I have been going back and forth with rackspace and trustwave. Trustwave says that my site is not pci compliant. Here is how my site works: a user clicks to purchase an item, and then logs in securely via https. From there, they enter their credit card information. When they hit process, it sends to authorize.net to process the card, and the results come back to my website.
truswave says TOO BAD - that isn’t how it works. The entire site/server must be PCI compliant to do it this way. Rackspace says the absolute only way to do it is to either a) have the credit card info be input at authorize.net or b) get a dedicated server.
Is this your experience as well? I was not aware of this at all!
[QUOTE=ralph.m;5018489The site, or the server? Those are two different issues. There are many sites on shared hosting whose domain is SSL protected (https://) and they are supposed to be PCI complaint.[/QUOTE]
PCI is a compliance system but there are many different levels. https in and of its self doesn’t make a site compliant but rather how the site handles payment data and is configured in terms of access, web facing exposure, etc. is what counts [with ssl security obviously being a requirement for even a low level]. Far too many businesses skip over the program and end up doing high risk things like storing credit cards without anywhere near the right system in place or storing cvv codes which is never allowed. The fines for violations alone are reason to read the guidelines.
I’ve gone through a few full compliance builds but don’t understand each of the low levels enough to know why Rackspace would forbid behind-the-scenes-remote payments entirely on their shared solution but as a guess it could be that they don’t want the liability of cards being passed through [they don’t know who passes directly and who saves the card even briefly in a session or database].
You are probably right I would guess a huge portion of ecommerce sites are not pci compliant. Most merchants don’t understand the real requirements and they might think they are compliant or that it doesn’t matter. Even many of the scanning companies I have talked to didn’t quite know how to answer the merchants questions.
It’s not just ecommerce… few merchants read the rules they agreed too carefully. I’ve had enough clients to scan through the regulations a few times and while I still forget details, I’m amazed at how many stores try to write down my credit card on paper… uh no.
Still, if you’re not going to hold the data at all [i.e. it gets passed through over ssl in a single request, no sessions, no hidden forms to read] you’re probably talking about a low level PCI audit and nothing crazy to go through.
It’s not an issue of Rackspace forbidding anything, it’s that Rackspace’s cloud is not certified, so nothing running on it can be certified compliant. Compliance requires certain physical access control, logging and auditing procedures that you can’t comply with if you don’t physically control the server or know how it is controlled by your hosting company. The truth of the matter is that if you can’t afford your own server, you don’t have the resources to secure your business to the level the card issuers expect of someone handling customer payment data.
You can pass one of those automated audit scans with even shared hosting, but passing the scan doesn’t actually make you compliant if you’re lying about all the stuff on the self-assessment questionnaire. To pretend you’re actually meeting the requirements while you’re not opens you up to half a million dollars per incident of liability if you end up losing payment data to hackers and Visa or MasterCard finds out about it. Agreeing to their operating regulations, which include those penalties, is part of your merchant agreement. You should use a 3rd party processor (or Authorize.net SIM, the hosted payment form).
As far as I know, Amazon EC2 is the only PCIDSS certified cloud provider, though it’s not really something I try to keep up on.
The other truth of the matter is that most people ignore all this and just answer “yes” to everything on the questionnaire, have none of the actual security procedures required in place, meet few of the requirements for a secure system and network, and do the bare minimum to pass the automated screening every 3 months… For those, it’s just a matter of hope and luck… hoping that you’re not unlucky enough to be targeted by hackers and caught by a card network pinpointing the problem to you.