Evil Overlord

Do the developers of CRE Loaded understand PCI Compliance?

August 19, 2009 in eCommerce by CEO/Founder, Supreme Center Hosting  |  2 Comments

The CRE developers recently released their CRE Loaded 6.4 PCI edition, touting full compliance with the Payment Card Industry (PCI) security rules. I won’t discuss the fact that v6.4 was released unfinished, with bugs and, in fact, security issues. I do, however, want to focus on their lack of knowledge of the PCI security rules, or their inability to properly educate their customers on compliance.

A customer recently spoke with Michael Miller, head of CRE Development, and was told that she needed to be PCI compliant; he suggested she use CRE Secure. He also stated that she needed to use a host that was also PCI Compliant and recommended that she use their PCI compliant hosting partner – at a cost of $500/month. This customer explained to Mr. Miller that she does not collect credit cardholder data on her site and uses the third-party payment gateway Authorize.Net to process payments. Mr. Miller stated that Authorize.Net is Not PCI compliant. Six days later, CRE made an about-face and released a newsletter titled “CRE Loaded Announces PCI Compliance Connection to Authorize.Net.” Within the newsletter, CRE writes:

“CRE now connects directly to Chase Orbital and Authorize.Net. If your current gateway is not listed above, ask your current merchant bank provider how you can easily make the switch over to Authorize.Net.”

I’m confused. CRE is creating a “PCI Compliance Connection” with, according to Michael Miller of CRE, a third-party payment gateway that is Not PCI Compliant? It is clear to me that Mr. Miller wanted my customer to use their CRE Secure for credit card processing. Suggesting that Authorize.Net is not PCI Compliant is a disingenuous way of drumming up business for the “Evil Overlord.” Fact is, Authorize.Net is PCI Compliant:

“Authorize.Net also complies with payment industry-specific requirements known as the Payment Card Industry Data Security Standard (PCI DSS v1.1). Our Qualified Security Assessor is Trustwave and we completed our most recent audit in May 2008.”

Visiting the Authorize.Net website and verifying their compliance is so easy, even a monkey can do it.

PCI Compliance Myths

One myth about PCI Compliance is that every merchant must go through the same PCI validation as a payment processor. Fact is, if your store hands the shopper off to a third-party payment gateway such as Authorize.Net or PayPal, and the card number is entered on the gateway’s page rather than on yours, then the gateway is the party that stores, processes and transmits the card data, and the gateway is the one that must be validated against the full standard. What is left for you is the short self-assessment questionnaire for merchants who have outsourced all card handling (SAQ A), which amounts to confirming that you really do not touch the data.

Another myth is that not only must you be PCI Compliant, but you must also use a PCI Compliant hosting provider. Again, if you use a third-party payment gateway in this way, then neither you nor your hosting provider is storing, processing or transmitting cardholder data, and neither of you has anything to validate beyond that fact. A $500/month “PCI compliant” hosting package buys you nothing you need.

What is required?

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org), the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document, cardholder data includes the primary account number (PAN), cardholder name, service code and expiration date, while sensitive authentication data, which must never be stored after authorization, includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.

In short, if you or your hosting provider collect, store, process or transmit cardholder data or sensitive authentication data, then you and your hosting provider must be PCI Compliant: each of you is responsible for the systems you operate that touch the data.

PCI Compliance does not mean Breach-Free. “It’s a mistake for anyone to equate compliant with impossible to breach,” says David Taylor, CISSP and founder of the PCI Knowledge Base. “There is no way that a committee that has to consider what is ‘reasonable’ and ‘affordable’ to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet,” Taylor says.

If a hosting provider, and a merchant using that hosting provider, do not collect, store, process or transmit any data that falls under the requirements of PCI, then neither host nor merchant has systems to bring under the PCI Data Security Standard Requirements and Security Assessment Procedures. Note what “using a third-party gateway” has to mean for that to hold: the shopper types the card number into a page served by the gateway, or into a form that posts directly to the gateway, and the number never reaches your server. If your checkout page collects the number and your server forwards it to the gateway, even without ever writing it to disk, your server is transmitting cardholder data and the gateway’s compliance does not cover it. Check which integration method your cart actually uses before you assume you are out of scope.

Don’t let anyone sell you PCI Compliance as a product. If you use a third-party payment gateway in the way just described, and are happy with the service it provides, then you do not need to buy a new gateway or a new host. That being said, there is no reason why you should not ask your hosting provider whether it collects, stores, processes or transmits any data that falls under the requirements of PCI, and if it does, whether it is PCI Compliant. Better still, check your own logs, database and backups for card numbers rather than taking anyone’s word for it: a cart that logs the POST body of a checkout page can leave full PANs, and even CVV2 codes, sitting on a shared host without anyone having decided to store them. There is always the chance that a hacker breaks in and steals credit card data. If the hosting provider is not PCI Compliant, the hosting provider could be fined, causing the provider to shut down and leaving you and your business in limbo.
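The check above, done in code: a small scanner that looks through log lines, database dumps or form posts for the two kinds of data the standard defines, full PANs (13–19 digits that pass the Luhn check digit, so order numbers and timestamps are ignored) and labelled sensitive authentication data such as a `cvv=` field. This is an added example written for this post, not code from CRE Loaded, Authorize.Net or the host; the sample lines are constructed and use the card brands’ published test numbers, and the field names in `SAD_RE` are assumptions about how a cart might label them.

```python
"""Scan text (logs, DB dumps, form posts) for cardholder data that would put
a merchant or host in PCI DSS scope.  Added example, not code from the post."""
import re
from typing import Dict, List

# A 13-19 digit run, optionally grouped with spaces or dashes (the way PANs
# show up in logs and POST bodies).  The lookarounds stop us matching a
# slice of a longer number such as a hash or timestamp.  Separator-tolerant
# matching can glue two adjacent numbers together; the Luhn check below is
# what keeps that from turning into a false positive most of the time.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Sensitive authentication data (CVV2/CVC2/CID, track data) must never be
# stored after authorization, so a labelled field is a finding on its own.
# Field names here are assumed; adjust to what your cart actually emits.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]?)\s*[=:]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check-digit test that every card brand's PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the unmasked PANs found in one line (digits only)."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Report every PAN and every labelled sensitive-auth field, per line.
    PANs are masked in the report so the scan itself does not create a new
    copy of cardholder data."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append({"line": n, "kind": "PAN", "value": mask_pan(pan)})
        for m in SAD_RE.finditer(line):
            hits.append({"line": n, "kind": "SAD", "value": m.group(1).lower()})
    return hits


# Constructed sample lines, using the card brands' published test numbers.
SAMPLE_LINES = [
    "2009-08-19 10:02:11 order=1337 card=4111111111111111 exp=0911 cvv=123",
    'customer=42 pan=378282246310005 name="Jane Doe"',
    "order=1338 card=411111******1111 status=approved",   # already masked
    "order=1339 ref=4111111111111112",                    # 16 digits, fails Luhn
    "card_number: 5500 0000 0000 0004 gw=authorize.net",  # grouped digits
    "txn_id=2147483647 amount=19.99",                     # ordinary id, ignored
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Run it over your web server access and error logs, your cart’s own log tables and any database dump or backup on the host. One hit is enough to settle the question of whether you are storing cardholder data; the first and fifth sample lines show the two ways it usually happens, a logged checkout request and a column nobody remembers adding.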

The majority of our customers prefer PayPal as their payment processor. Therefore, we do not collect, store, process, or transmit cardholder data or sensitive authentication data. All merchants using our shared hosting services also use third-party payment gateways. What does this mean? Our shared hosting services will continue to be affordable. Within the next 30 days or so, we will start offering PCI Compliant dedicated solutions. However, we will continue to offer affordable dedicated solutions to those customers who prefer to use a third-party payment gateway. Hosting your eCommerce website does not have to be an expensive process. Shelling out $500/month for a PCI compliant hosting provider is unnecessary.

CRE Loaded just got worse

October 20, 2008 in CRE Loaded by CEO/Founder, Supreme Center Hosting  |  Comments Off

I could all-out flame CRE Loaded and Salvatore Iozzia here today, but what good would it do? I doubt very highly that it would make any real difference to the current CRE Loaded open source model. Fact is, I had plenty to say in the “Sal’s Message to the Community” thread at the CRE Loaded forums regarding past and current issues, and it seems Sal is oblivious to the opinions that were offered. He somehow managed to muster up enough backbone to create the post, while flip-flopping on the entire issue. The entire post looks like it was pulled out of a page from the past, with many of the more well-known forum members taking a whack at Sal’s pride.

By now it is probably obvious that I am not new to CRE Loaded. I started using it back in 2003-2004 when it was still in [bug filled] version v6.15. I even did work for Sal [installations, contribution additions] while I was starting up my hosting business. That was until he screwed me out of $500 for work I performed, and about the time that David Graham, of the osCommerce University, suggested that Sal start selling CRE Loaded. I remember having a chat conversation with David regarding sale of the open source application but was never aware that he suggested it [or I am getting too old to remember]. I gently poked David in the aforementioned thread by saying “If you’re suggesting that you persuaded Sal to sell CRE then, Shame on you! It was you sir who created the Ugly Monster!” His response clearly showed that he was as pissed as I… “Yeah, well, I never intended anyone to mislead the public about the GPL and its implications either. Which is why EOS itself is free and will remain so.” What? Is it possible that Salvatore Iozzia could mislead the end user? Sure it is. I read posts by Sal, and his now world-famous moderator Gerald, regarding the GPL license. It was clear to me that what they were trying to do was mislead the less informed end user into thinking that they really were not permitted to do anything with CRE… but pay for it.

Now this brings up a new question… what exactly was the end user paying for? That ultimately is a very good question. At this point, I have no idea. David Graham recently blogged about this in his post “CRE Launches New Open Source Model” and stated that “My original concept when proposing CRE Loaded commercialization was to charge a standard fee per copy distributed with a 30 to 90 day support window, following which support could be obtained on a contract basis.” Okay, so the end user was paying for support? Hmmm… having had conversations with owners of other companies that were using, or had clients using CRE Loaded, this was clearly not the case. Apparently, support was one thing that was missing from the $200 price tag for Pro and $300 price tag for B2B.

Okay, so what do I think about all of this? What was missing from the launch of the new model and CRE 6.2 was Value-Added Services. By definition, it would be the term for non-core services… services that add value to a standard service offering. This could be any number of things. Using CRE as an example, the value-added services could be Support, plugins, templates, etc. As an active supporter of Open Source applications since 2003, we offer web site hosting and hosting services for a variety of open source applications and provide value-added services such as free professional installation and free support for a variety of issues that a customer may experience while using the application. We also provide web site programming services for these applications at a nominal [and below industry standard] fee.

So my question is… why is it that Sal thought it a good idea to sell CRE when he could have offered additional value-added services at reasonable rates? These services could have been any or all of those mentioned above. Support/Maintenance contracts could have been offered to those who either do not have the experience necessary to modify code or just did not want to. Plugins that could not be found for free at osCommerce.com could have been developed in-house and sold in the CRE store. Same goes for custom templates. Any service or combination of services could have been offered to the CRE end user, who, I might add, would have been more than happy to pay for them. However, the “Evil Greedy Overlord” could not help himself. He not only put unreasonable price tags on the open source application, he charged two arms and a leg for additional services that really should have been part of the “support” the end user was supposed to get.

So what have we learned from all this? Never, and I mean never, pay for open source applications. The whole idea behind open source is that the source code should be free. This does not mean that everything should be free [contributions, support, templates, hosting, etc], but that the application itself should be free. Granted, the GPL license states that you can sell the code. That is correct, sir. Let’s use Linux as an example. Linus Torvalds wrote and released Linux as open source and it can be found everywhere for $0. Why is it that Red Hat is selling it then? Well, they are not selling the Linux source code. What they are selling is value-added services in the form of features that cannot be found in the original source, support and improved & robust versions.

Finally, we have also learned that you can’t trust anyone who calls themselves the “Evil Overlord.”
