list of sites once the initial scanning software cost is amortized?

 

Their “Secure” logo is more an advertisement than anything else.


I read that too. More and more this stuff looks like a way for big companies to squeeze money out of smaller ones. What's the actual cost for anyone to have a server scan a list of sites once the initial scanning software cost is amortized?

 

Their “Secure” logo is more an advertisement than anything else.

 

 

No doubt about that... If a company like AVG can offer personal virus scans for free, McAfee and Verisign's margins on this stuff must be enormous.


No doubt about that... If a company like AVG can offer personal virus scans for free, McAfee and Verisign's margins on this stuff must be enormous.

Are you kidding? Do you realize how many more man hours are consumed by developing and maintaining the programming for PCI scanning as opposed to virus scanning? How about the liability? Do you think McAfee carries a bit more liability insurance to protect themselves from the fines that could be imposed than does AVG? Not to mention the fact that AVG is installed on your computer, and PCI scanning uses server resources and bandwidth.

 

There is really no comparison.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Do you think McAfee carries a bit more liability insurance to protect themselves from the fines that could be imposed than does AVG?

Can you give us some idea how much insurance they might carry against such “fines”? Seems to me that the merchant is fined, not McAfee.

 

I visited their web site to try and get some idea and I can't find anything, maybe you can.


Can you give us some idea how much insurance they might carry against such “fines”? Seems to me that the merchant is fined, not McAfee.

 

I visited their web site to try and get some idea and I can't find anything, maybe you can.

PCI scan companies can be fined. A Google search will reveal some instances where even McAfee has been fined. If the merchant is fined, and the merchant uses McAfee, and the fine resulted from McAfee's failure to perform as it should, don't you think the merchant is going to go after McAfee?

 

Liability insurance also covers losses due to lawsuits. McAfee does a little over a billion and a half a year. I wonder how much insurance I would carry if my gross was that high?

 

 

Remember that everyone (of McAfee's customers) uses the same scan engine. If one merchant is fined due to McAfee's negligence in the scan engine, the likelihood exists that ALL of McAfee's customers are also experiencing the same vulnerabilities. The potential for multiple fines and lawsuits is enormous.

 

The amount of insurance carried by McAfee is of no concern to us, I think. It is not there to cover us, but to cover them. I carry my own corporate liability insurance. Don't you?

 

I would imagine that the only place you will find that information is in the investor relations section, as a disclosure to shareholders.


Are you kidding? Do you realize how many more man hours are consumed by developing and maintaining the programming for PCI scanning as opposed to virus scanning? How about the liability? Do you think McAfee carries a bit more liability insurance to protect themselves from the fines that could be imposed than does AVG? Not to mention the fact that AVG is installed on your computer, and PCI scanning uses server resources and bandwidth.

 

There is really no comparison.

 

 

That wasn't my point obviously. The point is that ultimately it's software, and so the margins on this particular service (McAfee Secure seal) must be ridiculously high. If it's worth 1500/yr for you or whatever they arbitrarily quote, go for it.


I was pretty sure you wouldn't find anything which indicates that McAfee accepts any form of liability for a hacked site carrying their seal. I looked pretty hard and I couldn't find it.

 

I'm also fairly sure that if McAfee did offer any financial guarantees they'd mention it in their marketing material.


Don't get me wrong, Pal. McAfee Secure is McAfee Secure, not McAfee PCI. The McAfee Secure logo doesn't mean PCI compliant. There are 2 different kinds of services, and I forgot to mention that the McAfee Secure logo is a waste of money and does nothing, just some app scans.
