Are JAG shared servers PCI compliant? If so, how do we verify it?
Thanks,
Mike
This is a discussion on Is JAG PCI Compliant? in the Open Discussion & Chit-chat forum
PCI compliance is mainly on the software side. I would recommend not storing the data, period. Why do you need to store it? If you do need to, why not use a gateway vault? Most Internet gateway services (authorize.net being the largest) offer Customer Vaults to store account data for you.
I don't store the information and don't intend to. However, the requirements for compliance go beyond that. I have many more questions than answers, but here is what I understand, although I could be wrong.
I gather the credit card data on my web site and it is held briefly as session data. It is then transmitted to Linkpoint/YourPay for processing, then goes away when the session ends. The way I read the compliance requirements, the gathering and transmission of the data, and even the storing of the session data, puts me at a level of needing to verify compliance, even though I don't store it in a database. The "level" I'm referring to is the Self Assessment Questionnaire (A, B, C or D) that I'm required to fill out (https://www.pcisecuritystandards.org...ructions.shtml) to prove compliance. Questionnaire A is pretty easy, but the requirements are that I don't handle that cc data. The fact that I do puts me into Questionnaire C or D, which ask all kinds of questions about firewalls and antivirus software that I do not have answers to, since JAG handles all of that.
If, for a moment, I assume that I'm wrong about the session data, then I still need written verification from JAG that they are compliant since their servers handle the data, if only briefly. Once it gets to LinkPoint/YourPay, I'm good to go. It's that brief time that the data is being handled by my software on JAG's server that has me concerned.
Sorry to run on, but I'm trying to sort all of this out so I can gather the necessary info to verify compliance, and, as I'm sure you can tell, I don't totally understand the roles of all the players.
Thanks for listening.
Mike
This is the biggest problem I have with this so-called standard: talk to 10 people and you will get 10 different answers as to what is or is not "compliant" with the "standard". It is a poorly written excuse for a standard IMO....
But to my knowledge, if you're using an SSL cert for transmission to your site and then using cURL to transmit the data to your gateway through an SSL connection, you're fine as far as the PCI DSS.
Why are you concerned about it? I have gotten many, many merchant accounts (just got another approved about 2 mos ago) and PCI never comes up. The only thing they want to know is if I have an SSL...
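As an added example (not code from this thread, JAG, or LinkPoint/YourPay), here is the "hold it briefly, send it over verified SSL, never keep it" pattern the replies above describe, in Python. The gateway URL and the JSON body shape are placeholders I made up; a real gateway's API will differ.

```python
import json
import re
import ssl
import urllib.request

# Hypothetical gateway endpoint (placeholder, not a real processor's URL).
GATEWAY_URL = "https://gateway.example.invalid/authorize"


def luhn_valid(pan: str) -> bool:
    """Catch typos before the number leaves the server (a sanity check, not security)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS allows you to display or log."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_gateway_request(pan: str, exp: str, amount_cents: int) -> urllib.request.Request:
    """Build the POST to the gateway; the body format here is an assumption."""
    body = json.dumps({"pan": pan, "exp": exp, "amount": amount_cents}).encode()
    return urllib.request.Request(GATEWAY_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def charge(session: dict, amount_cents: int, send=None) -> dict:
    """Pull card data OUT of the session (pop, not get), send it, return only masked data."""
    pan = session.pop("pan", None)
    exp = session.pop("exp", None)
    if pan is None or not luhn_valid(pan):
        return {"ok": False, "reason": "invalid card number"}
    # Default context verifies the gateway certificate chain and hostname.
    ctx = ssl.create_default_context()
    req = build_gateway_request(pan, exp, amount_cents)
    if send is None:
        send = lambda r: json.load(urllib.request.urlopen(r, context=ctx, timeout=10))
    gateway_reply = send(req)
    # Nothing returned or logged from here on contains the full PAN.
    return {"ok": True, "masked": mask_pan(pan), "gateway": gateway_reply}
```

The `send` parameter exists only so the flow can be exercised offline; in production leave it unset so `urlopen` with the verifying context is used.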
I have been informed by my bank, FirstData, that I must comply with the PCI DSS standards, and prove it via the Security Metrics procedure (questionnaire and site verification). If I don't have valid, passing test results by Nov. 1, they will start charging me $20/month for non-compliance.
Mike
There are several levels of PCI compliance. Unless you're doing several thousand credit card transactions per month you would be a level 4. Level 4 is not required to be PCI compliant at this time by the credit card companies.
If your merchant account provider decides to require PCI compliance they will notify you.
I suspect your cart software has as much to do with security as JAG's shared servers.
That's my point. They have notified me. They say that all (their emphasis) merchants are required to maintain compliance. The letter says I must become compliant by November 1 and maintain compliance. If at any time thereafter I am not compliant they will charge me $20/month.
Mike
But if you really want to know you will need to email JAG's sales dept to get an official response on this. But like I said, the DSS "standard", if you want to call it that, is 90% related to YOUR software, not the hardware...
They do have an arrangement with Security Metrics, although it seems to benefit us. The rate card on Security Metrics site for quarterly service is $700/year. We pay $140. I haven't shopped around, so I don't really know if the $140 is good, but it's certainly better than $700.
Your suggestion about contacting sales sounds like a good one. I'll give that a shot next. I tried a support ticket, but I don't think they understand what I'm talking about.
Thanks,
Mike
Looks like First Data signed a nice little kickback agreement in Sept:
http://www.securitymetrics.com/docs/...l_20080916.pdf
Do you process more than 20,000 transactions annually? (54 orders per day)
Not even close.
Then, according to Visa, you only have to complete the Self Assessment; you do not need the network scan, as you are a Level 4 merchant:
http://usa.visa.com/merchants/risk_m...html|Merchants
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
From everything I read you don't need a quarterly network scan unless you're over that level of transactions OR you're storing card data...
There are conflicting reports on whether it is even possible for shared hosting to be in compliance. I have read many reports of people having to be on a dedicated server before they were validated as "compliant".
The DSS does have a section on shared hosting, but it reads as if JAG will need to have all of their servers certified, which may be cost prohibitive at the $10/mo price point for hosting.
COMODO offers PCI compliance for $80/year and a free first scan:
http://www.hackerguardian.com/hacker...free_scan.html
http://www.hackerguardian.com/hacker...ompliancy.html
COMODO is a leader in SSL. It is the same company JAG uses for their SSL.
I read that, too. But this footnote adds some specific exceptions, both of which seem to apply to me:
*The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.
Apparently, my acquirer is behind the scan requirement, not Visa.
And I've been wrestling with the shared host issue. I have read, however (somewhere?), that there are shared hosts that claim compliance. I'll have to look into that further if it remains an issue. Not that I have any desire to leave JAG, but if it's true, maybe we can come up with a solution at JAG.
Mike
Copyright © 2011 JaguarPC.com