Website Safety - PCI Compliance
We interrupt this fun family blog to bring you a bit of business info.
This tutorial was put together by my good friend and successful online business owner, Alicia Staz (check out the links to her gorgeous jewelry in her credits at the end!). It explains what everyone with an online store needs to understand about complying with the laws protecting consumers’ credit card information.
————————————
PCI Compliance is required…this is not an option. Anyone who accepts credit cards must comply with certain standards based on the number of transactions you complete each year. It doesn’t matter if you use a payment gateway to process your cards or do them manually. It doesn’t matter if you use a shopping cart or PayPal… you still must commit to keeping all data that is collected safe. The PCI Security Standards Council has all the information you will need. Personally I didn’t get into the technical aspect of it. I knew I needed it and so I set out to get it done.
Who does PCI scanning?
I happen to have the Hacker Safe certification through Scan Alert - this includes PCI scanning at no extra charge. Scan Alert also offers a PCI scan for $149 a la carte, so you don’t have to buy the Hacker Safe certification to get it through them. That said, there are many organizations that offer a PCI scan, just Google it.
If you use PayPal, they have partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help their customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com
So what does PCI scanning entail?
When you have your domain scanned for PCI compliance it has nothing to do with PayPal, your shopping cart or anything else. That is a huge misconception! I left my host because she thought the PCI vulnerabilities had to do with my shopping cart, not her servers.
When a company scans your domain, they are scanning the servers that your domain resides on. They do all kinds of checks and challenges to try to “get into” the server - similar to what a hacker might do. It will completely mess up your website statistics… they are hitting pages randomly, every day. They are trying to find nonexistent pages so your “404 not founds” will be off the charts. I know someone said there is a way to block them from your stats program (not register any visits by scanalert.com) but I haven’t figured that out yet. If anyone else knows how to do this, please let me know!
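One way to keep the scanner’s probes out of your visitor statistics is to sort access-log lines by source before counting 404s. This is an added Python example, not part of Alicia’s article or of any stats product; the scanner hostname and network in it are constructed placeholders (ScanAlert’s real source addresses are not given here), and the filter keys on source addresses the scanning vendor tells you it uses rather than on the User-Agent string, which anyone can fake.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format. The source shows up as an IP, or as a
# hostname when the web server is configured to do reverse DNS lookups.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Placeholders (assumed, not the vendor's real values): fill these from the
# address list your PCI scanning vendor publishes.
SCANNER_HOSTS = {"scanner.example"}
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log: real visitors from 198.51.100.x, probes from the scanner.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2008:15:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [21/Apr/2008:15:02:12 -0500] "GET /cgi-bin/does-not-exist HTTP/1.0" 404 210 "-" "ScanProbe/1.0"
203.0.113.44 - - [21/Apr/2008:15:02:12 -0500] "GET /admin/ HTTP/1.0" 404 210 "-" "ScanProbe/1.0"
scanner.example - - [21/Apr/2008:15:02:13 -0500] "GET /phpinfo.php HTTP/1.0" 404 210 "-" "ScanProbe/1.0"
198.51.100.9 - - [21/Apr/2008:15:03:40 -0500] "GET /shop/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2008:15:03:41 -0500] "GET /shop/old-page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
this line is garbage and should be counted as unparsed
"""


def is_scanner(host, scanner_hosts=SCANNER_HOSTS, scanner_nets=SCANNER_NETS):
    """True if the log source is a known scanner hostname or falls in a scanner network."""
    if host in scanner_hosts:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname we do not recognise: treat as a visitor
        return False
    return any(ip in net for net in scanner_nets)


def summarize(log_text):
    """Count hits and 404s separately for visitors and for the scanner."""
    stats = {"visitor": Counter(), "scanner": Counter(), "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        bucket = "scanner" if is_scanner(m["host"]) else "visitor"
        stats[bucket]["hits"] += 1
        if m["status"] == "404":
            stats[bucket]["404s"] += 1
    return stats
```

The same split works as a pre-filter in front of any log-based stats tool: feed it only the lines whose source is not a scanner, and the 404 counts you see are the ones real visitors produced.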
Which hosts are PCI compliant?
Not many that I know about. The only two options I considered seriously were Hand-On Webhosting and A2 Hosting. I Googled it and had to really search for hosts that were compliant. I emailed my list of questions to the ones I found, and surprisingly only a handful got back to me with answers.
Here is my personal checklist for a host:
1. Do they maintain their own servers? If not, can they tell me where they are physically located?
2. Do they allow spammers or adult sites to reside on their servers? If so, it could negatively affect my search engine ratings.
3. Are they Hacker Safe compliant?
4. Are they PCI Compliant? If they are PCI Compliant they are Hacker Safe compliant because PCI compliance is a step more intense than Hacker Safe.
5. Are their prices reasonable?
6. Are there any negative reports about them online? I Googled the names…
7. Have they been in business for several years? This is my business and I don’t want someone else’s hobby ruining my business because it goes under. That is why I want to be with a host that owns the physical servers. Chances are, if they have invested that kind of money in servers, they are in it for the long haul.
What are the next steps?
Once you choose a host that is compliant and get your site moved to their servers, you will still have vulnerabilities to address. A PCI scan generates vulnerabilities that may or may not be valid for your particular host. They are testing based on the worst case scenario and in many cases, there is a reason the host does things in a particular manner, and they have other measures in place to protect the data.
Once I had a PCI Compliance report that listed the vulnerabilities, I emailed it to A2 Hosting’s Technical Support and they typed up answers to address the issues. Once I had responded to the issues and completed the PCI Questionnaire, I was considered compliant. Since I have less than 20,000 transactions a year, I am only required to have quarterly scans to be in compliance. I printed my compliance report and don’t need to print another one for 3 months.
What is the PCI Questionnaire?
It is just a list of questions you need to answer that ensures that you personally (and any other people your company employs) are doing everything necessary to protect the credit card data. Do you store it on a secure server, do you password protect the data, etc.
I think that about does it. If you have any other questions, I can try to answer them, but I am by no means an expert. I just did what I had to do to become compliant and I think I have detailed it all here. If any of you want to forward this to others I don’t mind… I only ask that you maintain my signature line as part of the article. : )
Alicia E Staz, Owner, Designer, Beaded Royalty
Visit my blog at:
April 21st, 2008 at 3:17 pm
Thanks for the link and the great user-friendly information on PCI compliance. I would disagree with the idea that serious hosting companies always own their hardware, though. We actually owned our own hardware for years before moving to a managed center for many reasons — faster and more reliable networks, faster resolution to hardware issues, faster server setup time (both this and issue resolution being fast because they’ll always have extra hardware on hand), not to mention server rental, particularly with dedicated clients, being more cost effective in the long run. Anyway, hehe, hope you don’t mind me defending our reputation.
We’re small, but it takes more than a hobby to be doing this for as long as we have. Thank you again for your very useful article!