If you don't make enough profit, you can't pay for it.

The answer is to use applications that do not store credit card information. Use an integrated payment gateway provided by your processor to process cards, and do not store any of the cc information yourself.

You are a PCI Tier 4 merchant in Visa's eyes. Annual Self-Assesment Questionaires are optional, not required. Compliance validation requirements are set by your acquirer, but should not approach those costs.

Find a different acquirer, or verify that you were quoted fees for a Tier 4 merchant. Should be an hour's worth of paperwork, tops.

We only store the last 4 digits.

Then you should be fine with an annual SAQ. A quarterly scan (maybe $30 bucks a month if that) would be optional but an extra warm fuzzy.

My understanding is that the full dedicated server business is for businesses that are storing the whole works...full account numbers, expirations, magnetic stripe data etc.

My understanding is that the full dedicated server business is for businesses that are storing the whole works...full account numbers, expirations, magnetic stripe data etc.

Thats not true if you are on a shared server your next door neighbor might install some maleware on the server or exploit your script to save the credit card info just keep your imagination running

you need an isolated environment that can be accomplished by a dedi server or the likes of a dedi server thats a Vps or rackspace cloud service

if you save the cc info there is more things to do then just a dedicated server

If you only need the last 4 digits why not rely on your gateway supplier? We use Auth.net and they keep the last 4 in their database.

Thats not true if you are on a shared server your next door neighbor might install some maleware on the server or exploit your script to save the credit card info just keep your imagination running

This is true. I wasn't terribly clear...there is no need to pay 7k a month for dedicated server(s) (web server, separate sql server, etc etc). Shared hosting is never a good idea for ecommerce unless you are PayPal or other hosted form page only

We use dedicated now and we also use Authorize.net.

We only store last 4 of card. Period.

GaryBradshaw,

You aren't in the business of handling credit card data, so why are you doing it in the first place? That's just a rhetorical question, food for thought, you aren't a payment processor so stop processing payments! :)

The tried and true solution to this problem is to [b]offload your payment solution[/b]. Storage, transmission, and processing should all be moved off to a 3rd party payment gateway handler. This will greatly reduce your PCI-DSS footprint. There are tons of vendors out there that do this, but Braintree [url]http://www.braintreepaymentsolutions.com/services/pci-compliance[/url] is one of the best and is used by some big names on the web such as 37signals, admob, and Brightcove. I would strongly consider checking them out. I don't work for them, I just like what they offer.

Offloading your CC transactions is a given, so I really can't offer any further advice on the PCI end. Where I am concerned though is that you were quoted $7k on ANYTHING from Rackspace. If you're grossing less than $10k/mo in sales I can only assume that, unless you're doing microtransactions in great enough volume to require 48GHz of processing power on the SQL end, you don't need anything from Rackspace's Performance Series of dedicated servers.

With that in mind, maybe it's time to change up your infrastructure, or at least review it. I'll present both here:

Your first option is Cloud services. I know "Cloud" is the big gorilla term in the room but hear me out. With cloud offerings (from Rackspace, Joyent, Terramark, and others) you pay for resources as your eCommerce platform scales and you pay and at the end of month instead of up-front. Big difference from paying for dedicated environments that go largely unused - resource usage plummets at off-peak hours but you're still paying full price monthly which is such a waste.

The other option is reviewing your infrastructure. If Rackspace is quoting you $7-10k I assume that's for a bunch of Performance Series gear and it's probably completely overkill. Take some time to determine the actual resource requirements of your environment and scale [b]down[/b] appropriately. I don't know your resource requirements, so I won't assume much, but SQL (as well as MySQL, Oracle 10g, and other performance-minded database platforms) can crank out hundreds of thousands of transactions a day on only a couple of cores and a few gigs of RAM. Determine the [b]real[/b] resource needs of your eCommerce environment and scale back on the overhead appropriately.

Whatever you do, use the cost savings to pay for Braintree or another payment gateway handler. Get the darn CC data OFF your eCommerce platform and minimize your PCI footprint to near-zero. Seriously, you'll go from a 250-question SAQ to a 10-question one [i]as long as you aren't touching CC data[/i].

Best of luck,
Sean

I host at rackspace and was quoted $7,000 to $10,000 per MONTH for PCI Compliance.

<faints>

That's pretty much unrealistic. Sorta like still charging $35 a year for domain names. (*cough*)

Lease a dedi, even an economy solution, for around $1100- $1500/year, and you can make it PCI compliant. Half of it will be in your programming, the other half in resolving server issues for which you'll need a good system admin's assistance - money well spent.

For details, see previous, there is no reason to store CC info at all. Pass all that off the a gateway.

The card data is not on the server. We send it all through the gateway. That is MY POINT.

We does someone like me even need to be PCI Compliant.

GaryBradshaw,

All merchants are subject to PCI if they take Visa/MC/etc. Obviously I didn't address your issue though, so let's back up then to the 80,000 foot view: which PCI-DSS SAQ do you think you fall under?

If you're a card-not-present merchant already - you're using Authorize.net's payment gateway, offloading all CC transactions, and only storing the last 4 digits - you'd use SAQ A, where you answer a handful of questions and submit that along with the Attestation of Compliance to the PCI Council. Bing, bang, done.

Something doesn't sit right with me that Rackspace is claiming you need $10k in services to be PCI compliant though. What are they including in that $10k and why?

-Sean

They are sending me a quote. However, I think SAQ 4 will work for us. So that's where I am going.

Thanks for all the responses.

The card data is not on the server. We send it all through the gateway. That is MY POINT. We does someone like me even need to be PCI Compliant.

