markw10 — 2010-02-17T22:31:54-05:00 — #1
I am working towards getting my website PCI Compliant. I know authorize.net and my merchant bank are both PCI Compliant. Also, I don't store credit cards on my website or office computer and I have a private SSL.
I am using a shared plan with HostGator but am switching to a VPS hosting plan with HostGator.
I have done a lot of research and have posted on here before and it seems a missing piece is I have to have a scan done of my website and also fill out a huge questionaire and then submit it along with my scan results to my merchant bank to become PCI Compliant.
Am I correct about the above?
What this comes back to is site scanning. I have looked at many services including McAfee, Security Metrics, ControlScan, and TrustWave.
Most of my research so far has been with McAfee. They have a service for $319/yr which includes quarterly scans and manual scans as often as I desire. The are no logos with it for my website.
They also offer a full service for $959/year or $1289/2 years for a discount. This full service includes their PCI Scanning but also it includes their McAfee Secure scanning. The scanning is done daily and also with the McAfee Secure scanning you get a McAfee trust logo for your website.
With HostGator's shared plan for free I get the McAfee secure scanning with logo and it includes the PCI scanning but also once I change to VPS hosting I likely will lose this.
I am interested in opinions of the various options for scanning, MCafee, Security Metrics, and ControlScan, and also Trustwave and also if I go with MCafee is their higher plan worth it? They claim I'll see an increase in sales but is that likely to be true? Thank you for your thoughts on the above.
tigerstripes — 2010-02-17T23:10:36-05:00 — #2
Your systems will be different from mine, so your mileage may vary, but you'll see from my thread below that I've had serious issues with McAfee.
I'd suggest getting free trial scans, simultaneously, from each vendor you're considering. Add Qualys to your list, and if your SSL vendor or card processor recommends someone, or even better offers a discount, try them out too.
You should go with the vendor that finds the most real issues, after false positives have been accounted for. The aim of the game here is to be able to sleep at night, and not have nightmares about being pwned!
A VeriSign or TrustE seal is probably better known and better for conversion ratios than a "hacker proof" one - there lots of seals to choose from and only so many pixels to spare for these things before you end up looking like some guy at election time with too many buttons on his jacket.
Many people also know that sites with such seals have still been broken into, and there's always the chance that someone will your "hacker proof" button as a challenge and have a go at you on the strength of it.
markw10 — 2010-02-18T00:16:03-05:00 — #3
Thanks for the suggestions. I will add them to my list and call around and see if I can get test scans.
webwest — 2010-02-18T00:27:44-05:00 — #4
With no PCI "standards" in place yet the crappy part is that even if you had all the different scanning companies scan the same site, they'd all come up with different "vulnerabilities" even if they were false positives. It's great to feel warm and fuzzy that your site is secure but I have to agree with TigerStripes, a ton of medals suits war heroes better than websites. We run an eCommerce hosting company and without tooting any horns, we know our clients' sites are secure without having to be told by scanning companies - that's our business. But obviously the banks need to hear it from someone else no matter whether the scans are accurate or not.
votrechien1 — 2010-02-18T04:28:46-05:00 — #5
I went through PCI compliance a few months ago. Here are some observations:
1) We did the free scan through Hacker Guardian. There were tons of false positives and my webhost (Light Bound Hosting) responded to each false positive which I forwarded to Hacker Guardian and they corrected these false positives within hours. I think our webhost could have said any reasonable gibberish and Hacker Guardian would have ignored the false positives.
2) Our PCI Compliance was literally a 2 page pdf that I simply forwaded to our merchant bank. I think I could have sent a PDF with a picture of my dog with the caption "xxx is PCI Compliant" to our bank and they wouldn't have known any better (remember, most people at banks aren't IT people).
I believe we're supposed to send documents every 3 months showing on-going compliance. Unsurprisingly, I haven't heard from our bank in the last 6 months
So in conclusion, in my opinion, this whole PCI compliance deal is just something banks, credit card companies, etc. are formally instituting to cover their asses and they're quite liberal about compliance. Don't get too worked up about it. It seems like a lot at first, but you can get compliant within a few hours.
webwest — 2010-02-18T12:36:11-05:00 — #6
At this point in the whole PCI compliance game, I agree 100% with votrechien1