Do the developers of CRE Loaded understand PCI Compliance?

August 19, 2009 in eCommerce by SupremeCenterHosting  |  2 Comments

The CRE developers recently released their CRE Loaded 6.4 PCI edition, touting full compliance with the Payment Card Industry (PCI) security rules. I won’t discuss the fact that v6.4 was released unfinished with bugs, and in fact, security issues. I do however want to focus on their lack of knowledge of the PCI security rules, or their inability to properly educate their customers on compliance.

A customer recently spoke with Michael Miller, head of CRE Developement, and was told that she needed to be PCI compliant and suggested she use CRE Secure. He also stated that she needed to use a host that was also PCI Compliant and recommended that she use their PCI compliant hosting partner – at a cost of $500/month. This customer explained to Mr. Miller that she does not collect credit cardholder data on her site and uses third-party payment gateway Authorize.Net to process payments. Mr. Miller stated that Authorize.Net is Not PCI compliant. Six days later, CRE made an about face and released a newsletter titled “CRE Loaded Announces PCI Compliance Connection to Authorize.Net.” Within the newsletter, CRE writes:

“CRE now connects directly to Chase Orbital and Authorize.Net If your current gateway is not listed above, ask your current merchant bank provider how you can easily make the switch over to Authorize.Net.”

I’m confused. CRE is creating a “PCI Compliance Connection” with, according to Michael Miller of CRE, a third-party payment gateway that is Not PCI Compliant? It is clear to me that Mr. Miller wanted my customer to use their CRE Secure for credit card processing. Suggesting that Authorize.Net is not PCI Compliant is a disingenuous way of drumming up business for the “Evil Overlord.” Fact is, Authorize.Net is PCI Compliant:

“Authorize.Net also complies with payment industry-specific requirements known as the Payment Card Industry Data Security Standard (PCI DSS v1.1). Our Qualified Security Assessor is Trustwave and we completed our most recent audit in May 2008.”

Visiting the Authorize.Net website and verifying their compliance is so easy, even a money can do it.

PCI Compliance Myths

One myth about PCI Compliance is that every merchant must be PCI Compliant. Fact is, if you use a third-party payment gateway such as Authorize.Net or PayPal, then you are not required to be PCI Compliant – the third-party processor is.

Another myth is you, not only are you required to be be PCI Compliant, but you must also use a PCI Compliant hosting provider. Again, if you use a third-party payment gateway such as Authorize.Net or PayPal then you, and your hosting provider, are not required to be PCI Compliant.

What is required?

As described in PCI Data Security Standard Requirements and Security Assessment Procedures (available at, the PCI Data Security Standard is intended to protect cardholder data and sensitive authentication data. As described on page 4 of that document, cardholder data includes the primary account number, cardholder name, service code and expiration date, while sensitive authentication data includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, and the PIN/PIN Block.

In short, if you and your hosting provider collect, store, process and transmit cardholder data and sensitive authentication data, then you and your hosting provider are must be PCI Compliant.

PCI Compliance does not mean Breach-Free. “It’s a mistake for anyone to equate compliant with impossible to breach,” says David Taylor, CISSP and founder of the PCI Knowledge Base. “There is no way that a committee that has to consider what is “reasonable” and “affordable” to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet,” Taylor says.

If a hosting provider, and merchant using that hosting provider, does not collect, store, process, and transmit any data that falls under the requirements of PCI, then neither host or merchant must comply with the PCI Data Security Standard Requirements and Security Assessment Procedures.

Don’t let anyone sell you on the idea of PCI Compliance. If you use a third-party payment gateway, and are happy with the service they provide, then you do not need to do anything. That being said, there is no reason why you should not ask your hosting provider if they collect, store, process, and transmit any data that falls under the requirements of PCI, and if they do, are they PCI Compliant? There is always that chance that a hacker can break in and steal credit card data. If the hosting provider is not PCI Compliant, the hosting provider could be fined – causing the provider to shut down, leaving you and your business in limbo.