PCI Compliance isn't just focused on *storing* card data, but *handling* the data as well. I assume that if you're storing 4 digits, at one point you had a web page that asked for all sixteen digits. PCI Compliance is concerned with that too.

But as a Tier 4 merchant, annual SAQ's are totally optional, and your costs should be two-figures a month (at most), not $10k.

Don't necessarily offload credit card processing to a 3rd party, as someone suggested above. While it's true that you're not in the business of "processing payments", you are in the business of "order management", and a seemless Shop/ Checkout/ OrderStatus/ Reorder experience for the customer reflects a professional website, much more than a boomerang payment system that bounces a shopper to a different url for payment details. Especially for foreign shoppers, who might not recognize the url of a payment processor.

Don't necessarily offload credit card processing to a 3rd party, as someone suggested above. While it's true that you're not in the business of "processing payments", you are in the business of "order management", and a seemless Shop/ Checkout/ OrderStatus/ Reorder experience for the customer reflects a professional website, much more than a boomerang payment system that bounces a shopper to a different url for payment details. Especially for foreign shoppers, who might not recognize the url of a payment processor.

Great point here. Also good to point out that most modern payment gateways don't do page forwarding like this any more but instead use API or datasource calls, ensuring a seamless user experience.

Still a great point though! Avoid those payment gateways that are still stuck in the old page forwarding model of payment handling!

much more than a boomerang payment system that bounces a shopper to a different url for payment details.

All of my clients use some form of a gateway - Authorize.net, LinkPoint, NetBilling - and the visitor never leaves their sites during a transaction. None of these clients store anything, save one, who uses autobilling and his system requires the last four and a transaction id. It's done with silent post using curl.

These servers and the programming on them survive regular PCI compliance scans. It doesn't cost 2K/month. Just lots of hair pulling after a scan. :-)

How long must "storage" be before PCI compliance becomes an issue?

I get the CC info when an order is placed, process the order either immediately or within a few hours, then delete the number completely.

When I discussed my procedure with my CC processing company, I was told that I didn't need PCI compliance with the way I'm doing things.

When I discussed my procedure with my CC processing company, I was told that I didn't need PCI compliance with the way I'm doing things.

Well what your processor says is ultimately what matters.

FWIW, my impression (from both my processor and the PCI-DSS documentation) is that any storage, no matter how short, qualifies for PCI compliance.

Same here. Someone can be listening, right now, logging everything you input. Delete it in five seconds, doesn't matter.

dickbaker, ALL businesses in the USA that accept payment cards (including Visa, MasterCard, Discover, American Express and JCB) are required to adhere to PCI-DSS.

Even those companies intelligent enough to offload the complete CC transaction stack as has been discussed above are required to adhere to PCI-DSS. They just have a much easier and cheaper time doing so than those companies who internalize any part of payment acceptance.

The card data is not on the server. We send it all through the gateway. That is MY POINT.

We does someone like me even need to be PCI Compliant.

you should consider tokens from Authorize.net

Can anyone suggest a company that does the scanning?

Usually the credit card company requires your merchant provider to choose them (example, Visa says A.N. must require compliance of customers, I **think** the merchant provider chooses the company that does the audit.) The good news is, the merchant provider usually foots the bill for the quarterly scans, last I checked it was $700/year. Ours uses Security Metrics.

Non-compliance = +20/month or so from your merchant provider. Waived if you pass the scans.

If your merchant provider doesn't include scanning as rocknbil noted, check out Trustkeeper. We use multiple external and internal scanners, and with regards to the external ones, Trustkeeper has so far provided the cleanest results with the lowewst number of false positives, meaning wwe aren't chasing shadows but fixing real issues as they crop up. It also has some great reporting features.

This topic is timely, that's for sure.

I have a client who received a notification from Wells Fargo that if their ecommerce store is not PCI Compliant, Wells Fargo will bill them an additional $25.00 per month in fees. If we are compliant, Wells Fargo picks up the quarterly scanning costs.

I just finished the Trustwave 226 question SAQ. For this client, we have compliancy on 217 of the 226. I have to get my server administrators involved to go back through the SAQ and make sure I answered the questions correctly. We may have a little bit of work to do in cleaning up some issues.

Personally? It feels like a brute force move to get anyone doing ecommerce transactions to clean up ALL of their security issues. Not 99% of them but 100%. If you are not 100% compliant, then there are monthly fees involved from your provider. I feel like I'm being blackmailed.

There are no laws requiring this. It was a decision made by the credit card companies. You will be 100% compliant or you will pay a monthly fee for non-compliancy.

GaryBradshaw that is just plain bull crap. Just plain stealing. You can run a free scan from comodo to see if there are any serious issues with the server. Since you don't store any cc details all your gonna need is the lowest level of PCI.
If the server has issues beyond your control move to another host set up a dedicated server so you have full control and or use a company/cart that is PCI. I know several that are for a couple hundred a month in hosting fees with a shopping cart or just use the cart for processing that is PCI for much less.

I feel like I'm being blackmailed.

YES! I felt the same way . . . however . . .

The first time through it, seeing green lights across the board, knowing the server is a little bit tighter, a little more secure . . . I don't feel that way now. I feel happy I don't have to fork out the $700/year. :-)

LOL @bil

It does give you a warm fuzzy, no matter how meaningless.

They should give me a hacker safe badge. :)

I sure have learned a great deal from this thread. Also learned that when I call companies about PCI compliance they dance around trying to figure out how much money you have before they start giving you information.

Kind of sad really.

Oh, and everyone I spoke has said "not meaning to scare you but you could be shut down or fined up to $100,000 if you are not compliant.

I really do care about customer protection, but this sounds as bad as the merchant account business is. The whole industry is "questionable" really.