
Re: [LUG] PCI Compliance anyone?


Quoting Gordon Henderson <gordon+dcglug@xxxxxxxxxx>:
If you want to be compliant, then you will have to move to a dedicated server so you have complete control over the system and can adhere to the sections with DSS that relate to configuration management, systems access auditing and the other relevant areas.

I don't actually care about being compliant, but my client appears to
be. (It's actually a client of a client if you see what I mean - my
client is the web design co, and it's one of their clients who has an
online shop) They're using HSBC as the back-end payment processor and
it's the HSBC that wants to see that the server is compliant -
apparently the shop part of the site takes the credit card numbers in,
passes them onto the HSBC to get yes/no and carries on ... The shop
isn't actually storing CC numbers (although I guess they're stored
somewhere in-transit)

No, they aren't stored, but they are transmitting.

OK, so there is a workaround here. If they switch to using PayPal or Google Checkout (amongst others) and then send the user to a google/paypal site to make the transaction, they are neither storing, processing or transmitting the data.

If you can find a shared hosting provider that claims that their hosting platform is PCI compliant (and I mean the platform, NOT the company's internal systems) then please let me know as I'd love to talk to them about how they did it!

Well, I can easily make this website pass their tests (3 lines of
iptables and some apache tweaks) and unless they explicitly ask the
question "is it on a shared server" they'll never know.

The problem with PCI is that it doesn't really apply to the website at all, it applies to the hardware and operating system that the website runs on. If that's not compliant, the company isn't. There is a PCI-DAS which is the Data Application Standard that will apply to any code that stores, transmits or processes credit card data and it's only a matter of time before that starts being enforced as well.

If it helps, there are a few companies out there that will perform a basic PCI compliance scan (I believe Comodo is one of them) and email you the results for about $15USD.

M.
--
Matthew Macdonald-Wallace
matthew@xxxxxxxxxxxxxxxxxxxxx
http://www.truthisfreedom.org.uk/

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html