Help, I am being charged for your non-PCI compliance

Discussion in 'Hosting Services / Control Panel' started by darryl, Jul 8, 2009.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Can anyone tell me of a hosting service that is PCI compliant? I am being charged 150.00 a month now because DiscountASP won't bring their network up to PCI compliance.
     
  2. DiscountASP's network infrastructure is PCI compliant. Can you elaborate further on what made you believe that it is not PCI compliant?
     
  3. mjp

    PCI compliance goes far beyond the server or the network. PCI, HIPAA, etc. are all about data integrity, and a shared host cannot guarantee the integrity of their customers' data because the customers control that data.

    In other words, a server (hardware) can comply with any number of security standards, but someone operating a site on that server can easily break that compliance intentionally or unintentionally.

    This may be a dirty little secret, and the marketing guys will probably come over and hit me over the head with a frying pan for saying this, but it is next to impossible for a site on a shared hosting server to really, honestly be PCI compliant.

    Can you pass the PCI compliance test? Sure. It's a self-assessment in most cases. Kind of like those "stated income" house loans they used to make, where you could say you earned whatever amount was convenient in order to get the loan, even if that amount was ridiculously false.

    A host that advertises "PCI compliant" services is only telling a half-truth. The other half of compliance is all on the site operator, and very, very difficult to adhere to at a shared host (I would say impossible, but then someone would cite some esoteric example and prove me wrong).
     
  4. The PCI compliance company that we are being forced to go through is also going to do a network scan on our site, and if it doesn't pass, we won't pass.
     
  5. Let us know the results of the test without divulging too much information.
     
  6. mjp

    If you aren't passing, it's likely due to SSL or "weak" encryption issues. If that's the case we can move you to a server that doesn't support the older version of SSL, and does not use encryption under 56 bit.
     
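    As an added illustration (not from any poster in this thread), here is a small Python check for the two conditions mjp names: legacy SSL protocol versions and cipher suites whose symmetric key is under 56 bits. The cipher input follows the `openssl ciphers -v` line format; the sample lines and the enabled-protocol list are constructed for the example, and the 56-bit threshold is taken from the post.

```python
import re

# Constructed sample in the `openssl ciphers -v` format (not real scan output).
# Columns: name, minimum protocol, Kx=, Au=, Enc=<alg>(<bits>), Mac=
SAMPLE_CIPHERS = """\
EXP-RC4-MD5              SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)      Mac=MD5  export
DES-CBC-SHA              SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)      Mac=SHA1
DES-CBC3-SHA             SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)    Mac=SHA1
AES128-SHA               SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)     Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256)  Mac=AEAD
"""

# Constructed list of protocol versions a hypothetical server has enabled.
SAMPLE_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.2"]

# Pull the suite name and the Enc=<alg>(<bits>) field out of one cipher line.
# The second column is only the *minimum* protocol a suite works with, so the
# protocol check is done on the server's enabled-protocol list, not on it.
CIPHER_LINE = re.compile(r"^(\S+)\s+\S+\s+.*?Enc=([A-Za-z0-9]+)\((\d+)\)")


def audit_tls(enabled_protocols, cipher_list, min_bits=56,
              legacy_protocols=("SSLv2", "SSLv3")):
    """Return (item, reason) pairs for what a scanner like the one in the
    thread would flag: legacy SSL versions and suites below min_bits."""
    findings = []
    for proto in enabled_protocols:
        if proto in legacy_protocols:
            findings.append((proto, "legacy SSL protocol version enabled"))
    for line in cipher_list.splitlines():
        match = CIPHER_LINE.match(line)
        if not match:
            continue  # skip blank or unrecognised lines
        name, enc, bits = match.group(1), match.group(2), int(match.group(3))
        if bits < min_bits:
            findings.append((name, f"{enc} key is {bits} bits, under {min_bits}"))
    return findings


if __name__ == "__main__":
    for item, reason in audit_tls(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"FLAG {item}: {reason}")
```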
  7. I will let you know. McAfee is in the process of doing a network scan now, so I should know something more tomorrow.
     
  8. mjp

  9. Bruce (DiscountASP.NET Staff)

    McAfee is a pain in the butt. McAfee actually didn't start this service, they acquired HackerScan (which was by far a better company to work with).

    We used to use them ourselves, and we later learnt from our processor that McAfee is no longer a "Qualified Security Assessor" and is now only an "Approved Scanner". https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

    We also found that their test results were sometimes inaccurate and inconsistent.

    Per our processor's suggestion, we switched to TrustedWave and have had no problems since.
     