I need to know if Jaguar is PCI compliant, and if not, does Jaguar expect to be, and when.
This is a discussion on PCI Compliance in the Shared & Semi-Dedicated forum
We do not have a current PCI compliance certificate, nor do I have a timeline for when we would, although it is something we have on our list to accomplish.
Les, Chief Operations Officer
Your best bet for PCI compliance is to get a VPS and secure it yourself. It's not too incredibly hard, and for the most part you just have to make sure to keep updated.
Then again, I don't do any high level compliance--I try to touch CC data as little as possible and put all of the hard compliance on the gateway... If you want to store cardholder data, you're crazy.
Currently I process transactions offline - CC data is stored only briefly, usually under an hour. Most often, it is less than ten minutes if I am at my computer, which is most of the time unless I am sleeping.
I guess what I am going to end up having to do is go with a service like cre, since it doesn't appear that Jaguar will be PCI compliant anytime soon.
Whether JaguarPC is PCI compliant or not has no effect on your hosting plan. If you go through the checklist of PCI compliance, no shared hosting plan can become PCI compliant, by the very nature of "shared" hosting. You have to be on your own servers to lock them down to be PCI compliant. A lot of our clients go through PCI compliance without any problem. We are as PCI compliant as can be! You have to choose an appropriate hosting plan that can become PCI compliant. A VPS is a good starting point.
Unless they have changed it in the last 8 months, that is only true for Level 1-3 Merchants. Level 4 Merchants should have no problems on a Shared Host, provided the Shared Host has the proper libraries and passes the other tests (none of which require dedicated hosting, just a dedicated IP and SSL).
I've read the thing, and while a shared host *should* be able to pass the level 4 compliance audit, they can't. It's stupid, but the reality is: shared hosting doesn't work for vendors taking credit card data. I can't remember exactly what it was that shared hosting violates, but it's just one thing; however, the credit card companies aren't going to let you get away with it.
It's best just to get a VPS and make sure you keep it updated.
I know of many hosts (do a search) that offer PCI Shared Hosting; it is possible.
Most failures of PCI Compliance are not on the server anyway, but in the application or the handling of the data, i.e. emailing card numbers, storing CVV, storing unencrypted personal data, storing data at all (if you're Level 4), etc.
If you're a Level 4 Merchant you should be just collecting the data, passing it via cURL to the gateway, deleting the data from RAM and processing the result. The card data should never leave the server RAM...
If you're doing anything other than that on a shared server, you're not likely to pass.
At the server level, they are looking for a current SSL lib, apps that run under the user ID (i.e. no mod_php or other scripts that run as apache), up-to-date security libs, log or audit trails, and a policy on forensic auditing.
I'm not following -- TA, are you saying that a level 4 merchant should be able to be compliant on a Jag shared/SDX server, or that they can't, but that's not inherent in shared hosting?
I'm trying to build a shop for someone who is on a pretty tight budget and would like to use Paypal Website Payments Pro (b/c he's already doing a lot with Paypal).
I'm leery of being responsible for keeping a VPS up to date to maintain PCI compliance, because I'm still a little dizzied by the whole PCI thing.
Copyright © 2011 JaguarPC.com