Free PCI Security Scan

[Matt]

Free PCI compliance account

GlowHost has partnered with ScanAlert and are pleased to announce FREE PCI security scanning and compliance services from Scan Alert.

PCI compliance is MANDATORY for those of you who accept credit cards online. New Data Security Standards are in effect for merchants that require compliance regardless of the dollar amount that they process online.

PCI compliance account FREE for GlowHost Customers. This is the same quarterly compliance scanning service that ScanAlert retails for $319 per year.

This new service is designed to allow all GLOWHOST customers to easily meet the requirements of Visa and MasterCard’s Payment Card Industry (PCI) Data Security Standard. Compliance with the PCI standards is required by all ecommerce merchants.

The ScanAlert program is a complete security auditing system with a breadth of features that far exceed the basic vulnerability scanning requirements of PCI, CISP and SDP which comprise the PCI Security Standards. A comprehensive security tool, it includes:

• Access to ScanAlert’s web-based Vulnerability Management Portal
• Scheduled quarterly automated vulnerability scans
• Unlimited on-demand manual scans to re-test systems whenever needed
• Detailed instructions to patch all vulnerabilities found during scans
• Easy-to-understand security self-assessment forms and online assistance
• Preparation of the Report on Compliance (ROC) documentation for submission to an online merchant’s acquiring bank

Click the link below to take advantage of this offer.

Free PCI compliance scan

Please see the below PDF for more information on the PCI scanning technology.

If you would like to use this PCI account in combination with GlowHost managed services for your dedicated server to ensure it is PCI compliant please see our managed PCI compliance service.

[andychev]

Free PCI compliance account
PCI compliance is MANDATORY for those of you who accept credit cards online. New Data Security Standards are in effect for merchants that require compliance regardless of the dollar amount that they process online.
...

Bargain service. Although a nighmare of a field to be in. The basics of pci compliance often arent made clear (hence it took me several days to dig through all the information a few months back when the pci compliance form was put on my desk) There are four levels and depending on where your company falls determines at what level you have to be 'pci compliant'

Level 1: Any merchent processing over 6,000,000 transactions a year, any merchant that has been subject to hacking. Or any merchant that visa says so.
Annual onsite security audit: Required
Quarterly system perimeter scan: Required
Annual compliance questionaire: Required

Level 2: Any merchent processing between 150,000 and 6,000,000 e-commerce transactions per year
Annual onsite security audit: Not Required
Quarterly system perimeter scan: Required
Annual compliance questionaire: Required

Level 3: Any merchent processing between 20,000 and 150,000 e-commerce transactions per year
Annual onsite security audit: Not Required
Quarterly system perimeter scan: Required
Annual compliance questionaire: Required

Level 4: Any merchent processing fewer than 20,000 e-commerce transactions per year and all merchents processing upto 6,000,000 transaction per year (offline)
Annual onsite security audit: Not Required
Quarterly system perimeter scan: Recommended
Annual compliance questionaire: Recommended

It also needs to be clear that pci compliance if for merchants ie you have a merchant number. This doesn not apply if you are using a third party payment system such as paypal, worldpay, etc etc because they are the mechant (they need to do it).

[Matt]

Your information above may be a bit outdated. Level 4 are now required to be PCI compliant. In the past it was simply a recommendation. I agree, there is a lot of grey area and the credit card companies are the ones to blame for that.

They want security but they do not clearly define how we (merchants and or hosts) are supposed to give it to them, and penalize us (merchants) when it is breached.

That is why it is important to have your PCI status up to date because that one item is in "black and white" and is an important factor in safeguarding your merchant status if they decide to do something nasty like sue you someday, or take away you ability to process credit cards, you stand a much better chance in court, and hopefully it would never get that far based on your PCI compliance.

[andychev]

Your information above may be a bit outdated. Level 4 are now required to be PCI compliant.

Arg i was having a good day aswell! I was so relived when i had this landed on my desk and found it wasnt relevent a few months back. What a pain that they have now changed the boundries. I am sweating just thinking of this being given to me again! Quick run away!

[Matt]

Well again it is all grey. But if you come across the new requirements for Level 1-4 as you are catching up on the new rules, it would certainly make for some good posting.

[kublaken]

with this statement:

"PCI states that a machine that holds, transmits, or stores sensitive data must be owned by a single entity, and that entity must only grant access to sensitive cardholder data on a "need to know" basis."

Is a VPS account for an e-com client needing to be PCI compliant good enough to pass the compliancy test?

also, could an e-com client be pci compliant in a shared web hosting environment?

Thanks,
Ken

[Matt]

In our assessment, the answer is NO, you need a dedicated server. PCI is a pretty grey area but I think erring on the side of caution and going with a dedicated server is the way to go. The new PCI DSS 1.2 has provisions in it for shared hosting but I do not see how it is possible to be compliant on a shared host and compliant with almost all the rest of the PCI DSS including your citation above.

PCI Is full of contradictions but I've found that a dedicated server option is the best way to to limit the number of contradictions and grey areas found in PCI DSS.

[charlesh]

What about if you do not store cc numbers, but just transmit them to a clearing house like Auth.net? Is any level of PCI compliance required then?

I had always thought the answer was not in that case...

[Matt]

It doesn't matter if they're not stored. Even if they are only transmitted, they say that in order for you to be compliant with PCI...

I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?

All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, we recommend that you contact your acquirer. For more information regarding the PCI security standards and supporting documentation, including the “Navigating the PCI DSS” as well as targeted Self Assessment Questionnaires to assist small and medium merchants, please visit the PCI SSC website at: www.pcisecuritystandards.org.

Source:
https://www.pcisecuritystandards.org/ > FAQ >
I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?

Is every merchant in compliance? No. I'd say less than 10% based on what I see running on the shared servers.

[Websync]

Wow, thank you so much for posting this info. I had no idea about the PCI requirements. Doesn't effect me because I use PayPal, but it sure would effect other people that I design sites for.