The majority of our customers prefer to use PayPal as their preferred payment processor. Therefore, we do not collect, store, process, or transmit cardholder data or sensitive authentication data. All merchants using our shared hosting services also use third-party payment gateways. What does this mean? Our shared hosting services will continue to be affordable. Within the next 30-days or so, we will start offering PCI Compliant dedicated solutions. However, we will continue to offer affordable dedicated solutions to those customers who prefer to use a third-party payment gateway. Hosting your eCommerce website does not have to be an expensive process. Shelling out $500/month for a PCI compliant hosting provider is unnecessary.

Why it is important to backup your website data

November 10, 2008 in Hosting by SupremeCenterHosting  |  No Comments

We had a server outage last week that effected about 25 shared hosting customers due to a hard drive failure. Coincidentally, the Supreme Center Hosting corporate websites were also down when our drive failed as well. Anyone in this industry, or who has had a website for any length of time knows that hardware failures are as incalculable as is mother nature. We emailed updates to the effected customers almost daily and had suggested that, if any customer had a backup of their account, even a home directory and database backup, to please email us so that we could get their data restored on new servers. Needless to say, we here at Supreme Center hosting spent countless hours working to restore all effected customers, but our effort was ineffective. Fortunately, we had enough data in our office to restore 19 customer accounts – the remaining 6 were a total loss due to corrupt remote backups. Our corporate data, including site files and databases which included customer data, account info etc, was also lost.

Why tell everyone about the hard drive failures and loss of data? Are you trying to scare customers away? No. I say this simply because some lessons are better learned the hard way. The failure of hardware and loss of data was frustrating to me to say the least. What I found to be more frustrating was how many of the 25 effected customers that had absolutely no backups of any kind. There was one customer who was clever enough to backup his files, but failed to backup the databases for his dozen or so websites. Customer data is obviously important to any hosting provider. Important enough that we do daily backups and weekly remote backups of data. However, that can not in anyway be considered a fail-safe, anything can happen and in this case, it did.

Each effected customer who’s account we could not restore emailed and pleaded with us to restore their data. Each one seemed genuinely concerned about their website and obviously their data was important to them, but not important enough to take the time to backup do a full backup of their account. Not even a home directory or database backup was produced by the 6 customers who lost all their data. I am not about to suggest that a single one of them is unintelligent. I do have to ask how it is possible for someone to pay for shared hosting, create a website and then not do anything to protect their investment. I ask myself, “self, how is it possible that so many of your customers failed to backup their precious data?”

Some of you are probably asking yourself… “didn’t he say that Supreme Center Hosting lost their data as well?” Aahhh yes, it is true we were effected also. However, we do an additional account backup of our data which is stored separately from customer data. Therefore, we were able to restore our sites and get back on line without a hitch. Seeing as we offer our hosting customers cPanel, it is just as easy and painless for all our customers to backup their data too.

I kept asking myself, “why don’t these customers have backups of their data?” It occurred to me that website data is probably as important to most people as is other possessions you might have in your home. So, would you:

1. Go out of town on vacation and leave your door and windows open?
2. Place your important documents [insurance papers, will, stock certificates] in a cardboard shoe box and leave it next to your fireplace?
3. Store all your family heirlooms and photos next to your water heater?

I am willing to bet that most of you would lock up when leaving on vacation, would keep your important papers in a safe or something similar and would store your family heirlooms and photo’s in an area that is free from humidity and/or a water source. So, why is it that so many people don’t take the same precautions with their website data? Its hard to replace that one-of-a-kind photo. Costly to have your will rewritten or your furniture replaced. There is a reason we use the word “invaluable” when describing certain things we find important to us.

Lesson learned, we hope. In light of the recent loss of data we have implemented a mandatory, but unenforceable rule. All our customers are “required” to backup their data. The rate of backup should depend on how often you work on your site. Sites that are not modified often can probably get away with a monthly full backup. Sites where files are rarely modified, but a database is used, than a database backup should be taken at least weekly. If the database is updated frequently than the database backup should also be more frequent and it is suggested that it be done daily. However, you should still be doing a full account backup at least weekly.

What is the moral of this story? I have always said this to people in forums, email and even on the phone… backup, backup, backup. If you are not sure, backup. If you just did a backup, it does not hurt to backup again. One can never have enough backups.