
Do the developers of CRE Loaded understand PCI Compliance?

August 19, 2009 in eCommerce by SupremeCenterHosting  |  2 Comments

The CRE developers recently released their CRE Loaded 6.4 PCI edition, touting full compliance with the Payment Card Industry (PCI) security rules. I won’t discuss the fact that v6.4 was released unfinished, with bugs and, in fact, security issues. I do want to focus on their lack of knowledge of the PCI security rules, or their inability to properly educate their customers on compliance.

A customer recently spoke with Michael Miller, head of CRE Development, and was told that she needed to be PCI compliant; he suggested she use CRE Secure. He also stated that she needed to use a host that was PCI compliant and recommended their PCI compliant hosting partner, at a cost of $500/month. This customer explained to Mr. Miller that she does not collect cardholder data on her site and uses the third-party payment gateway Authorize.Net to process payments. Mr. Miller stated that Authorize.Net is not PCI compliant. Six days later, CRE made an about-face and released a newsletter titled “CRE Loaded Announces PCI Compliance Connection to Authorize.Net.” Within the newsletter, CRE writes:

“CRE now connects directly to Chase Orbital and Authorize.Net. If your current gateway is not listed above, ask your current merchant bank provider how you can easily make the switch over to Authorize.Net.”

I’m confused. CRE is creating a “PCI Compliance Connection” with a third-party payment gateway that, according to Michael Miller of CRE, is not PCI compliant? It is clear to me that Mr. Miller wanted my customer to use CRE Secure for credit card processing. Suggesting that Authorize.Net is not PCI compliant is a disingenuous way of drumming up business for the “Evil Overlord.” The fact is, Authorize.Net is PCI compliant; their own site states:

“Authorize.Net also complies with payment industry-specific requirements known as the Payment Card Industry Data Security Standard (PCI DSS v1.1). Our Qualified Security Assessor is Trustwave and we completed our most recent audit in May 2008.”

Visiting the Authorize.Net website and verifying their compliance is so easy, even a monkey can do it.

PCI Compliance Myths

One myth about PCI compliance is that every merchant must go through the same full PCI compliance process. The fact is, if you use a third-party payment gateway such as Authorize.Net or PayPal, and the card number is entered on the gateway’s hosted page (or your customer is redirected to it) rather than on a form on your own server, then the gateway is the party that stores, processes and transmits the cardholder data, and it is the gateway, as a service provider, that must be assessed against the full standard. What is left for you is the short self-assessment questionnaire for fully outsourced merchants (SAQ A), not an audit. The caveat: a cart that takes the card number on your own checkout page and forwards it to the gateway is transmitting cardholder data through your server, and that puts your server back in scope.

Another myth is that not only must you be PCI compliant, but you must also use a PCI compliant hosting provider. Again, if you use a third-party payment gateway such as Authorize.Net or PayPal in the way described above, then no cardholder data is stored, processed or transmitted on your host’s servers, and neither you nor your hosting provider needs a PCI compliant hosting environment.

What is required?

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org), the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document, cardholder data includes the primary account number (PAN), cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN block. Note that sensitive authentication data may never be stored after authorization, even by a party that is otherwise compliant.

In short, if you or your hosting provider collect, store, process or transmit cardholder data or sensitive authentication data, then you and your hosting provider must be PCI compliant. Any one of those activities is enough to bring a system into scope.

PCI Compliance does not mean Breach-Free. “It’s a mistake for anyone to equate compliant with impossible to breach,” says David Taylor, CISSP and founder of the PCI Knowledge Base. “There is no way that a committee that has to consider what is “reasonable” and “affordable” to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet,” Taylor says.

If a hosting provider, and a merchant using that hosting provider, do not collect, store, process or transmit any data that falls under the requirements of PCI, then neither host nor merchant must comply with the PCI Data Security Standard Requirements and Security Assessment Procedures beyond the self-assessment described above.

Don’t let anyone sell you PCI compliant hosting you don’t need. If you use a third-party payment gateway, keep card numbers off your own forms, and are happy with the service the gateway provides, then there is nothing further to buy. That being said, there is no reason why you should not ask your hosting provider whether they collect, store, process or transmit any data that falls under the requirements of PCI, and if they do, whether they are PCI compliant. There is always the chance that a hacker can break in and steal credit card data. If the hosting provider is not PCI compliant, the hosting provider could be fined, which could cause the provider to shut down and leave you and your business in limbo.
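One practical way to answer the question above for yourself, rather than taking a vendor’s word for it, is to scan what actually lands on your server. The following is an added example, not code from the original post and not part of CRE Loaded or any gateway’s software: it takes lines from web access logs, captured form posts or a database dump, finds digit runs that pass the Luhn check (the checksum every PAN carries), masks them, and flags lines that also carry a sensitive-authentication-data field name such as CVV. The sample lines are constructed for the example, and the field names cc_number and cc_cvv are assumptions, not CRE Loaded’s actual field names. A clean scan is evidence that no cardholder data is being stored, processed or transmitted on the host; a hit means the server is in scope regardless of which gateway is used.

```python
import re

# Constructed sample input (not real data): an access-log line, a captured form
# post, an SQL dump row, a PayPal-style order note and assorted non-card digits.
SAMPLE_LINES = [
    '203.0.113.5 - - [19/Aug/2009:10:15:02 -0500] "GET /checkout_success.php?order=1042 HTTP/1.1" 200 5120',
    'POST /checkout_payment.php cc_number=4111111111111111&cc_cvv=123&cc_expires=0911',  # field names assumed
    'INSERT INTO orders VALUES (1042, "Jane Doe", "4012 8888 8888 1881", "12/10")',
    'order 1043 paid via PayPal, txn 5KL49482NU2253441',
    'phone 5551234567, zip 90210, tracking 1Z999AA10123456784',
]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
DIGIT_RUN = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Field names that indicate sensitive authentication data (must never be stored after authorization).
SAD_FIELD = re.compile(r'(?<![a-z0-9])(cvv2?|cvc2?|cav2|cid|pin|track[12]?|magstripe)(?![a-z0-9])', re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every candidate PAN in text: a 13-19 digit run that passes Luhn."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only first six and last four digits, the most the standard permits to be displayed."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan(lines) -> list:
    """Report each line carrying a PAN, masked, and whether a SAD field name sits on the same line."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append({'line': n, 'pan': mask(pan), 'sad': bool(SAD_FIELD.search(line))})
    return findings


def in_scope(lines) -> bool:
    """True if any cardholder data was found: the system storing/transmitting these lines is in PCI scope."""
    return bool(scan(lines))


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        flag = ' (sensitive authentication data present)' if f['sad'] else ''
        print(f"line {f['line']}: PAN {f['pan']}{flag}")
    print('in scope' if in_scope(SAMPLE_LINES) else 'no cardholder data found')
```

Run it against a day of access logs, the raw POST bodies your cart writes, and a dump of the orders table. PayPal transaction IDs, phone numbers and tracking numbers do not trip the check because they are either too short or fail Luhn, so a hit is worth investigating; the second sample line shows the worst case, a card number and its CVV both passing through the merchant’s own checkout script.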

The majority of our customers prefer PayPal as their payment processor. Therefore, we do not collect, store, process or transmit cardholder data or sensitive authentication data. All merchants using our shared hosting services also use third-party payment gateways. What does this mean? Our shared hosting services will continue to be affordable. Within the next 30 days or so, we will start offering PCI compliant dedicated solutions. However, we will continue to offer affordable dedicated solutions to those customers who prefer to use a third-party payment gateway. Hosting your eCommerce website does not have to be an expensive process. Shelling out $500/month for a PCI compliant hosting provider is unnecessary.

What to look for in a hosting company

October 26, 2008 in Hosting by SupremeCenterHosting  |  No Comments

Type “hosting” at Google and you will find that there are currently 439,000,000 results for the search term, so you should not have any trouble finding the perfect host for you and your website. However, it’s always best to start by asking friends or family who already have a website who they recommend. A good review from someone you trust is far more valuable than reviews from people you don’t know. Visiting the countless hosting review sites can be a little daunting, and the fact is, you will find that many of them “recommend” the same 5-10 hosting companies. The reason is that hosting companies pay for the reviews or for featured listings.

Before you decide on a host, make sure that the host is trustworthy and reliable; it is always worthwhile noting how long the company has been in business. Unfortunately, anyone can set up a web hosting company, and unless you ask the right questions you will not be able to judge the competence of any hosting company.

If you are new to websites and web hosting in general, it would be wise to host your sites with an established web hosting company. They are used to dealing with less technically adept customers and are willing to go the extra mile. Due to their size, an established host is normally more flexible when it comes to upgrading your hosting plan and providing a payment plan of your choice, and they have more servers available than the smaller hosting companies.

It may also be wise to pick a host that offers some support for the application you plan on using. Most hosts will not provide support for third-party applications such as WordPress, Joomla or osCommerce, so you may not have them to rely on should something go wrong. Supreme Center Hosting is one of the few hosting companies that provides limited support for many open source applications, and some hosts will even provide free professional installations of popular applications. Another suggestion is to choose a host that offers additional products and services such as SSL certificates, website programming or managed services; you never know when you might need them, and your host will normally give discounts to existing customers.

When looking for a host, first decide how much disk space and bandwidth you might need. This is not normally a deal breaker, as you can always upgrade your plan should the need for more space or transfer arise. However, you do want to make sure that the host you plan to use and the plan you choose have the correct specs for the application you plan to run; you don’t want to choose a Unix host when you plan on using an application coded in ASP.

If you are currently hosting a website and are planning on moving to a new hosting provider, it is wise to look for a host that can help you with the transition. Many hosting companies, such as Supreme Center Hosting, provide free transfer services for customers who are using cPanel. This makes the transition that much easier, and you will have less to do in order to get your site up and running with your new host.
