In regards to PCI compliance, does anyone know how much bandwidth is used up doing a quarterly scan? My site is a medium-size ecommerce site with about 258 product pages and about 30 other pages. I just signed up with Security Metrics and noticed a big jump in the GB used for just 1/2 hour of the first scan. I shut it off until I figure this out. I get charged for going over bandwidth usage. SM told me it can take up to 24 hours to scan a site.
PCI compliance is only needed if you store or process the credit card data on your website. If you are using a payment gateway that handles the payment, then it's not really an issue.
Sorry to answer with questions but,
Security Metrics is doing the scan. Are there alternatives?
Is the BW use consistent during the scan or does it fall off as it runs?
What’s more important, meeting PCI compliance or saving some money?
Is failing PCI compliance less expensive?
It certainly doesn’t seem fair. If Security Metrics is the best price and you need to accept credit cards, maybe you can ask that they run their scans less often?
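The two questions above (how much bandwidth the scan actually consumes, and whether it stays constant or tapers off) can be answered from the web server's own access log rather than from the hosting bill. The script below is an added example and is not from either poster: it parses combined-format access log lines, keeps only requests from the scanner's source addresses (a placeholder range here; the real ranges would come from the scanning vendor), and sums response bytes per hour. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of combined-format (Apache/nginx) access log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:05:01 +0000] "GET /product/1 HTTP/1.1" 200 48213 "-" "scanner/1.0"
203.0.113.10 - - [12/Mar/2024:10:05:02 +0000] "GET /product/2 HTTP/1.1" 200 51000 "-" "scanner/1.0"
198.51.100.7 - - [12/Mar/2024:10:06:10 +0000] "GET /index.html HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2024:11:15:00 +0000] "GET /cart HTTP/1.1" 200 9000 "-" "scanner/1.0"
203.0.113.10 - - [12/Mar/2024:11:20:00 +0000] "GET /nonexistent HTTP/1.1" 404 512 "-" "scanner/1.0"
"""

# Placeholder: the scanner's source network(s). Obtain the real list from the vendor.
SCANNER_RANGES = ["203.0.113.0/24"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return (client_ip, timestamp, response_bytes) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # "-" means no body was sent (e.g. 304); count it as zero bytes.
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("ip"), ts, size


def scanner_bytes_per_hour(log_text, scanner_ranges=SCANNER_RANGES):
    """Sum response bytes per clock hour for requests coming from the scanner ranges.

    Note: the combined log's byte field is the response body only, so this is a
    lower bound on the bandwidth the host bills for (headers and TLS overhead
    are not included).
    """
    nets = [ip_network(r) for r in scanner_ranges]
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, size = parsed
        if any(ip_address(ip) in n for n in nets):
            totals[ts.strftime("%Y-%m-%d %H:00")] += size
    return dict(totals)


def total_scanner_bytes(log_text, scanner_ranges=SCANNER_RANGES):
    """Total response bytes served to the scanner over the whole log."""
    return sum(scanner_bytes_per_hour(log_text, scanner_ranges).values())


if __name__ == "__main__":
    for hour, nbytes in sorted(scanner_bytes_per_hour(SAMPLE_LOG).items()):
        print(f"{hour}  {nbytes / 1e6:.3f} MB")
    print(f"total: {total_scanner_bytes(SAMPLE_LOG) / 1e6:.3f} MB")
```

Run it against the real log for the scan window to see whether the per-hour figure is flat or drops off after the initial crawl of the product pages, and multiply the total by four for a rough yearly estimate of quarterly scans.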
Thanks for the answer. I found Security Metrics to be the best price-wise. Others wanted over 1,000 to 1500 per year. For all the small mom and pop sites, it's a bit much as profit margins and sales are not great enough to justify it. I do not store credit cards on my system. Also PCI is not a guarantee that your site will not get hacked. It's just a scanning mechanism, not a guarantee you won't get hacked. And let's face it, you can do everything right, get hacked, and the banks will still blame the merchants. I wonder what restaurants and card-present merchants do? Most of it is all a money making thing. If a hacker wants to get in they'll find a way. Scanning still doesn't stop a disgruntled fired host company employee from stealing CC numbers. If you're using a PCI compliant software host company, a PCI compliant gateway, have SSL…what the hell more do they want…blood? Where is it in writing that, with all this and the money spent, neither the scanning companies, the credit card companies, nor the gateways assure a merchant they will not be fined if some crook decides to get in? Again, merchants will get the blame. Washington state is the only state so far to make a state law to assure merchants will not be fined no matter what happens if they follow all the PCI compliance rules. No other states have a law yet. Merchant 911 is fighting this and trying to take it to Congress and state lawmakers to stop harassing merchants about credit card fraud and give us a guarantee that following PCI rules will abolish blame on merchants if a site gets hacked. Until then, I can't see spending an arm and a leg on scanning. It's like paying the highest price for car insurance with no guarantee you are covered if you get in an accident.