
PCI compliance?



jmelson
08-17-2009, 06:20 PM
I just got bugged to get into PCI compliance. I tried to do their questionnaire, but I ran into two problems right away. They need for the computer with osCMax to not be connected to any other computer in my network, which sounds pretty strange, and is going to be hard to do on my network connection. I don't believe it is even possible to get a second network connection at my residential location.

Second, they require me to keep NO ELECTRONIC RECORDS whatsoever on my customers. I assume exchanging emails with customers would even violate these rules. I can only keep paper records with any customer information, including name, address, phone #, etc.

Since I am using a payment gateway, I don't even see their credit card #.

Anybody figured out how to deal with this? If there's no way around it, I will have to shut down my store.

If this is the wrong place to ask, just point to the right place.

Thanks,

Jon

jpf
08-18-2009, 11:44 AM
You failed with this line:

I don't believe it is even possible to get a second network connection at my residential location.

I would spend the $50/yr+ to host in a proper facility that has managed servers as that will harden your site much better.

Yes, being PCI compliant when self-hosting would be difficult, if not impossible.

You need to use a proper firewall and map incoming IP & port address to a specific internal IP address. Then be issued 2 or more IP addresses from your provider.


I would NEVER recommend self-hosting on a NON-business-class line for a novice user.

jmelson
08-18-2009, 05:25 PM
You failed with this line:

I don't believe it is even possible to get a second network connection at my residential location.

I would spend the $50/yr+ to host in a proper facility that has managed servers as that will harden your site much better.

Yes, being PCI compliant when self-hosting would be difficult, if not impossible.

You need to use a proper firewall and map incoming IP & port address to a specific internal IP address. Then be issued 2 or more IP addresses from your provider.


I would NEVER recommend self-hosting on a NON-business-class line for a novice user.
OK, false alarm! I didn't understand the terminology, and made a couple of wrong selections when starting out on their PCI compliance questionnaire. Because I am using a payment gateway, I don't have to comply with the most severe requirements. I have a business-class cable modem ISP service with a static IP, but they only give me one IP. It costs a LOT more to get the next tier, 5 static IPs. But I don't need that. I have osCMax set up so only one specific node, only on my LAN, can even access the admin page. I also have a firewall with some special settings of denyhosts to kick off all the hackers by putting them on the hosts.deny list on their second attempt. I used to have professional bank hackers trying to get in; now they can't even make an initial connection.

So, I am back to normal.

Thanks,

Jon

jpf
08-18-2009, 07:34 PM
Good to hear that! Sounds like you know what you're doing. Proceed with caution if self-hosting. I find a hosted solution is cheaper for most people than self-hosting with proper speed and H/W, etc.

JohnW
08-30-2009, 11:00 AM
You can get a free PCI compliance scan from Comodo that you could do on your own in case you are interested. I went through this about a year ago, but not storing CC data eliminates most of the concerns. Make sure customers can't establish an SSLv2 connection, because that's a deal breaker for many.

I agree with jpf that a good hosting solution and eventually a dedicated server is money well spent for an online business.
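The SSLv2 point above is easy to verify yourself before a scan. The script below is an added example, not code from anyone in this thread: since modern OpenSSL builds cannot speak SSLv2 at all (so `openssl s_client -ssl2` no longer works), it sends a raw SSLv2 ClientHello to a server and classifies the first bytes of the reply. The host name, port and the byte strings in the test are assumptions/constructed for illustration.

```python
"""Check whether a web server still accepts SSLv2 (added example, not from the thread)."""
import os
import socket
import struct
import sys

# SSLv2 cipher specs are 3 bytes each; a server that still supports SSLv2
# answers this offer with an SSLv2 ServerHello (message type 0x04).
SSLV2_CIPHERS = [
    b"\x01\x00\x80",  # SSL2_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL2_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL2_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL2_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL2_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL2_DES_192_EDE3_CBC_WITH_MD5
]

def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 record: 2-byte header with the high bit set, then the ClientHello body."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION = SSLv2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # spec/session/challenge lengths
            + ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_response(data: bytes) -> str:
    """Turn the first bytes the server sends back into a verdict."""
    if not data:
        return "rejected: connection closed"
    if data[0] == 0x15:                               # TLS alert record (handshake_failure etc.)
        return "rejected: TLS alert"
    if data[0] & 0x80 and len(data) > 2 and data[2] == 0x04:  # SSLv2 ServerHello behind a 2-byte header
        return "ACCEPTED: server speaks SSLv2 (PCI scan will fail)"
    return "unknown response"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv2 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    # Hypothetical usage: python sslv2_check.py shop.example.com
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Only "rejected" verdicts are acceptable for a storefront; anything starting with "ACCEPTED" means SSLv2 must be disabled in the web server's TLS configuration before the compliance scan.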