# PCI Compliant Hosting



## shovenose (Nov 15, 2013)

Looking for a place where I can host a Point of Sale system that accepts credit cards without spending an arm and a leg. US-based only, please.


----------



## XFS_Duke (Nov 15, 2013)

You need PCI compliant hosting? I can probably help you out with a few things. Do you have Skype? If so, add duke.xfs and we can talk about a few things.


----------



## zzrok (Nov 15, 2013)

A PCI compliant datacenter/host is only a small part of being PCI compliant.  Of course, what being PCI compliant requires depends on what you are planning to do.


----------



## concerto49 (Nov 15, 2013)

Our data center in Dallas has PCI compliance. We have the full report, but like others say, that doesn't automatically make you PCI compliant.


----------



## shovenose (Nov 15, 2013)

I understand that it's just one facet of a system being PCI compliant. But obviously the hosting service, hosting company, datacenter, and everybody in between has to be PCI compliant.


----------



## XFS_Duke (Nov 15, 2013)

Generally, datacenters are PCI compliant in a few factors. The main one is data access restrictions. Others are far more complex, but generally they are compliant. I think it has something more to do with the regulations regarding the datacenters actually... Not sure... Might want to contact the DCs and ask them if their infrastructure is in fact PCI compliant.


----------



## concerto49 (Nov 15, 2013)

XFS_Duke said:


> Generally, datacenters are PCI compliant in a few factors. The main one is data access restrictions. Others are far more complex, but generally they are compliant. I think it has something more to do with the regulations regarding the datacenters actually... Not sure... Might want to contact the DCs and ask them if their infrastructure is in fact PCI compliant.


You need an audit from a third party to pass all the tests. I read the report we got earlier. Different rules depending on whether it's colo etc.


----------



## kaniini (Nov 16, 2013)

We can probably arrange a solution either in our public VM cluster, which is ISO 27017 and also PCI compliant, or on dedicated hardware.  Feel free to hit me up in a PM with your specific needs.


----------



## HDPIXEL (Nov 16, 2013)

I currently manage several PCI compliant servers with LiquidWeb (stormOnDemand.com). I had to make a lot of tweaks, and turned off many services in the WHM/cPanel software. The most expensive element of the PCI compliance process is to pass successfully and get the report titled "ASV Scan Report Attestation of Scan Compliance".

See list of approved scanning vendors.

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#

PayPal always recommends https://pci.trustwave.com/paypal

One of my customers used the McAfee service. I was pleased to use it as their software system tells you what to fix. In the end, you get the report already done that needs to be turned in to VISA/MC or the gateway vendor/processor (e.g. PayPal).

My advice to you is to negotiate the scanning price. X-cart x-payment is PCI compliant; you can install it on your own server or use their subscription service.

Best of luck to you.


----------



## Slownode (Nov 16, 2013)

PCI/ISO compliance is a joke.


----------



## shovenose (Nov 16, 2013)

Thanks guys. I might just use Stripe.js though. But their fees suck


----------



## WebSearchingPro (Nov 16, 2013)

Slownode said:


> PCI/ISO compliance is a joke.


Whether it's actually beneficial or not from a monetary standpoint isn't the point. If there was a PCI-DSS/HIPAA/ISO certification, I would inherently trust that they know more and care about security more than the average kid that just ordered a piece of hardware from CC and threw a bunch of people on it.

Just my two cents.


----------



## shovenose (Nov 16, 2013)

WebSearchingPro said:


> Whether it's actually beneficial or not from a monetary standpoint isn't the point. If there was a PCI-DSS/HIPAA/ISO certification, I would inherently trust that they know more and care about security more than the average kid that just ordered a piece of hardware from CC and threw a bunch of people on it.
> 
> Just my two cents.


See, that's kinda my goal. But if I use Stripe.js I don't have to worry about it. But being PCI compliant shows that the company has spent time and money on securing their shit, if you know what I mean.

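The reason a tokenised checkout such as Stripe.js reduces the merchant's PCI burden is that the card number never reaches the merchant's own server: the browser sends it to the processor and submits only a token. That only holds if the server actually refuses raw card data, so below is an added example (not code from this thread, from Stripe, or from any product named here) of a server-side guard that scans an incoming checkout request for Luhn-valid card numbers and rejects it if any are found, accepting only a token. The `tok_` token prefix, the field names and the sample request bodies are assumptions constructed for the example.

```javascript
// Added example: server-side guard for a tokenised checkout.
// Goal: the merchant server must never accept or log a primary account
// number (PAN); it should only ever see the processor's token.

// Luhn check: standard mod-10 checksum used by payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find candidate PANs in a string: 13 to 19 digits, optionally separated
// by single spaces or dashes, that also pass the Luhn check. The Luhn
// check filters out most order numbers and phone numbers.
function findPans(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Walk a parsed JSON body and record where PANs appear. Only the field
// path and the last four digits are recorded, never the full number,
// so the guard itself cannot leak a PAN into logs.
function scanValue(value, path, hits) {
  if (value === null || value === undefined) return;
  if (typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      scanValue(v, path ? `${path}.${k}` : k, hits);
    }
    return;
  }
  for (const pan of findPans(String(value))) {
    hits.push({ path, last4: pan.slice(-4) });
  }
}

// Accept a checkout request only if it carries a token (assumed format
// "tok_" followed by alphanumerics) and no field contains a card number.
function checkPaymentRequest(body) {
  const hits = [];
  scanValue(body, '', hits);
  if (hits.length > 0) {
    return { ok: false, reason: 'raw card number present', fields: hits.map(h => h.path) };
  }
  if (!body || typeof body.token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(body.token)) {
    return { ok: false, reason: 'missing or malformed token', fields: ['token'] };
  }
  return { ok: true, token: body.token };
}

// Constructed sample requests (not real traffic).
const goodBody = { token: 'tok_abc123', amount_cents: 2500, description: 'Used phone' };
const badBody = { token: 'tok_abc123', notes: 'card 4242 4242 4242 4242 exp 12/20' };
const orderNumberBody = { token: 'tok_x1', order_id: '1234567890123456' }; // Luhn-invalid, allowed

console.log(checkPaymentRequest(goodBody));        // ok: true
console.log(checkPaymentRequest(badBody));         // ok: false, fields: ['notes']
console.log(checkPaymentRequest(orderNumberBody)); // ok: true
```

Run the guard before any handler that logs or stores the request body. A rejected request should be answered with a generic error and not echoed back, since the offending field is by definition cardholder data. Note that PANs can also arrive through free-text fields (notes, support tickets, e-mail), which is why the guard walks every string in the body rather than only a `card` field.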

----------



## datarealm (Nov 20, 2013)

Slownode said:


> PCI/ISO compliance is a joke.


(rant)

We got to be their guinea pig about 12 or so years ago as they devised the standard. We had a client on our shared hosting platform using a perl shopping cart system whose account got breached through a hole in the cart. CC data he was storing was compromised but visa had NO clue about any of this. Their first response was to disable our own merchant account. Paypal was not really a big thing yet, about 80% of our revenue came through visa/mc at the time, which they held up for 12 straight days.

There was also no approved security vendor list as they were just starting out here. VISA named the security vendor that we had to use, and they required a complete on site audit before they would allow us to resume charging cards. Again, our cc data was never in jeopardy (not even on the same servers). But we had the pleasure to pay full travel expenses for someone to come down from Colorado, hang out at a hotel for 2 days, make a couple visits to our data center, and meet the requirements they were coming up with. For example, all services must be on physically separate servers. Onsite they made an audit of every system in our cluster and then told us things like mail had to be on a physically separate system than web services (it was, but it still irked us).

After the onsite audit the one saving item was supposed to be that visa was to place our company on their PCI site as the first fully approved PCI compliant hosting vendor.  Bragging rights to the first person who guesses if that ever happened...

a joke does not even begin to describe PCI compliance...

(/rant)


----------



## shovenose (Nov 20, 2013)

So Stripe completely ignored my email so I will ask the community these questions. The system in question is for Renew Computers (look it up on Google). We sell refurbished computers, used parts and stuff, and provide local computer repair services.


We also sell other stuff like used cell phones for like $25. We don't provide onsite tech support, just repairs if people bring in their Mac or PC to fix.


I read Stripe's terms of service and it says no tech support or cell phones. But since we don't really do that in the sense of new/contract cell phones, it's OK? And since we don't provide tech support, just repair, it's OK? I am confused.


----------



## zzrok (Nov 20, 2013)

Only Stripe can answer your question.  All you are likely to get here is speculation.


----------



## shovenose (Nov 20, 2013)

zzrok said:


> Only Stripe can answer your question.  All you are likely to get here is speculation.


Well it would be a start.


----------



## Aldryic C'boas (Nov 20, 2013)

Or you can just go do your own research and stop trying to get other people to make your business decisions for you.


----------



## qps (Nov 20, 2013)

Are you going to be physically swiping people's cards? If so, you need to get a real merchant account; the fees will be much lower. CDGCommerce is a pretty good one. We've had an account with them since 2004. You might be able to find cheaper elsewhere.

https://www.cdgcommerce.com/retail-pc-mac.php


----------



## shovenose (Nov 21, 2013)

Aldryic C said:


> Or you can just go do your own research and stop trying to get other people to make your business decisions for you.


you know what? Fuck you fuck my project I am done.


----------



## Aldryic C'boas (Nov 21, 2013)

Well, I'd suggest trying again when you're older, then.  If this is your standard response to criticism, then you're going to be in for a nasty shock when you try to treat clients like that face-to-face.


----------



## Ruchirablog (Nov 21, 2013)

shovenose said:


> you know what? Fuck you fuck my project I am done.


buwahahah  :lol:


----------



## fisle (Nov 21, 2013)




----------

