Date: 2025-07-15

Has anyone created a website for a customer without a need for a "Security Incident Response Process" and "24/7 call center"? and NOT get fined doing so

General Web Dev
1

I have read in books and searched online and on AI like Gemini for information on how I can create a web application such as an E-Commerce site without the need for a Security Incident Response Process or 24/7 call center? I have read and searched and I find it incredible that “ME” or “I” can’t create a web application that handles credit card information or any Personal Identifiable Information without having a SIRP… I’m not sure if it’s millions or hundreds of thousands of dollars a year on a “Security Incident Response Team” that has a lot of things they do to keep the web application from being breached, and if the web application does get breached, the team notifies the stakeholders for further proceedings. Can anyone explain how this works? I am so confused and need help understanding what is possible and what isn’t… If you can, google what a “Security Incident Response Process” is, or better, find it on ChatGPT or Gemini or whatever AI you use before leaving a comment please. I have even looked into something called SOCaaS, which stands for Security Operations Center as a Service, but that still won’t do… So basically how can I make a web application that handles credit card info without having to spend millions so that I won’t be fined, or can it be done??? Or is this just the norm for every company that creates web apps? How can I get around this???

I found this helpful ------> ask this question on Google Gemini: “Can I get in trouble or face fines for handling credit card information and NOT have a computer incident response process that involves a 24/7 call center for security incidents?”

And this ------> “Can I create an e-commerce website with no ‘Computer incident response process’ or ‘24/7 call center’?”

2

Have you read through the PCI (Payment Card Industry) requirements placed on businesses who implement e-commerce solutions? That’s where I’d start, specifically looking at the requirements for the more specific implementation you had in mind (e.g. handling credit cards yourself vs. using a payment processor) and the volume of business you do. The PCI, to my understanding, makes the requirements globally, for such things. It can be as simple as an annual self-assessment to make sure have key information documented and are you’re doing the right thing, all the way up to periodic external audits and such. I don’t remember (it’s been a long time) what they say specifically regarding incident response or 24/7 call centers, but while PCI is a “heavy” process to go through, it is pretty clearly documented.

The simplest solution of course is not to handle credit cards yourself, and let a PCI-compliant payment processor like PayPal or a bank do it for you, so that your business doesn’t see or store such info. That puts your business into “Level A” of the self-assessment, the lightest weight process. The questionnaire for it is at https://listings.pcisecuritystandards.org/documents/SAQ_A_v3.pdf and the requirements for such a business are I think quite minimal.

3

Well I read through the document. Much appreciated for your time! The document solves the PCI DSS issue if I use a third party payment provider, which is fine and okay. But what about the incident response and 24/7 call center? I have read in a book (the book is called “Hands on Security in DevOps”) that Cyber Security Law requires a “Security Incident Response Process”, and in this process fall 3 teams: a 24/7 call center which handles security incidents, a security administration which handles monitoring the system or uses tools such as the Hive, MISP, and Apache Metron, which is a Security Incident Response Platform (or at least the Hive is; the two other tools are complementary), and a security engineering team that creates tools for the call center and admin team. The Security Incident Response Process also has four phases which are Preparation, Detection and Analysis, Containment Eradication and Recovery, and Post Incident Activity. My book states that "A complete security incident response process involves the security incident handling team, human resources, the legal department, and external supervisory groups." The keyword in that sentence is “security incident handling team” because moreover in my book it talks about what I mentioned before, about the 24/7 call center… So I’m not sure but I think just PCI DSS compliance isn’t enough because if you look it up anywhere it will talk about the “Security Incident Response Team” which is also known as the “Computer Incident Response Team” or the “Security Operations Center” :frowning: … That’s where I am worried because even if I do use a third party payment provider like PayPal, where in the world would a client of mine find an amount of money that can afford a team to monitor the system, that’s like millions of dollars just in the first year… I can’t be over thinking this either… So how do I fix this?
I already looked into a SOCaaS (Security Operations Center as a Service)… I’m just looking for a direct response that says “do xyz” when it comes to the SOC…

4

I just asked Google Gemini this question and this is what it gave me…

Does Cyber Security Law require an “Computer Incident Response Process” and if so what does that involve?

Yes, cybersecurity law very frequently requires an “Incident Response Process.” In fact, it’s becoming a near-universal expectation across various legal and regulatory frameworks, especially for organizations that handle any kind of personal data or operate in critical sectors.

The days of simply having “good security” are over. Regulators and legal frameworks now demand a proactive and reactive plan for when security inevitably fails, because breaches are a matter of “when,” not “if.”

Why Cybersecurity Law Requires It:

  1. Data Breach Notification Laws: Almost all major data privacy laws (like GDPR, CCPA/CPRA, HIPAA, and most state-level breach notification laws in the U.S.) mandate timely notification of data breaches to affected individuals and/or regulatory authorities. You simply cannot comply with these tight notification deadlines (e.g., 72 hours for GDPR, varying for others) without a predefined and well-practiced incident response process.
  2. Due Diligence and Reasonable Security: Many laws don’t explicitly list “incident response” but rather require organizations to implement “reasonable security measures” to protect data. In today’s cybersecurity landscape, a comprehensive incident response plan is considered a fundamental and indispensable component of reasonable security. Failure to have one could be interpreted as negligence.
  3. Industry-Specific Regulations: Many sectors have specific cybersecurity requirements that directly mandate incident response:
  • PCI DSS (Payment Card Industry Data Security Standard): As discussed, it explicitly requires an incident response plan (Requirement 12.10) with 24/7 availability for response.
  • HIPAA (Health Insurance Portability and Accountability Act): For healthcare entities and their business associates, HIPAA requires a robust incident response plan for Protected Health Information (PHI) breaches.
  • FISMA (Federal Information Security Modernization Act): Requires federal agencies to have robust incident response capabilities.
  • NYDFS Cybersecurity Regulation (23 NYCRR 500): For financial services companies in New York, it’s quite prescriptive about incident response, including notification procedures for ransomware.
  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): Requires covered entities in critical infrastructure sectors to report certain cyber incidents and ransomware payments to CISA within very specific timelines (e.g., 72 hours for covered cyber incidents, 24 hours for ransom payments). This absolutely necessitates an incident response process.
  • SEC Incident Disclosure Rules: Publicly traded companies in the U.S. now have specific requirements from the Securities and Exchange Commission (SEC) to disclose “material” cybersecurity incidents within four business days. This requires a rapid, defined process to determine materiality and report.
  4. Contractual Obligations: Beyond direct laws, many contracts with vendors, partners, or clients will include clauses requiring specific cybersecurity measures, including incident response capabilities, especially if you handle their data.

What Does a Computer Incident Response Process Involve?

A robust Computer Incident Response Process (CIRP) typically follows a structured framework to ensure an effective and efficient response. The most widely recognized framework comes from the National Institute of Standards and Technology (NIST Special Publication 800-61, “Computer Security Incident Handling Guide”) , which outlines four key phases:

1. Preparation: This is the most crucial phase, done before any incident occurs.
  • Policy and Plan Development: Creating formal, documented incident response policies, plans, and procedures (often called playbooks or runbooks) for various incident types.
  • Incident Response Team (IRT) / Computer Security Incident Response Team (CSIRT) Formation: Defining roles, responsibilities, and clear lines of authority for all team members (technical, legal, HR, PR, management).
  • Tooling and Infrastructure: Acquiring and configuring security tools (SIEM, EDR, network monitoring, forensic tools), secure communication channels (out-of-band communication), and incident management platforms.
  • Training and Awareness: Training the IRT members on their roles, tools, and procedures. Training all employees on how to identify and report suspicious activity.
  • Risk Assessment: Identifying critical assets, potential vulnerabilities, and likely threats to prioritize response efforts.
  • Legal Counsel Engagement: Establishing relationships with external legal counsel specializing in cybersecurity law to advise during a breach.
  • Vendor Assessment: Understanding incident response capabilities of third-party vendors who handle your data.
  • Tabletop Exercises/Drills: Regularly testing the plan through simulated incidents to identify gaps and ensure the team is prepared.

2. Detection and Analysis: This phase focuses on identifying and understanding the scope of an incident.
  • Monitoring: Continuous monitoring of systems, networks, logs, and security alerts (e.g., from SIEM, EDR, firewalls, IDS/IPS). This is where the 24/7 capability comes in, as alerts can occur at any time.
  • Alert Triage: Filtering out false positives and prioritizing genuine security alerts based on severity and potential impact.
  • Investigation: Collecting evidence (logs, memory dumps, network traffic), interviewing personnel, and analyzing data to confirm the incident, determine its nature, scope, cause, and impact (e.g., what data was accessed, how many systems affected).
  • Documentation: Meticulously documenting all findings, actions taken, and timelines.

3. Containment, Eradication, and Recovery: This is where the active response takes place.
  • Containment: Taking immediate steps to stop the spread of the incident and minimize damage (e.g., isolating compromised systems, disconnecting networks, blocking malicious IPs, disabling compromised accounts).
  • Eradication: Removing the root cause of the incident (e.g., patching vulnerabilities, removing malware, reconfiguring systems to eliminate backdoors).
  • Recovery: Restoring affected systems and services to normal operation. This often involves restoring from clean backups, verifying system integrity, and re-enabling services securely.
  • Lessons Learned (Integrated): While a distinct phase in some models, learning occurs throughout these steps, informing future improvements.

4. Post-Incident Activity (Lessons Learned and Improvement): This critical phase focuses on improving future response.
  • Post-Mortem Analysis: Conducting a thorough review of the incident, including what happened, how it was handled, what worked well, and what could be improved.
  • Lessons Learned Meeting: Sharing insights with relevant stakeholders and identifying actionable recommendations.
  • Plan Updates: Revising and updating the incident response plan, policies, and procedures based on lessons learned.
  • Security Control Enhancements: Implementing new security controls or strengthening existing ones to prevent similar incidents.
  • Training Refinement: Updating training programs for employees and IRT members.
  • Evidence Retention: Securely storing evidence for potential legal action or compliance audits.

The “24/7 Call Center” Aspect:

While the term “24/7 call center” might conjure images of customer support, in cybersecurity, it refers to the 24/7 availability of designated security personnel or an automated system with human oversight to receive, triage, and initiate response to critical security alerts.

  • Necessity: Cyberattacks don’t adhere to business hours. A breach can start on a Friday night and cause catastrophic damage by Monday morning if no one is monitoring or capable of responding.
  • How it’s Achieved:
    • In-house: An organization might have an on-call rotation for its internal security team.
    • Outsourced (SOCaaS/MSSP): Many organizations, especially small to medium-sized businesses, rely on Security Operations Center as a Service (SOCaaS) or Managed Security Service Providers (MSSP) to provide this 24/7 monitoring and initial response capability.

In conclusion, yes, cybersecurity law (in its various forms) increasingly requires an incident response process. It’s not just a technical best practice; it’s a legal and regulatory imperative to minimize harm, comply with breach notification duties, and avoid significant penalties and reputational damage.
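The "Detection and Analysis" phase quoted above (monitoring, alert triage, documentation) is the part a small shop most often asks how to do without a SOC. As an added example, not code from this thread, from the quoted Gemini answer, or from NIST SP 800-61, here is a minimal triage pass in Python: it parses web-server access-log lines, applies two detection rules, and produces alerts that carry the evidence lines an on-call person or a SOCaaS provider would need. The log lines, the IP allowlist and the thresholds are constructed sample values.

```python
"""Minimal detection-and-triage pass over web-server access logs.

Added example: parse combined-format log lines, apply two triage rules
(a burst of failed logins from one IP; admin-path access from an IP
outside a staff allowlist), and emit alerts with severity and evidence.
All sample data below is constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines in Apache/nginx "combined" style.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2025:02:10:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:02:10:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:02:10:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:02:10:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:02:10:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:02:10:06 +0000] "POST /login HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.2 - - [15/Jul/2025:02:11:00 +0000] "GET /products/42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Jul/2025:02:11:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Jul/2025:02:11:35 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jul/2025:02:12:00 +0000] "GET /admin/orders/export HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Event:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    raw: str


@dataclass
class Alert:
    severity: str          # "high" pages someone now; "medium" waits for business hours
    rule: str
    ip: str
    evidence: list[str] = field(default_factory=list)  # raw lines kept for documentation


def parse(log_text: str) -> list[Event]:
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable lines are skipped rather than silently trusted
        events.append(Event(m["ip"], datetime.strptime(m["ts"], TS_FMT),
                            m["method"], m["path"], int(m["status"]), raw))
    return events


def detect_credential_stuffing(events: list[Event], threshold: int = 5,
                               window: timedelta = timedelta(minutes=1)) -> list[Alert]:
    """Rule 1: at least `threshold` failed logins from one IP inside `window`.
    Escalated to high severity if a 200 follows the burst (a likely successful guess)."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.method == "POST" and e.path == "/login":
            by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.status == 401]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f.ts - fails[i].ts <= window]
            if len(burst) >= threshold:
                success_after = any(e.status == 200 and e.ts >= burst[-1].ts for e in evs)
                alerts.append(Alert("high" if success_after else "medium",
                                    "login-burst", ip, [e.raw for e in burst]))
                break  # one alert per IP is enough for triage
    return alerts


def detect_admin_from_unknown_ip(events: list[Event],
                                 allowlist: frozenset = frozenset({"198.51.100.2"})) -> list[Alert]:
    """Rule 2: successful admin-path access from an IP outside the staff allowlist.
    The allowlist here is a constructed assumption for the example."""
    return [Alert("high", "admin-unknown-ip", e.ip, [e.raw])
            for e in events
            if e.path.startswith("/admin/") and e.status == 200 and e.ip not in allowlist]


def triage(log_text: str) -> list[Alert]:
    events = parse(log_text)
    return detect_credential_stuffing(events) + detect_admin_from_unknown_ip(events)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule} from {a.ip}: {len(a.evidence)} evidence line(s)")
```

Run against the sample it reports one high-severity login burst (five 401s followed by a 200 from the same address) and one high-severity admin access from an address outside the allowlist; the evidence lines in each alert are what would be pasted into the incident record. Real deployments feed this from a log shipper and route "high" alerts to whoever is on call, which is the part a SOCaaS/MSSP contract covers.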

5

Also if you look at the section on PCI DSS in the answer I was given from Google Gemini, you will see that PCI DSS now requires a FULL incident response process (that means a lot of team members). It’s not just “make me a website, full stack web developer”, and I’ll hire a pen tester once in a while to test my security, and maybe update my framework when needed. Sooooo. WTH.

6

note - I am guessing at the following, I have no current experience.

I think it largely depends on the size of the business you’re talking about, and your reasonable expectation of having security incidents. I was part of an SOC and was a Security Incident Manager for a couple years, but it was for a billion dollar company that had reasonable expectation and experience of security penetrations, thefts and attacks, from both internal and external sources. So we had money allocated for such things (It was a horrible job, by the way). By contrast more recently I ran a small company with a couple employees and we did at most $250K of business in a year, and had no such security team, and just used paypal or receipt of checks for all our payments. We never expected or received any calls from anyone regarding our security.

You’re using the term “Cyber Security Law” pretty loosely here, as it is not A Law, but just a term relating to various laws that might be of interest to the topic. I would tend to 1) make yourself generally aware of the specific laws, then 2) decide which ones apply to your particular business, then 3) decide how you are going to handle being in compliance with that list. It will not be a list including every legal requirement your AI is giving you, it will likely be a pretty narrow subset. If YOU decide that to handle compliance you need an Incident Commander and a SOC, then you need one.

7

Your AI is shit. Stop reading it if that’s what it’s telling you.

1 Like
8

I have a book (physical) that says the same thing though about cyber security law. I believe my book isn’t wrong; it’s by Packt and also says so over articles and through AI, so how is that wrong? And I think it would make a difference if I mentioned I want to create systems for $50k-$500k, let’s just say. I also have read this in books, I have also skimmed through law libraries and have found that owners have counter sued companies because they paid the developers up to $2m dollars and for breach of service level agreements (performance problems [latency, throughput] that were promised, or scalability problems) and contracts. I don’t know, to each their own.

9

I don’t find your comments of much use, and you say you have no experience, and say you worked as a Security Incident Manager… I’m confused. And you worked for a billion dollar company.

10

My experience was in early 2000’s, as I said it’s not current.

But yes, if you’re dealing with large $ amounts, then the security levels that PCI and others will dictate will grow. I’m pretty sure I said that earlier. There is no general/overall requirement that every e-business company MUST have an incident response process and all the things you reference. Nobody would be able to set up a small store if that were the case.

11

Well again the book I’m reading, unless the web developers were on crack, explicitly states that even small businesses need a Security Incident Response Plan… And here we are, back to what I asked… How can I create a system that doesn’t involve a Security Incident Response Process? But I guess there isn’t one. That is if you want to do things the “right” way and not lead your client into doomsday. I don’t know… This is what I’ve been trying to figure out since a long time ago, I have had it in my mind and decided to ask someone with experience in the field. But I don’t know. I guess like I said to each their own… The way I see it, you can either follow the Cyber Law and lead your customer with assurance, confident in what is going to happen, or the latter…

12

I did computer security for about 17 years, but retired about 15 years ago. Take it for whatever it’s worth to you, but I would guess that your book was either explicitly or implicitly talking about large companies when they discuss having a Security Incident Response Plan. If your software is going to do $50-$500K of payment transactions a year, I would chase that through the PCI process and see what level you end up at, and see what their maybe-self audit requirements require. At least that will get you started on the PCI part of it.

13

The only real solution I figure is find clients that have angel investors to start a small business. Case closed :slight_smile:

14

Nope I did not read wrong, the book says even “small businesses”…

15

And I was saying that me as a backend web developer would charge my clients $50k-$500k for a system, that is if you know what you are doing I suppose. Most likely on LinkedIn because Freelancer and Upwork are no good.

16

I asked Google Gemini again ----->

Can a web application that is a system be built for $500k from a backend developer that knows what he is doing?

Yes, a complex, enterprise-level web application system absolutely can be built for $500,000 by a skilled backend developer (or, more realistically, a small, highly efficient team led by a backend expert).

However, it’s crucial to understand the nuances and what that $500k budget typically entails, as well as the significant factors that can push the cost above or below this figure.

What $500k Can Get You (and What it Implies):

A $500k budget generally places you in the realm of:

  • Medium to Large-Sized Applications: This isn’t a simple brochure site or a basic CRUD app. It suggests a system with multiple user roles, complex business logic, significant data management, and potentially integrations with other systems.
  • Custom CRM/ERP, E-commerce Platforms, SaaS MVPs: Websites and articles on software development costs often peg $150k - $500k for “Medium” projects like e-commerce platforms or custom CRM systems, and $500k+ for “Large” or “Enterprise” solutions. So $500k is a solid budget for a substantial system.
  • High-Quality, Scalable Backend: A competent backend developer will focus on building a robust, scalable, and secure foundation. This includes:
    • Well-Architected System: Likely a microservices architecture or a well-designed modular monolith.
    • Efficient Database Design: Optimized for performance and scalability.
    • Robust API Development: Clean, well-documented, and secure APIs.
    • Security Best Practices: Implementing authentication, authorization, data encryption, and input validation.
    • Scalability Features: Designed to handle growth in users and data from the outset (e.g., auto-scaling, load balancing considerations).
    • Observability: Integrated logging, monitoring, and alerting.
    • Deployment Automation: CI/CD pipelines, containerization (Docker, Kubernetes).
  • Focus on Core Functionality: At $500k, you’re likely getting a highly functional system but perhaps not an “extravagant” UI/UX or every single “nice-to-have” feature in version 1. The focus will be on the core business value and system reliability.

Key Factors Influencing the Cost and What $500k Suggests:

  1. Complexity and Features:
  • What $500k implies: A significant number of complex features, custom workflows, multiple integrations, and potentially real-time capabilities. If your system involves AI/ML, complex data analytics, or integrates with many external systems, $500k could be a starting point.
  • Less than $500k: Fewer features, simpler logic, less integration.
  • More than $500k: Highly complex enterprise systems with extensive custom development, advanced AI, large-scale data processing, or very specific, niche compliance requirements.
  2. Team Size and Composition:
  • One Backend Developer (as you asked): While a single highly experienced backend developer might be the lead or primary architect, building a full “system” for $500k usually requires more than just one person for the entire project lifecycle.
    • Backend Developer: (1-2 Senior) - Core coding, architecture.
    • Frontend Developer(s): (1-2) - For the user interface, which is crucial for any “web application system.”
    • UI/UX Designer: (Part-time or dedicated) - For a professional, user-friendly experience.
    • QA Engineer: (Part-time or dedicated) - For thorough testing.
    • Project Manager/Product Owner: (Part-time or dedicated) - To keep the project on track, manage scope, and communicate.
  • $500k suggests: A lean but highly skilled team working efficiently for a period of several months to a year.
    • Assuming a blended hourly rate of $100-$150 (which is reasonable for a mix of senior onshore/nearshore talent or a very efficient offshore team), $500,000 would cover 3,333 to 5,000 person-hours.
    • If a project takes, say, 6-12 months, this means a team of roughly 3-5 full-time equivalents (FTEs). A single backend developer alone would take years to build something of this scale.
  3. Location of Developers:
  • North America/Western Europe ($100-$300+/hour): $500k might get you a highly specialized portion of a larger system, or a smaller, very focused MVP developed by a small team. A full enterprise system is often $1M+ in these regions.
  • Eastern Europe ($40-$120/hour): $500k goes much further here, allowing for a more substantial team and project scope. This is often a sweet spot for quality and cost.
  • Asia-Pacific ($25-$100/hour): $500k can fund a very large and complex system, potentially with a larger team or longer development timeline.
  • $500k suggests: Either a very focused, highly efficient small team in a high-cost region, or a larger, more comprehensive team in a mid-cost region.
  4. Technology Stack:
  • Using established, open-source technologies (Python/Django, Node.js/Express, Ruby on Rails, PHP/Laravel, Go, Java/Spring Boot for backend; React, Angular, Vue for frontend) can be more cost-effective than niche or proprietary solutions.
  • The choice of database (SQL vs. NoSQL), cloud platform (AWS, Azure, GCP), and other tools impacts costs.
  5. Project Management and Process:
  • Clear Requirements: Well-defined requirements and scope upfront help prevent “scope creep,” which is a major budget killer.
  • Agile Methodology: Often favored for its flexibility and iterative approach, which can help manage costs by delivering value incrementally.
  • MVP Approach: Building a Minimum Viable Product first, then iterating, can help validate the concept and raise further funding, spreading the cost.
  6. Non-Functional Requirements:
  • Scalability: Designing for millions of users from day one costs more than designing for thousands.
  • Security: Robust security (encryption, compliance, regular audits) adds cost.
  • Performance: Optimizing for extremely low latency or high throughput.
  • High Availability/Disaster Recovery: Redundancy and backup systems.
  • Compliance: Meeting specific regulations (HIPAA, GDPR, etc.) can add 10-20% to the budget due to stricter requirements for security, auditing, and data handling.
  7. Post-Launch Costs:
  • Maintenance & Support: Often 10-25% of development cost annually. This isn’t included in the initial $500k build.
  • Hosting/Infrastructure: Cloud costs will be ongoing.
  • Ongoing Feature Development.

Conclusion:

Yes, a web application system can absolutely be built for $500,000. This budget would allow for a significant, custom-built application with robust backend functionality, often managed by a highly competent backend lead overseeing a small, efficient team.

However, it’s not a “one size fits all.” To stay within that budget and achieve a high-quality outcome, you’d need:

  • Clear, prioritized scope.
  • An efficient development process.
  • A strong, experienced team.
  • Realistic expectations about the scope and features that can be delivered for that amount, considering the talent’s location.

For many startups and mid-sized businesses, $500k is a substantial and realistic budget for launching a sophisticated, functional, and scalable web application system.

The description of how to architect the system is kind of whack (since I wear a DevOps hat) but yeah… You can find people willing to pay for web apps at high amounts of money. Like I said, on LinkedIn; I have met someone there before but I was only a noob back then, I am much more mature now.

17

This is how we handled it, back in the day when I developed a web site that needed to take payments. We used PayPal and another one that I think was called SecPay, our “buy” process handed over to either of those sites and got back a “yes” or “no” response to show whether the payment worked or not.

I’m not sure of the question you’re asking OP, though I must admit I haven’t read the massive long quotes from AI that you’ve posted. If you’re convinced that “the law” (in which country?) requires you to have a 24/7 incident response team and call centre, then that’s your answer. If you don’t have the resources for that (and who does, when starting up?) use someone else to handle payments and let them deal with it.

19

(Preface: I too have not read the walls of text you’re posting. Mass AI responses are meaningless.)

Well for starters PCI-DSS would only be applicable if you’re handling and processing the card data yourself. Which unless you’re a very large business… don’t. For this very reason. Arguably you’d be under PCI-SSF instead, but even then, if you’re not a large business… don’t. Let an external processor handle all of the transactional requirements.

Your book probably mentions small businesses, either in reference to an actual physical store, or is miscategorizing “small” as “add a couple of 0’s to the number you’re thinking of”. When “large” is measured in the hundreds of millions or billions… Small is quite a large category.

If you’re developing a website for a customer, you’re not the Incident Response Team unless you’ve also established a contract to do that. You develop the site, deliver the site. The customer is responsible for operations and operational compliance with the law.

1 Like
20

What @m_hutley said - don’t.

If you try to take on the payment processing yourself and the PCI compliance, then guess what? You become liable for PCI compliance. You become responsible for data breaches and stolen identities, credit card scams, etc.

Let the companies who have been in business for years handle that type of work. Build a passthrough environment to the service, but don’t hold any more data than is strictly necessary for things like refunds and such.

The dollar amount needed to make it worth its while is not something an individual developer or even a small company is going to get to make it worth the effort and the risk it’s going to take to get it done.

1 Like
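The passthrough pattern the last two posts describe (hand the buyer to a hosted payment page, get back a yes/no plus a reference, keep nothing else) is what puts a shop in the SAQ A bracket mentioned earlier. As an added example, not code from this thread or from PayPal, SecPay or any real processor, here is the merchant side of that pattern in Python. The processor API shape (field names, HMAC-signed redirect and callback, the `result`/`ref` fields) is an assumption made for the example; a real integration follows the provider's documentation. The secret, URL and order ids are constructed sample values.

```python
"""Merchant-side pass-through checkout that keeps card data out of scope.

Added example. The shop builds a signed redirect to a hosted payment page,
refuses any form submission that carries card data, and on the processor's
signed callback stores only the outcome and the processor's reference id.
The processor protocol here is an assumption for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from urllib.parse import urlencode

PROCESSOR_SECRET = b"constructed-shared-secret"  # in practice: loaded from a secret store
HOSTED_CHECKOUT_URL = "https://pay.example-processor.invalid/checkout"  # placeholder

# PANs are 13 to 19 digits; a Luhn check cuts false positives from phone numbers etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")
SUSPICIOUS_KEYS = {"pan", "card_number", "cardnumber", "cvv", "cvc",
                   "expiry", "exp_month", "exp_year"}


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_data(payload: dict) -> bool:
    """True if a field name suggests card data or any value holds a Luhn-valid PAN."""
    for key, value in payload.items():
        if key.lower() in SUSPICIOUS_KEYS:
            return True
        if any(luhn_ok(m) for m in PAN_RE.findall(str(value))):
            return True
    return False


@dataclass
class Order:
    order_id: str
    amount_cents: int
    currency: str
    status: str = "pending"
    processor_ref: str | None = None  # the only payment identifier the shop keeps


def sign(params: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (assumed processor convention)."""
    msg = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PROCESSOR_SECRET, msg, hashlib.sha256).hexdigest()


def build_checkout_redirect(order: Order, form: dict) -> str:
    """Reject submissions carrying card data, then build the signed hosted-checkout URL."""
    if looks_like_card_data(form):
        # The shop must never receive a PAN; refusing (and not logging the form) keeps scope small.
        raise ValueError("card data must be entered on the processor's page, not ours")
    params = {"merchant_order": order.order_id,
              "amount": order.amount_cents,
              "currency": order.currency}
    params["sig"] = sign(params)
    return f"{HOSTED_CHECKOUT_URL}?{urlencode(params)}"


def handle_callback(order: Order, callback: dict) -> Order:
    """Verify the processor's signed result; store only outcome and reference id."""
    body = {k: v for k, v in callback.items() if k != "sig"}
    if not hmac.compare_digest(sign(body), callback.get("sig", "")):
        raise ValueError("callback signature mismatch")
    if body.get("merchant_order") != order.order_id:
        raise ValueError("callback is for a different order")
    order.status = "paid" if body.get("result") == "yes" else "declined"
    order.processor_ref = body.get("ref")  # enough for refunds and support lookups
    return order


if __name__ == "__main__":
    o = Order("ord-1001", 2599, "USD")
    print(build_checkout_redirect(o, {"email": "buyer@example.com"}))
    cb = {"merchant_order": "ord-1001", "result": "yes", "ref": "txn-abc"}
    cb["sig"] = sign(cb)  # the processor would sign; done here so the sample runs offline
    print(handle_callback(o, cb))
```

The two checks that matter for scope are `looks_like_card_data`, which stops the shop from ever storing or logging a PAN that a misrouted form posts to it, and the signature check in `handle_callback`, which is what makes the yes/no answer from the processor trustworthy rather than something a buyer could forge by calling the callback URL themselves.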