The CRE developers recently released their CRE Loaded 6.4 PCI edition, touting full compliance with the Payment Card Industry (PCI) security rules. I won’t discuss the fact that v6.4 was released unfinished with bugs, and in fact, security issues. I do however want to focus on their lack of knowledge of the PCI security rules, or their inability to properly educate their customers on compliance.
A customer recently spoke with Michael Miller, head of CRE Development, and was told that she needed to be PCI compliant and suggested she use CRE Secure. He also stated that she needed to use a host that was also PCI Compliant and recommended that she use their PCI compliant hosting partner – at a cost of $500/month. This customer explained to Mr. Miller that she does not collect credit cardholder data on her site and uses the third-party payment gateway Authorize.Net to process payments. Mr. Miller stated that Authorize.Net is Not PCI compliant. Six days later, CRE made an about-face and released a newsletter titled “CRE Loaded Announces PCI Compliance Connection to Authorize.Net.” Within the newsletter, CRE writes:
“CRE now connects directly to Chase Orbital and Authorize.Net If your current gateway is not listed above, ask your current merchant bank provider how you can easily make the switch over to Authorize.Net.”
I’m confused. CRE is creating a “PCI Compliance Connection” with, according to Michael Miller of CRE, a third-party payment gateway that is Not PCI Compliant? It is clear to me that Mr. Miller wanted my customer to use their CRE Secure for credit card processing. Suggesting that Authorize.Net is not PCI Compliant is a disingenuous way of drumming up business for the “Evil Overlord.” Fact is, Authorize.Net is PCI Compliant:
“Authorize.Net also complies with payment industry-specific requirements known as the Payment Card Industry Data Security Standard (PCI DSS v1.1). Our Qualified Security Assessor is Trustwave and we completed our most recent audit in May 2008.”
Visiting the Authorize.Net website and verifying their compliance is so easy, even a monkey can do it.
PCI Compliance Myths
One myth about PCI Compliance is that every merchant must be PCI Compliant. Fact is, if you use a third-party payment gateway such as Authorize.Net or PayPal, then you are not required to be PCI Compliant – the third-party processor is.
Another myth is that not only are you required to be PCI Compliant, but you must also use a PCI Compliant hosting provider. Again, if you use a third-party payment gateway such as Authorize.Net or PayPal, then you, and your hosting provider, are not required to be PCI Compliant.
What is required?
As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at https://www.pcisecuritystandards.org), the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document, cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.
In short, if you and your hosting provider collect, store, process and transmit cardholder data and sensitive authentication data, then you and your hosting provider must be PCI Compliant.
PCI Compliance does not mean Breach-Free. “It’s a mistake for anyone to equate compliant with impossible to breach,” says David Taylor, CISSP and founder of the PCI Knowledge Base. “There is no way that a committee that has to consider what is “reasonable” and “affordable” to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet,” Taylor says.
If a hosting provider, and a merchant using that hosting provider, do not collect, store, process, or transmit any data that falls under the requirements of PCI, then neither host nor merchant must comply with the PCI Data Security Standard Requirements and Security Assessment Procedures.
Don’t let anyone sell you on the idea of PCI Compliance. If you use a third-party payment gateway, and are happy with the service they provide, then you do not need to do anything. That being said, there is no reason why you should not ask your hosting provider whether they collect, store, process, or transmit any data that falls under the requirements of PCI, and, if they do, whether they are PCI Compliant. There is always the chance that a hacker can break in and steal credit card data. If the hosting provider is not PCI Compliant, the hosting provider could be fined – causing the provider to shut down, leaving you and your business in limbo.
The majority of our customers prefer to use PayPal as their payment processor. Therefore, we do not collect, store, process, or transmit cardholder data or sensitive authentication data. All merchants using our shared hosting services also use third-party payment gateways. What does this mean? Our shared hosting services will continue to be affordable. Within the next 30 days or so, we will start offering PCI Compliant dedicated solutions. However, we will continue to offer affordable dedicated solutions to those customers who prefer to use a third-party payment gateway. Hosting your eCommerce website does not have to be an expensive process. Shelling out $500/month for a PCI compliant hosting provider is unnecessary.