Ecommerce Forum

Should I charge for time spent on PCI compliance?
PCI compliance Host Charging

 4:28 pm on Feb 8, 2013 (gmt 0)


I am a small-time developer and web designer and have a client who needs PCI compliance.

I charge him 50 USD a month for an Amazon AWS micro instance which costs me about 15 USD. So I get 35 USD for patching and maintaining his virtual box.

Recently the PCI scanning company upped the stakes and the existing SSL cert that was installed then started to fail on SSL1 and SSL2, and I had to prevent the server negotiating on these protocols and only allow TLS 1.1 or SSL3.

E.g. "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers
to only support cipher suites that do not use block ciphers."

Now if that looks like a load of gobbledygook then you're right. It was to me when I first looked at it. Anyway, 1hr and 40mins later I had learned enough to block the weaker ciphers.

My question is to you other hosts: would you feel it's right to charge the client for this kind of work (1hr 40mins time) or just absorb it?
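The protocol and cipher lockdown the post describes, shown here as an added illustration that is not code from the thread: it builds a Python ssl server context with the weak settings beside the hardened ones and audits each the way a scanner would. Assumes Python 3.7+ on OpenSSL 1.1 or later; reading the quoted "no block ciphers" line as "AEAD suites only" is my interpretation of what it targeted (CBC-mode suites).

```python
import ssl

# Labels OpenSSL reports in SSLContext.get_ciphers()["protocol"]: the earliest
# version a suite can be negotiated on. Anything below TLS 1.2 is a finding.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def legacy_server_context() -> ssl.SSLContext:
    """The kind of configuration the scan in the post complained about:
    an old protocol floor and every cipher suite OpenSSL will offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 minimum and AEAD suites only (assumed reading of the
    'no block ciphers' requirement: no CBC-mode or stream ciphers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a compliance scan would raise against ctx."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; require TLSv1_2")
    for suite in ctx.get_ciphers():
        if suite["protocol"] in LEGACY_PROTOCOLS:
            findings.append(f"{suite['name']}: negotiable on {suite['protocol']}")
        elif not suite["aead"]:
            findings.append(f"{suite['name']}: non-AEAD (CBC or stream) cipher")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        found = audit_context(ctx)
        print(f"{label}: {len(found)} finding(s)")
        for line in found[:5]:  # show a sample; "ALL" yields dozens
            print("  ", line)
```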





 5:51 pm on Feb 8, 2013 (gmt 0)

You already got paid. $600 every year for, "patching and maintaining his virtual box".


 3:24 pm on Feb 12, 2013 (gmt 0)

I agree that since you are the "host" you sort of got paid for doing this. However, you might up your monthly fee just a bit, and cite the new "PCI requirements" for having increased your tasks.

I think that is justified - the PCI requirements demand a higher level of server security than a basic website. Since the scanning companies are getting more stringent, then I think a monthly increase is justified.

I helped a client recently with getting PCI compliant, and I charged my time, because I'm not the hosting provider.



 10:20 am on Feb 13, 2013 (gmt 0)

Thank you guys for your comments.


 12:27 am on Feb 14, 2013 (gmt 0)

the PCI requirements demand a higher level of server security than a basic website

The OP is hosting the site on an AWS micro-instance, with an SSL cert. What would qualify as a "higher level of server security"?

The storyline that a PCI "scan" can either pass or fail the security of a website is simply not true. Until a "scan" can detect a fired former employee with an axe to grind, a scan can do nothing more than flag SSL1/2 protocol support, and do some basic query-injection testing when their scanner detects a textbox.

PCI requirements are a great guideline, but that's all they are... a guideline for proper eStore design and implementation. But writing a bigger check to move from a "basic website" to a "higher level of security" based on a PCI "scan" is throwing good money after bad.

The OP's client needs to hire someone who didn't have SSL1/2 active in the first place, not prompted to disable it because a silly PCI scan told him to. How many other backdoors are on this site that a scan can't detect?

© Webmaster World 1996-2014 all rights reserved