Hi, I recently received a notice from my merchant card processor (for my ecommerce website) about my need to comply with the Payment Card Industry Data Security Standard (PCI DSS). They suggested that I contact a specific, third-party PCI Council-approved scanning vendor. The vendor will not give out pricing unless you register, etc., and I don't have time to do this right now, but it looks to be an expensive security scanning service. Has anyone done this yet? It almost sounds like a scam the way they have set this up and the weasel words throughout the letter, but it is likely legit. Would appreciate any insight into this that you can provide. JR
PCI is a requirement. You can read about it here: https://www.pcisecuritystandards.org/ There are virtually hundreds of approved scanning vendors (ASVs) - https://www.pcisecuritystandards.org/pdfs/asv_report.html. You can use any one. You will need to fill out the nasty questionnaire and then sign up with a vendor to do quarterly scans. Some of them are as low as $50 - $100 per year. We use Trustwave, who is on the more expensive side, but is one of the most widely used vendors: https://www.trustwave.com/. I usually recommend this company: http://www.hackerguardian.com/ to my customers. They are one of the lowest-cost ASVs that we've found. Whatever the case, you do not have to do it with the vendor they recommended. You can use any vendor on the list. They will provide you with a certificate of compliance once you have successfully validated.
I have spoken to my host (HostGator) about this before I signed up with them. They said all their servers are usually PCI compliant; if they're not, you can request that they make them compliant for free.
Jestep, thank you, that was very helpful. 1-h8, are you saying that HG pays a service to scan their servers anyway, and if my site is hosted on their servers I am automatically covered? That almost sounds too good/easy to be true.
I have the transcript somewhere. I asked whether their servers were PCI compliant, as I would be processing credit cards, and they said most were, and if mine wasn't I could request that it be made compliant.
You will still need to complete the self-assessment questionnaire in any case. There are 4 versions total. If you outsource everything, then I think you can complete version A, which is much shorter and easier. In this case the server would have to be fully managed, and they would need to have proof of PCI compliance themselves. I would ask these guys: http://pcianswers.com/ if you have any questions, or at least check out their blog. They should be able to tell you the best / legal method for your situation.
One thing I cannot find on HostGator is the contract requirements. Web hosting companies are a third party to the merchant, and third parties are required to have a contract with the merchant outlining responsibilities with regard to cardholder data.