PCI Compliant Hosting - Are you sure your host knows what PCI is and what they are selling?

I recently had a discussion with a potential customer on why they should work with ZZ Servers instead of one of the now hundreds of other hosting providers offering PCI "compliant" hosting services. After spending the last 5 years doing PCI Level 1 validations I have run into many areas where hosting providers just do not get PCI, or what a hosting provider needs to know to provide secure and compliant hosting. I have also been able to compile a list of questions that I use to determine whether a provider is just trying to sell a service or really provides a PCI solution.

I was able to spend a good half an hour with the now new customer and help them understand how our approach meets the intent of PCI and is not focused only on trying to "make the sale." However, for those who do not know what questions to ask of a hosting provider, I have started a new project where I will be "shopping" for a new hosting provider and will post the communications I have with them, along with some additional comments on what their answers would mean to me if I were in my QSA role evaluating their solutions. I will keep the communications anonymous to prevent any liability issues, but feel free to use any of the questions or comments I have when discussing hosting solutions with any providers you may be examining; and feel free to use my questions against us when you call and ask about PCI or compliance-based hosting with ZZ Servers.

With that in mind, here is the first discussion, with a decent data-center provider that has multiple data-centers fully owned and operated by their staff in the northern Midwest. I have highlighted the items that caused me to be concerned about their understanding of PCI and of what it takes for merchants or service providers to be hosted with managed PCI solutions. Please note, anyone can take a rack of hardware and manage / deploy it in a compliant manner. But that is not what these hosting providers are selling. They are selling compliant solutions, leading customers who do not fully understand the requirements to think they are meeting all of the requirements.

**Chat Information:** You are now chatting with 'Paul'
**Paul:** Greetings, my name is Paul. Welcome to <HOSTING PROVIDER> Sales. With whom am I speaking? How may I be of assistance?
**you:** Hello, I saw your VPS servers have a $50/mo PCI certification? What does that provide? Does that mean I'll be compliant? Do I need anything else? Does that include my scanning, pen test, internal/external? Log monitoring?
**you:** hello?
**Paul:** Hello, sorry about that
**Paul:** the PCI certification will include all scans for your server to be entirely compliant

-- This is common; many people believe that if you get your ASV scanning done and answer the questionnaire you are compliant. If only it were that simple.

**you:** so it is only the scans?
**you:** not the rest of the compliance needs?
**you:** internal & external scans then?
**Paul:** it covers all services needed
**you:** external logging/monitoring, firewalls, IDS, 2 factor remote access, pen-testing (internal/external), ASV scanning & internal scanning (& other stuff I can't remember atm)??
**Paul:** Yes, it is the complete service

-- How can he say it's scanning, then a complete service? At this point I really believe the sales guy does not know what he is selling.

**you:** application & network penetration testing? how do you have that for $50/mo? the best quote I have from a professional pen-testing company is 5000/year
**Paul:** let me double check
**Paul:** yes, it does, I have confirmed

-- Confirmed? If you can't tell by now that I am asking questions above his knowledge level, why not conference in someone who knows the answer?
-- Many hosting providers want you to email or fill in a form so they can manage their response. If they can't answer your questions at all hours,
-- then are you sure they can manage your compliance needs at any hour? Get them to bring the expert on the phone while you are asking questions!

**you:** interesting, do you have a detailed whitepaper or pdf on the complete services offered?
**you:** and I assume I'll have to get more than 1 server
**Paul:** No, you can have PCIC with one server

-- Big, big red flag!! If you are only using PayPal/Google for payments then yes, this is right, but if you are not then the requirement for "single use" is pretty important.

**you:** and that includes firewalls too right? do I have a dedicated RFC 1918 address space?
**you:** you can?
**you:** how do you satisfy the "single purpose" requirement?
**you:** where a server can not be a web & database server
**Paul:** we do not require a cluster for pcic

-- I wasn't asking about a cluster. This is a typical issue: the sales team is used to selling hosting of servers but does not understand PCI. I guess they have not had
-- any PCI training (which merchants & service providers are required to have annually).

**you:** you do not, but PCI requires that
**you:** PCI has something somewhere that requires each server have a single function
**you:** do you have any documentation? or details about what is included in your PCI services?
**Paul:** I do not have a detailed outline, but I know these are the standards we follow

-- Another warning... PCI is documentation heavy; if they do not have documentation, have they really done all that's required?

**you:** yes I am familiar with that
**you:** our QSA has ingrained that into us
**you:** I was just curious because some of your answers do not jibe with what the PCI-DSS requires
**you:** ok I think I have enough for now; thank you for your time
**you:** Have a great night.. oh one last question; where are your data-centers located?
**Paul:** My pleasure, they are in <LOCATION>
**you:** any other geographic areas?
**Paul:** they are all located in <ONE LOCATION>
**you:** thank you have a great night
**you:** oh one other question
**you:** what technology do you use for your remote 2 factor auth & VPN
**you:** RSA/certificates/?
**Paul:** The only vendors I have info on at the moment are ControlScan, SecurityMetrics, TrustKeeper, and Clone Systems
**you:** so it's not included w/the PCI service?
**you:** it's a 3rd party vendor we have to engage?
**Paul:** Send me an email to <SALES-EMAIL> and I will find out for sure

-- Remember earlier they said it included all required services? Again, lack of documentation & training leads me to think they just do not know what the requirements are or what they are selling.

**you:** ok thank you, have a great night/morning
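As an added example (not part of the original post, and not ZZ Servers' own tooling), here is a small check for the "single primary function per server" point raised in the chat: it parses `ss -lntp` output from a host and flags a host that listens as both a web server and a database server. The `ss` output is constructed sample data, and the port-to-function map is an assumption you would adjust for your own environment.

```python
# Added example, not from the original post: classify a host's listening
# TCP services (from `ss -lntp` output) and flag a host that serves more
# than one primary function, e.g. web and database on the same server.
import re

# Assumed port-to-function map; extend it for your own environment.
# SSH is management only and is not counted as a primary function.
PRIMARY_FUNCTION_PORTS = {
    80: "web", 443: "web",
    3306: "database", 5432: "database", 1433: "database",
    25: "mail", 587: "mail", 993: "mail",
}
MANAGEMENT_PORTS = {22}

# Constructed sample `ss -lntp` output for a single VPS.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=1203,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("apache2",pid=1203,fd=6))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1410,fd=21))
"""

# Matches LISTEN rows and captures the local address and port columns.
_LISTEN_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s", re.M)

def listening_ports(ss_output):
    """Return the set of TCP ports in LISTEN state from `ss -lntp` text."""
    return {int(port) for _addr, port in _LISTEN_RE.findall(ss_output)}

def primary_functions(ports):
    """Map listening ports to the distinct primary functions they imply."""
    return {PRIMARY_FUNCTION_PORTS[p] for p in ports if p in PRIMARY_FUNCTION_PORTS}

def single_function_findings(ss_output):
    """Return finding strings for the host; an empty list means it passes."""
    ports = listening_ports(ss_output)
    roles = primary_functions(ports)
    findings = []
    if len(roles) > 1:
        findings.append("multiple primary functions on one host: " + ", ".join(sorted(roles)))
    # Anything we cannot classify still needs a human to decide its role.
    unknown = sorted(p for p in ports
                     if p not in PRIMARY_FUNCTION_PORTS and p not in MANAGEMENT_PORTS)
    if unknown:
        findings.append("unclassified listening ports: " + ", ".join(map(str, unknown)))
    return findings

if __name__ == "__main__":
    for line in single_function_findings(SAMPLE_SS_OUTPUT) or ["host serves one primary function"]:
        print(line)
```

On the sample host the check reports "multiple primary functions on one host: database, web", the exact situation the chat's "web & database server" question was probing for.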