PCI Compliance

Discussion in 'Hosting Services / Control Panel' started by asus, Feb 28, 2011.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. asus

    asus Programming my way out of corp. America forever.

    To become a qualified AGC with NPC my company will need to be PCI compliant. There are two aspects to this, the business and the technology. The technology can be further divided in two halves, the software we've written, and the host (DiscountASP).

    I have scanned your site for everything regarding PCI compliance and have sent them much applicable information about your servers. The compliance department at NPC is, however, asking this of us now:

    "Thank you for the documentation. Additionally we need a copy of DiscountASP’s certificate of PCI compliance from a QSA."

    Can you provide this?

    Victor
     
  2. mjp

    mjp

    No we can't. I have to say I have never seen such a request before, and I deal with a lot of the PCI stuff here...

    What or who is NPC?
     
  3. asus

    asus Programming my way out of corp. America forever.

    NPC: http://www.npc.net/

    Can you recommend a motion? We need to become a merchant reseller (AGC), whereas all of my customers will become merchants unto themselves (so that we do not become an aggregator). Any help you can provide to ensure DiscountASP's PCI compliance as far as servers and procedures is appreciated.

    Victor
     
  4. mjp

    mjp

    Well, that's just it - there is no such thing as a "certificate of PCI compliance" for each web server. Typically you apply for compliance and the QSA scans the server via your domain/IP. There is no blanket or global compliance for the server itself.

    You said, "There are two aspects to this, the business and the technology," and that is true, but those are normally covered on the same application or self-assessment, not separately. So the request is unusual, and I'm not sure how to suggest you proceed.

    Any DiscountASP.NET compliance information I could provide would be related to our corporate servers only - in other words our order taking and customer data systems. That is unrelated to the customer web servers.
     
  5. asus

    asus Programming my way out of corp. America forever.

    Ok, thanks. I'll let them know that they need to scan my domain independently.
     
  6. asus

    asus Programming my way out of corp. America forever.

    Hello again mjp,

    I had a conference call with many of the people over at NPC and they were pretty insistent that not only does my company need to prove their PCI compliance, but also discountasp.net needs to as well.

    They asked if someone from your team could have a telephone conference with all of us to hash this out.

    Can you or someone from discountasp.net who can represent your company sit in on a call this week?

    Victor
     
  7. asus

    asus Programming my way out of corp. America forever.

    If I understand this correctly now, a shared server can NEVER be completely PCI compliant. I was told yesterday that if another company fails PCI compliance and shares a server with me, that my company also fails.
     
  8. Shared Hosting is what it is and DiscountASP.NET is the best there is.

    This thread is becoming very confusing.
    Maybe it should be removed?
     
  9. asus

    asus Programming my way out of corp. America forever.

    DiscountASP has been excellent for me for the last 10+ years as a shared server. I've sent many customers and will continue to do so.

    For one of my domains I now believe that DiscountASP cannot provide the PCI compliance we need in a shared hosting environment. Am I wrong? Everyone I've spoken to tells me that a shared environment cannot ever be fully PCI compliant.

    (ps: I had a duplicate post above, please delete that one, not the whole thread.)
     
  10. Bruce

    Bruce DiscountASP.NET Staff

    That is definitely not true. We have many hosting customers who got their site through PCI compliance.

    In all my years, I have never heard the claims that NPC is making.

    Do you have to use NPC for PCI compliance? We work closely with McAfee for PCI compliance testing. Would you be interested?
     
  11. mjp

    mjp

    That's not the case. Not sure where you're getting your information, but as Bruce mentioned, we host thousands of PCI compliant sites.

    You may be trying to do something that goes beyond garden variety PCI compliance - "my customers will become merchants unto themselves" ? - so I really don't know what to tell you at this point.
     
  12. asus

    asus Programming my way out of corp. America forever.

    Yes, one of my companies is going to resell NPC services as an ASG, creating merchants. The issue is, if another company on a shared network is non-PCI compliant, then the entire server is non-PCI compliant. I've been told that it is a necessity to use dedicated hosting for isolation. The standards are getting tougher all the time as they evolve, and the other merchants may not be pushing the envelope.

    Even if a scan is performed and passes, there is still a huge legal liability on a shared server. If for instance another company is infiltrated by a hack, ALL companies sharing space on that server can and likely will be fined heavily, and subsequently pushed into a level 1 requirement, which is prohibitively expensive and difficult to attain.
     
  13. asus

    asus Programming my way out of corp. America forever.

    I never received an answer as to whether someone would represent discountasp on a conference call with my card processor to determine if all the requirements could be met.
     
  14. asus

    asus Programming my way out of corp. America forever.

    Here is what I learned:

    Basic PCI compliance is easily achieved for merchants who are not storing account information like credit card numbers. For companies who want delayed processing like mine, storage of that data is necessary and an independent QSA is needed to assess the risk.

    The cost of a QSA can range from about $20,000 to $50,000 for the first year. They are tasked with determining all of the risks throughout the money-flow and then report back to the credit card processors.

    Here is a list of QSA companies: https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

    If any of the thousands of merchants on discountasp.com are storing user credit card or other account information, they are doing it in violation of their merchant agreement. A dedicated web server is the very first step a merchant must take in order to store this user account information. A second dedicated and isolated database server is needed as well. These basic steps are not only necessary, but it is a very expensive proposition for small companies. Dedicated server hosting can easily cost $3000 per month for that setup, and then add licensing of the software and labor.

    A VPS (Virtual Private Server) is an option, and brings the costs way down. It's technically probably a violation of the PCI agreement, but probably something that a merchant could get away with. This may bring the total cost significantly down to the $200 - $500 per month range. Unfortunately with this option a QSA is still needed, and as previously mentioned could cost over $20,000.

    The only other option that I know of is basically out-sourcing the critical data to a Recurring Billing Storage Engine. This allows the merchant to continue hosting on a shared platform, and avoid the costly QSA. This is probably the best option for most small merchants who want to store credit card numbers or account information.

    Victor
     
  15. ...You are correct about Dedicated servers, however, I believe the way DiscountASP.NET provides isolation with separate SQL Servers in a protected Data center is outstanding.
     
  16. mjp

    mjp

    That won't be possible.

    Well...technically they may be. In the past I've tried to explain why real PCI compliance is very difficult, and how most of the requirements are on the site operator. The technical requirements are only part of it.

    But PCI is a lot like SSL. Technically most people who use SSL certs these days fall far short of the kind of security that SSL was created to enforce. But over the years those requirements have relaxed. All you need now is a domain name - you could be anyone and still buy a cert. It seems like the same thing is happening with PCI. People can say whatever they'd like on the questionnaire and it isn't really verified. You've seen the questionnaire - it would be impossible to verify all that stuff for most of these merchants.

    So what you're saying is true, but it will not really apply to most of our customers. You're trying to do something beyond running an online store, so you are under much greater scrutiny than the average PCI applicant.
     
  17. I work as a software developer for a PCI cleared payment processing software house. This is an organization that stores customer records and MTRs and they specialize in processing all types of electronic payments including micro, recurring, subscriptions, auto-renewed products, SMS payments etc. Because of our requirement to store customer data, there is a considerably large element of continual ongoing internal and external auditing throughout the year to maintain PCI compliance and as already mentioned, this does incur considerable financial and manpower costs.

    The reason they've chosen to tackle and tame the compliance barrier is because it's prohibitively costly for large organizations to obtain PCI compliance themselves and it's these larger organizations that we go after as clients. In the simplest terms this is a company that makes themselves attractive by offering a PCI compliant flexible payment processing platform for companies that are unable to go through the pain and cost of PCI compliance themselves.

    Part of this is that we do have to manage multiple dedicated servers across multiple data centres for redundancy / fail over purposes, but that's only a small part of the story because there's really a hell of a lot of effort required on many levels to achieve and maintain compliance with a payments system like this. For me as a developer, every part of the SDLC is affected by PCI, and security is constantly important and needs to be considered for all of the customer facing work I do.

    I don't intend for any of this to sound like some sort of sales pitch because it really isn't; it's just a snip of my own recent close encounters with PCI.
     
  18. mjp

    mjp

    That's a good market to target, and your story makes my point that true PCI compliance is quite difficult. Even in your case, you can offer services that meet all the technical requirements, but then there are other requirements dealing with staff and users of the data. It's really a mind-boggling set of protections, and if in your PCI assessment you say 'no' to any one of the 75 or 80 questions, you fail. Period.

    Then there are other requirements for medical data, SAS No. 70 (which I assume you're familiar with in your line of work, Joe), and a myriad of other regulatory rules and requirements.

    That's why I found it strange that starting a few years ago small sites were able to become "compliant." But as I've said, I think there is a good deal of checking all the boxes yes as far as that's concerned, whether you comply with each item or not.

    But as Bruce pointed out, we do offer a McAfee PCI solution. So it's certainly possible if you need it on your shared hosting site. I don't mean to make it sound like it isn't.
     
  19. ...This thread has my head spinning like a Road Runner cartoon. :)
     
  20. mjp

    mjp

    Be thankful that you don't need to know anything about PCI. That's a good thing.
     
  21. asus

    asus Programming my way out of corp. America forever.

    Here is the conclusion from all of my research:

    Because there are different levels of PCI compliance, the McAfee scan will not help our company one bit because our software that resides on discountasp has been designed to store credit card numbers. There is no amount of scanning utility that McAfee can do to help, it's just not possible to store credit card data on a shared host all while remaining PCI compliant.

    Therefore we are going to outsource the critical security data to a PCI compliant data store. The payment gateway companies usually offer this, and I have interviewed the leaders in this field (authorize.net, trustcommerce, braintree). All of the rest of our data and the application is all clear to stay on discountasp.net.

    I hope my documented research helps other companies who may face a similar situation in the future.
     
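    The option both of the posts above settle on (post 14's "Recurring Billing Storage Engine" and post 21's "outsource the critical security data to a PCI compliant data store") is tokenization: the card number goes to the gateway's vault once, and the merchant application on the shared host keeps only the token it gets back, charging against that token later. The following is an added example written for this page; it is not code from the thread, from DiscountASP.NET, or from any of the gateways named. `FakeVault`, its `tokenize`/`charge` methods and the `tok_` token format are invented stand-ins for a real gateway API (in production that is an HTTPS call to the provider); the card numbers are the public Visa/Mastercard test numbers; the `DEBUG` log line at the end is constructed. The Luhn-based scan is the check a practitioner would run over database dumps and application logs to confirm that no PAN ever landed on the shared host.

```python
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field

# 13-19 digits, optionally split by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid 13-19 digit runs in arbitrary text (logs, DB dumps, error pages)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                 # drops order numbers and other random digit runs
            hits.append(digits)
    return hits


def card_brand(pan: str) -> str:
    """Coarse brand from the leading digits; enough for a receipt, not for routing."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "card"


class FakeVault:
    """Stand-in for the gateway-hosted card vault (hypothetical API, not a real gateway's).
    The PAN lives in the provider's PCI-assessed environment, never on the shared host."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, int, int]] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        # Letters only, so a token can never be mistaken for (or scanned as) a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
        self._cards[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._cards:
            return {"status": "declined", "reason": "unknown token"}
        return {"status": "approved", "amount_cents": amount_cents}


@dataclass
class StoredCard:
    """What the merchant keeps: the token plus display data, never the PAN."""
    token: str
    brand: str
    last4: str
    exp_month: int
    exp_year: int


@dataclass
class MerchantStore:
    """Everything the merchant application persists on the shared host."""
    cards: dict[str, StoredCard] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)


def save_card(store: MerchantStore, vault: FakeVault, customer_id: str,
              pan: str, exp_month: int, exp_year: int) -> StoredCard:
    """Hand the PAN to the vault once; keep only the token for delayed/recurring charges."""
    token = vault.tokenize(pan, exp_month, exp_year)
    rec = StoredCard(token, card_brand(pan), pan[-4:], exp_month, exp_year)
    store.cards[customer_id] = rec
    store.log.append(f"card_saved customer={customer_id} token={token} last4={rec.last4}")
    return rec


def charge_later(store: MerchantStore, vault: FakeVault, customer_id: str, amount_cents: int) -> dict:
    """Delayed charge: only the token leaves the merchant; the gateway resolves it to the PAN."""
    rec = store.cards[customer_id]
    result = vault.charge(rec.token, amount_cents)
    store.log.append(f"charge customer={customer_id} token={rec.token} status={result['status']}")
    return result


def audit_store(store: MerchantStore) -> list[str]:
    """Audit: dump every persisted record and log line and look for card numbers in them."""
    return find_pans("\n".join([repr(r) for r in store.cards.values()] + store.log))


def demo() -> tuple[list[str], list[str]]:
    vault, store = FakeVault(), MerchantStore()
    save_card(store, vault, "cust-42", "4111111111111111", 12, 2027)  # public Visa test number
    charge_later(store, vault, "cust-42", 1999)
    clean = audit_store(store)            # nothing found: only token and last4 were stored
    # Constructed "oops" line: a debug statement that wrote the raw card into the log.
    leaky = find_pans("DEBUG checkout pan=4111 1111 1111 1111 order=1234567890123456")
    return clean, leaky


if __name__ == "__main__":
    print(demo())
```

    The second half of `demo()` is the point of the scan: the order number is a 16-digit run but fails Luhn, so it is ignored, while the spaced-out test card is caught. Running `audit_store` (or `find_pans` over exported tables and log files) is how you demonstrate that the shared host holds no cardholder data, rather than asserting it on a questionnaire.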
  22. Interesting

    I'm glad I ran into this thread. I've recently run into this after being on a different host with one of our business clients I manage, where they wanted $800+ more per month to be on their "PCI Solution Package", even though we don't store credit cards.

    Our ecommerce site is secure and handles the temporary entry of the credit cards securely, but the storing and processing is done all through a gateway processor, so I had a real hard time with that kind of extra monthly cost to be "PCI Compliant".

    This was all in regards to passing the scan, but when I asked the host to answer the questions, they said they can't because we aren't on that PCI package.

    That site is on a virtual site setup, and so I came to my trusty DiscountASP.net site to see if I was going to move the site here with my other sites. I just may still do that...

    Anyway, so am I correct that if we don't store cards on the virtual website server, we don't have to worry about full PCI compliance?
     
  23. mjp

    mjp

    If you do not store payment data then PCI doesn't really apply to you. In that case the responsibility would lie with the processor.
     