I need recommendations for a reliable web host for an ecommerce store (fashion-related, big graphics, and will have Flash elements along with PHP).
I'm looking at shared services for now, but something which can grow the business (traffic spikes, peaks etc.), and most importantly runs . Thus, not bothered with ‘unlimited’ this or that; what matters is that the service is fast, authentic and has good support…
I am actually with Arvixe with their ASP hosting, but changing over to a PHP website. I have found them pretty good, but as there are far more quality Linux hosts than ASP out there, it makes sense to check ’em out!
You cannot use shared hosting then. There is no way to be PCIDSS compliant without your own server. Compliance is required for any merchant that accepts payment information through their own website.
If you don’t have a system administrator on staff, it’s unlikely you’ll be able to meet all of the requirements to accept payment information through your own website in compliance with your contract. If that’s the case, you should reconsider accepting payments through your site. Using the standard PayPal service, where payment takes place on PayPal’s domain, would alleviate this need, for example.
It seems like your site is going to spike at certain times during the day. I would recommend LiquidWeb as they seem to cater for websites like yours. I do not have any experience with them but have read some fantastic views on various forums.
I completely agree. If you wish to take and store credit card information directly from your website you will need a dedicated server and a highly skilled Linux Administrator. You will not be able to store payment details on a shared hosting account.
You are not only limited to PayPal however. There are many 3rd party payment gateways such as 2checkout, Google Checkout and Authorise.
You can still take payments on your website and NOT store the actual credit card information and still be compliant can’t you? Simply taking the info, connecting with a gateway, and then discarding it as long as you do it all through an SSL connection should be ok right?
No. You need to meet all the PCIDSS requirements just by having credit card data submitted to your server, even if you just pass it on to someone else. It’s moving through your computers, so your computers are a potential security vulnerability, and the requirements aim to make sure you run things right so that they’re not.
You can’t meet those requirements on shared hosting. Think about it. Large POSTed data ends up in a file in /tmp for the duration of the PHP script’s execution, which any other shared hosting client on the same server can read. Other people can read YOUR customers’ credit card data, without you explicitly storing it! And that’s just one obvious problem.
Fill out the PCIDSS self-assessment questionnaire. It asks you these things, and will tell you that you need to be compliant.
In light of all this, and the obvious cost and hassle to become compliant (with due justification), is there any way of creating/designing your own ecommerce solution while still being PCIDSS compliant? I was hoping to use Magento, but it seems a little redundant if, say, you still have to go through a payment processor and their own environment to complete the sale (plus the extra steps needed)…
PCI-DSS (last time I checked) isn’t a law in most places, and those where it is require that you process so much revenue via credit cards monthly or annually. I know that PayPal does require PCI-DSS compliance, but it’s not a law, just a requirement for their program.
The laws could have changed though, last time I really looked into it was around 2 years ago.
If you’re going to break your merchant agreement, all of which require PCIDSS compliance because Visa/MC mandated that every merchant processor require every merchant be compliant and only use PA-DSS approved software by June, then you’re committing the civil tort of breach of contract.
There is no minimum processing volume to require compliance. Processing volume is only used to determine to what level your company will be audited. If you do very low volume, then you basically have to attest to being compliant without anyone verifying it. If you do medium volume, you have to do a self-assessment and get annual or quarterly security scans of all servers payment information touches, and if you do high volume you need to have your processes and facilities audited.
Regardless of how much verification is required for you, you’re required to be compliant, and if you’re not and end up having payment information compromised, you’re liable for half a million dollars per incident.
More importantly, you’re putting your ability to accept payments at risk. You breach the contract, your processor finds out, your account gets closed. If you’re really unlucky, they add you to the TMF and MATCH lists and other processors and banks won’t open an account for you. Both your business and all its principals are added to the list, and you’re essentially blacklisted for life.
Being able to take payments is the core of doing business, it’s not something to take lightly.
I saw no mention of PCIDSS when we signed our merchant agreement, but it’s likely things have changed since then. For the record (so nobody takes it incorrectly), MDDHosting is PCI-DSS compliant, so I’m not condoning not doing it; I was just speaking based upon my historical information (which I guess is now inaccurate).
Your agreement would have required you to agree to comply with all Visa and MasterCard Operating Regulations. That’s standard verbiage from well before PCIDSS. Those regulations are incorporated by reference into the contract. They are the ones that mandate the compliance, and it’s enforced through your processor.