  1. #1
    Join Date: Feb 2010
    Posts: 1

    Real PCI Compliance

    Hi there,

    EUK seem to be very confident about their ability to provide PCI compliance for merchants storing credit card details on their server (i.e. Sage Pay Direct or Paypal Website Payments Pro, as opposed to Paypal Express Checkout/Sage Pay Form & Server), so I'm hoping you'll be able to clear this up for me.

    I've taken a look at the thread on your forum at dub-dub-dub.eukhost.com/forums/f11/pci-dss-compliance-7882/, googled, and spoken to BarclayCard's chosen security company SecurityMetrics (who didn't reassure me - they came across as not really understanding PCI!).

    [It seems I cannot post links as a new member of this forum, so I've just pasted them in.

    Aaaargh, no I haven't, because the forum automatically tries to make them URLs again - this is doing my nut! I can't even remove the http bit. OK, I'll try and obfuscate them by replacing www with dub-dub-dub.]

    The issue is this:

    Reading official PCI documents, PCI compliance is a complex process, a small part of which is a remote scan (to ensure ports are closed, software is up to date etc.). Merchants storing credit card details locally are required to complete SAQ-D (found here: dub-dub-dub.pcisecuritystandards.org/saq/instructions_dss.shtml), as are their Service Providers.

    Listening to SecurityMetrics and reading the EUK forum, compliance appears to be about the scan only. However, there is more to it than that as far as I can see. For example, web site and database must be on separate servers, secure processes and policies must be in place behind the scenes at the hosting provider as well as the merchant, down to the level of ensuring any relevant devices are labelled as to their owner and purpose! And merchants and their service providers must each make an 'Attestation of Compliance', essentially securing their liability should things go wrong.

    To be fair, there seems to be a lot of confusion around PCI - the official PCI information says one thing, and everyone else (even banks and security companies!) says another. Or perhaps I am missing something. For example, requirements are being phased in - are some people just behind the times? Do acquiring banks get to decide how rigorous they want to be, and are they currently being quite flexible and ignoring most of PCI? I find that hard to believe, however.

    PCI compliance is of course about passing the buck. My concern is that if I take everyone at their word, it is possible I will gain PCI compliance and be able to begin taking payments just by passing a scan. If my site is then somehow hacked, card details are compromised and my card services provider investigates, they may then find that one of the other PCI requirements (such as physical access to the servers in the EUK/web host's data centre) was not properly compliant. Cue immeasurable damage to, and possible failure of, my business.

    What about the rest of compliance beyond scanning? Are EUK and others 'PCI Compliant' service providers, capable of completing the appropriate forms (especially the SAQ-D linked to above), and do you have appropriate procedures/policies/measures in place?

    For example, can you address the points made here: dub-dub-dub.outeredgeuk.com/pci-compliance-with-sage-pay-form-server-direct/?

  2. #2
    Join Date: Nov 2007
    Location: United Kingdom
    Posts: 648

    Hello,

    You are right, it is very complex and confusing, and that's before you get to the different levels of PCI Compliance.

    Technically speaking, we will only help our customers pass a PCI Compliance scan. In order to do this, a customer needs to have a VPS or a Dedicated Server. When a customer has a VPS or Dedicated Server, they technically become their own ISP as far as PCI Compliance goes. This is because a PCI Compliance Certificate issued to eUKhost Ltd is completely worthless when you look at an individual VPS or Dedicated Server. It's not worth the paper it's printed on, to be honest.

    Part of the process is also answering a self-certification questionnaire BEFORE you are even allowed to do a scan. Many of the things they ask for will also show up in a scan, but many of them are based on a truth concept, that's for sure.

    SecurityMetrics are pretty much the issuer of choice for most UK banks. Barclays recommend them wholeheartedly, and SecurityMetrics give a heavy discount to Barclays' customers.

    SecurityMetrics reports back to Barclays with the certification, which in their eyes covers you against any breaches.

    I should add, the breaches that have taken place all over the internet and are in the news have been because of things that PCI Compliance doesn't cover.

    Part of the PCI Compliance process is that you can also be audited at a given time. This can literally take the form of someone coming to your office and checking your processes, and even going to the DC to check the setup meets the requirements.

    I hope that answers a few of your questions, but it probably created even more!
    Kind Regards,
    John - Managing Director
