PCI Hosting Compliance


    Hi,

    I have a strange predicament.

    I have recently completed designing an ecommerce website using Actinic Catalog V9; the site is up and running and orders are being taken.

    Now, my client is using Security Metrics for PCI scanning. We previously used an earlier version of Actinic but decided to upgrade the program and website to be compliant with PCI scanning.

    We are also using Actinic Payments for our PCI compliant secure payment system.

    Now that the site is finished, we had hoped that the full site (http for the main site and https for the payment section) would be PCI compliant, but we have found out that the normally hosted part of the site (I will refer to this as http) is not PCI compliant. I have spoken with Security Metrics (SM) about this, saying that this part of the site does not take any credit card details and that the payment section deals with all of this.

    SM do not agree; as far as they are concerned the entire site must be PCI compliant (http and https).

    I have asked our current hosting company about making their shared hosting PCI compliant and they are not interested; they keep telling us to move to one of their dedicated hosting packages. This is simply not economical, as the site does not take enough money each month to pay for that and still be profitable.

    I have spoken with Actinic about http hosting for the main part of the site, and their hosting is also not PCI compliant (Actinic Payments is compliant).

    So where am I to go?
    Our hosting company won't help us, Actinic cannot either, and SM still want the entire site to be PCI compliant.

    I am lost. I am interested to know what others are doing about this: how do you become fully PCI compliant and profitable with a site that takes a handful of orders per month?

    #2
    Search the forum for the threads about SM - they are a bunch of muppets.


      #3
      It may seem harsh, but it appears you're falling foul of another online gimmick. Next time you're walking along the road, stop and ask a few random people in the street a question. "Security Metrics? Who are they?" will be the answer.

      As you say, the site doesn't justify the cost of a dedicated server - I wouldn't be going hell-bent on getting a site 100% completely PCI-DSS compliant until then. The money you're wasting on getting one of these gimmick certificates could go towards getting a better-secured dedicated server. All of these 'security certificates' on the internet mean absolutely nothing.

      If your http site isn't taking personal information, I can't see why Security Metrics have an issue - although without a URL it's hard to say otherwise.

      Seems I just don't agree with 'online security'.


        #4
        Very simplistically, PCI is all about keeping customers' credit card details secure.

        Thus all you need to be concerned about is how CC details are processed on your website. You say you are using https - does this mean you are downloading CC details to a PC?

        This will never pass.

        You need to be using a PSP; then you will be compliant - but you need to sack SM and go it alone, i.e. self-assessment.


          #5
          Politely disagree with them and ask them to send you a copy of the self-assessment documentation, which you can complete.

          I did this when being hassled by them about Actinic's site. They haven't got back to me, despite promises to do so.

          If they do get back to you, I would be interested in hearing what they say.

          Chris



            #6
            HSBC have been sending everyone with one of their merchant accounts a nice little letter that says something along the lines of 'even level 4 merchants need to be assessed by an approved assessor' and 'we have a special deal for you with Security Metrics'.

            This is all nonsense. Level 4 merchants (i.e. fewer than 20,000 transactions per year) can achieve compliance by completing a self-assessment questionnaire.

            Tell Security Metrics to go take a running jump.

            Mike
            -----------------------------------------

            First Tackle - Fly Fishing and Game Angling

            -----------------------------------------



              #7
              I've had all kinds of fun and games with SM. As everyone has said, they are pretty much irrelevant here.

              Good Luck.

              Kevin
              KDM Digital Media - Actinic web design and hosting



                #8
                Hi All,

                Thanks very much for your advice. I will look further into SM on this site and further advise my client.

                Thanks everyone!
                Darren
