I would like to follow up on this question now that I am looking at PCI compliance issues myself.

PCI compliance involves a chain of providers, so according to my understanding, in order to be PCI-compliant on Slicehost, Slicehost itself must be PCI-compliant as a "service provider." (Slicehost must be PCI-compliant as a "merchant" as well in order accept credit cards from its customers. But from the perspective of a Slicehost customer wanting to be compliant, the "service provider" classification is what is relevant.) For service providers, there are some specific provisions pertaining to web hosts ("PCI DSS Applicability to Hosting Providers"). There are also requirements related to the data center such as the requirement that "cameras monitor sensitive areas" and "data from video cameras be stored for at least three months."

So, question #1 is: Is Slicehost a PCI DSS-compliant web host? And if so, how does one acquire documentation from Slicehost certifying this to be the case.

In addition, it is unclear if there is a distinction to be made between dedicated servers and virtual servers. Does anybody know?

And then there's the requirement that "only one primary function is implemented per server (for example, web servers and database servers are implemented on separate servers)." Which seems to imply that it is impossible to be PCI-compliant if you run your entire application stack on a single server (or slice).

This whole PCI DSS thing seems to get more complicated every time I look at it. For example, it looks to me like any provider of e-commerce-related services falls under the "SAQ D" heading, which requires the completion of the most complicated self-assessment questionnaire (37 pages and over 200 questions!)

I would love to hear from anybody who has gone through the PCI compliance process with hints, tips and answers to the above questions.

PCI-DSS does require anti-virus software be installed...

Would still like to hear from Matt re: my questions about PCI compliance on Slicehost (see above). Thanks.

Just out of curiosity, why not offload the PCI-DSS compliance to a gateway, e.g. Authorize.net?

@joek & depill:

My understanding: If you accept credit card info on your own server -- even if you don't store it and are just passing it to a gateway -- you have to be compliant. The only way to process payments and avoid dealing with PCI is to outsource your payment needs to a company with a fully hosted option (like PayPal etc.) so that no card info ever hits your server.

Visa sets a service provider limit of 300,000 transactions per year (not $ volume). Level 1 > 300k, Level 2 < 300k. Here's the link:

http://usa.visa.com/merchants/risk_management/cisp_service_providers.html

So for a service provider to be compliant, you must do a quarterly scan with Level 1 requiring validation by a 3rd party and Level 2 only requiring a self-assessment.

The AV software is required of merchants, not necessarily service providers, the way I read it.

Joe

I'd also like to learn more about this. It would probably be best if we heard from someone that has actually gone through the process of signing up with a payment gateway provider such as authorize.net, trustcommerce or braintree

I'm working through this PCI DSS compliance thing as well, and can confirm that, even if you aren't doing the payment processing and aren't storing any credit card data, if the payment information lands on your server before you pass it on to Authorize.net / Beanstream, you need to be PCI compliant. Makes sense, as (for example) if you don't use an encrypted connection on your server, customers will be sending their credit card information in the clear to your server, even if it travels encrypted to the payment gateway.

However, to me, PCI compliance should be fairly straightforward for someone who simply passes payment information on to the payment gateway and doesn't store credit card data (this makes you a "Level 4" merchant, if I'm right). For some reason, the Self-Assessment Questionnaire for Level 4 goes on and on about not storing credit card data unencrypted, protecting access to credit card information, having antivirus software installed to protect against credit-card-stealing viruses... Hey! Didn't you hear?? I'm NOT STORING CREDIT CARD INFORMATION.

Maybe I'll return and post a follow-up when this is all said and done.

ilikepi -- You and I both know the software firewall used by Slicehost is just as effective as a hardware firewall. Unfortunately I suspect the similarities are lost on the PCI DSS people. The requirements says hardware fire wall. Software firewall is not a hardware firewall so not good enough. End of story.

Having spent more time reading through the DSS spec, I see it is very focused on a particular model - a large company with an IT department which host its own server. The servers are on site controlled by the IT departement. Much of the document is about protecting the servers from the Internet and isolating from the rest of the company internal network. Anything outside this model is hard for companies which do audits to understand. My merchant account providers directed me to securitymetrics.com. They asked me I the server doing the processing was on site. I said no. They immediately said it was a third party processor. I tired to explain while the server was not on site it was still controlled by my company. They did not really understand. The guy thought I then belonged in the lowest category of SAQ-A evalutation. I think that is more for people who use something like Yahoo or PayPal for processing. More research required.

danielshorten - Levels 1 -4 are based on the number of transaction. A level 1 is Amazon with 6 million transactions per year. Level 2 is one to six million per year. Level three is 20,000 to one million transactions per year. Level 4 is less than 20,000 Visa or MasterCard e-commerce tranactions per year or less than 1 million tranactions total (e-commerce and brick and mortar). The storage of account numbers is independent of the level. Not storing number is suppose to make is much easier to get certification. I cannot figure out exactly what rules apply where. For example Requirement 1 talked about "The cardholder data environment" but does not help us out by defining. Specific example: Requirement 1.2.1.a states:

"Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented."

Does this only apply if you keep account numbers? I have no idea.

wcoolnet - Our company has gone though the process of signing up a gateway (authorize.net) and a merchant account (First Data). We have been up and running for about 5 months. Got a letter from first data a couple of weeks ago about rate increases and changes in our plan. In there was a notice about PCI compliance. So it is further down the road that the problem arises (at least for us).

Anyone had any luck with finding an "approved scan vendor"? Any experiences to share?

Thanks for any help!

How is it that a ecommerce framework like Magento has an option to store CC info out of the box?

That FAQ is incorrect. Payment applications are subject to the PA-DSS which is, if anything, even more stringent than PCI-DSS.

http://www.magentocommerce.com/knowledge-base/entry/how-can-i-capture-credit-card-information-without-a-payment-gateway1

Strange that that is even close to legal?

Artagesw,

Your posts contradict themselves - you said:

That FAQ is incorrect. Payment applications are subject to the PA-DSS which is, if anything, even more stringent than PCI-DSS.

Then you said:

This is why we have started to see payment processing vendors sprouting up who will do this for you. They will collect and save the credit card information on their servers and return a token for your application's use in processing transactions against their gateway. The cost and burden of maintaining PCI-DSS and PA-DSS compliance then rests with them.

Is the difference that those payment gateways host the page?

@artagesw: Sorry, you can't scare people with that for people which have to store CC info they can expect bills for up to 6 figures ( I guess you are talking about US dollars ). I am going trought exactly this process, I will sadly probally have to leave Slicehost, since the agent which does the exam's for me want's me to be able to proof that my servers are in a secure environment so I am going to colo a server which I have at the local biggest local TelCo ( I will probally run VMware on it, so I don't have to rent a lot more rack space ( this way only 1U ) )

The whole process will cost me, SSL certificate $29 dollars, startup cost for CoLo 35.000 ISK, monthly cost for CoLo 20.000 ISK, outtake of credit card web ( more extensive than PCI-DSS ( it's basicly 4 man-hour labor cost, you pay extra if it need's more extensive exams, exam's are both for the hosting environment and the software it self) ) 25.000 ISK yearly, then I pay my processing partner a yearly fee of 3.000 ISK for the credit card processing account, which includes the fee for "Boðgreiðslur" ( 1.99% transaction fee ) via Web API. It's basicly an API thought out for monthly payment's but not single transaction.

So my total cost is
USD: $29 dollar yearly ( SSL )
ISK: 268.000 ISK yearly ( biggest part of the cost I will be able to share with multiple web sites ( CoLO cost ) ). At the current very weak Króna it is about $2233. At "normal" rate it is about $3350 yearly total cost.

I write the software my self ( I am a developer ) so I don't calculate the software cost....

So for storing CC's is no where near 6 figures.... But @ least for me here in Iceland with an Icelandic partner doing the PCI-DSS exam I seem to be not able to use Slicehost, since I don't control the physical server. And if I would go with an dedicated server some where else I would have to get a written statement from the hosting partner that they fufill all the requirements. ( My local TelCo fufills all the requirements. And it's much easier because it's an local company )

Authorize.net also provides a "vault" to store customer CC's. And their sign-up costs aren't nearly as high as Braintree's.

@depill: Not trying to scare anyone. I should clarify. If someone is going to use Magento (for example) to offer a hosted ecommerce service **to other merchants**, that use case classifies as a service provider/payment application. Getting and maintaining certification for a payment application (PA-DSS) is what I was referring to when I mentioned 6 figures. And it is not an exaggeration. You must have your source code constantly audited by a 3rd party, you must have a qualified assessor do regular **on-site** checks of your server infrastructure, etc. It is **very** expensive.

On the other hand, if you are a simple merchant and you only process credit cards on your own behalf, then you must comply with the PCI-DSS. The specific compliance requirements and associated costs will depend on what level of merchant you are (how many transactions you process per month), whether or not you store credit card data on your own servers, etc. Complying with PCI-DSS is typically less expensive than complying with PA-DSS.

As others have mentioned, the way to avoid most of this is to find a merchant processor or gateway provider that provides these services for you. For example, the Braintree solution (which I am not familiar with) sounds like a typical example of a hosted payment application. Braintree is shouldering the burden of complying with the PCI-DSS and PA-DSS requirements, and their business model will be structured to recover the associated costs from their customers.

the braintree's transparent redirect is so stupid simple i wonder why all the gateways don't offer it. Is there some technical difference between receiving a CURLed POST as opposed to a browser POST? Seems like it would be the same data.

I'm a little concerned with what braintree's pricing might be (supposed to meet with a rep tomorrow (4/20). I saw a good review online but in the comments someone mentioned needing to do at least $100k of biz per month to meet minimums.

So in an effort to figure out a way to avoid POSTing the CC info to my slice and then CURL posting that on to authorize.net and consequently mimic Braintree's functionality, i setup a test page on my SSL site that POSTed in Authorize.net's SIM payment page in an iframe. The thought being that i could wrap whatever I needed around it.

I thought this would bomb out and a get a browser warning, but neither FF3 nor IE7 seemed to care at all. Both displayed the locks with no warnings and click on the security info just showed the data for my site.

Seems a little shaky - can anyone comment on it?

Joe

Anyone hear of http://chargify.com/? Or can someone recommend a similar service?

Thanks for the Braintree recommendations! We'd love to talk to any dev using Slicehost. Much like Slicehost is server hosting "Built for Developers", we're a payment gateway that is built for developers. We make PCI compliance and integration as nice and easy as possible. Check out http://bit.ly/braintree-api and keep in mind when selecting a payments provider that not all providers will give your data back to you if you want to leave. We created a credit card data portability standard to start a movement to address this http://bit.ly/a2uEvm .