How relevant is PCI SSC in SERP's

Do SE's care about a site's Payment Security Standard?

Propools

4:11 pm on Jan 17, 2011 (gmt 0)

The Payment Card Industry Data Security Standards Council (PCI DSS) is a set of requirements designed to ensure that all companies that process, store and transmit credit card information maintain a secure environment. Essentially, they would prefer that any merchant that has a Merchant ID number follow these requirements.

This program was launched in late 2006.

It can be found at [pcisecuritystandards.org....]

Do you think SE's put much relevancy to this security standard?

jwolthuis

6:58 pm on Jan 17, 2011 (gmt 0)

In my opinion, No, and neither do your customers.

The PCI goals are well-intentioned, and all merchants should abide by their guidelines. But the PCI-DSS space is dominated by "compliance auditors" who charge high fees to ensure your store is compliant, without reviewing a *single line* of source code. Magical, and I assume very profitable.

I feel that the single-biggest threat to the security of your store is a disgruntled former employee / programmer with a secret username or back-door into your database. Without physical inspection or source code analysis, there's no way that PCI can detect this via port scans or self-audits.

Propools

8:02 pm on Jan 17, 2011 (gmt 0)

jwolthuis, might you be implying that the security analysis is done via a "bot" of some sort ?

digitalv

8:16 pm on Jan 17, 2011 (gmt 0)

Your credit card number is more likely to be stolen by a waiter when he disappears around the corner to charge your meal than from the Internet. PCI compliance is a racket, it's just another way for credit card companies to make money off of honest merchants and developers.

But to the OP's question... no, search engines don't place any value at all on PCI compliance. It's not relevant to search, as SE's would (1) have no way of knowing whether a site is compliant or not, and (2) Have no way of knowing if a site should be compliant or not. Just because you're accepting a credit card online doesn't mean you're saving it in a database, so you wouldn't need to be compliant.

I'm assuming you're asking this question because some sales rep for one of these companies told you it would help you in the search engines? If so, he's lying.

Propools

8:31 pm on Jan 17, 2011 (gmt 0)

No, it's just a question raised due to a report which the owner of the site has been seeing, which just so happens to coincide with a SERP position change.

That's why I was wondering if there's any "weight" put to this PCI signal.

RhinoFish

3:26 pm on Jan 18, 2011 (gmt 0)

how does the search engine "know" he's pci compliant?

Propools

3:40 pm on Jan 18, 2011 (gmt 0)

I'm not sure, but I would think that something via an "algo" would work.
-OR-
There may be a relationship of sharing compliance information between the SE's and pcisecuritystandards.org

Propools

8:51 pm on Jan 18, 2011 (gmt 0)

OK, here's the kicker.
Our merchant banccard.com is NOW charging a minimum of $25.00 each month for non-compliance!

[edited by: Propools at 9:12 pm (utc) on Jan 18, 2011]

jwolthuis

8:57 pm on Jan 18, 2011 (gmt 0)

might you be implying that the security analysis is done via a "bot" of some sort ?


Not a bot, but a secretary, or perhaps a "Compliance Engineer", aka a new college graduate with a questionnaire and a check-sheet. Certainly the port-scan is automated.

RhinoFish

10:19 pm on Jan 18, 2011 (gmt 0)

there are kinds of signals G could garner, but i'm wondering if any would constitute enough "proof"... of course, maybe they just weight what they can and try to weight it appropriately... the orgs may share info, but because it's security related, i lean towards assuming not.

maybe a prime indicator would be a bona fide hacker safe / hacker proof sort of marker?

digitalv

1:51 pm on Jan 20, 2011 (gmt 0)

OK, here's the kicker.
Our merchant banccard.com is NOW charging a minimum of $25.00 each month for non-compliance!


Is that all that happens? If so, that's a pretty good deal... The $10k for PCI compliance (for the level I would want) vs. $25 per month is a no-brainer. :)

jwolthuis

2:36 pm on Jan 20, 2011 (gmt 0)

Our merchant banccard.com is NOW charging a minimum of $25.00 each month for non-compliance!

More proof that PCI compliance is simply another profit-center for banks.

If it were really about security, wouldn't they refuse you as a customer? Instead, they say, "oh just pay us more, and we'll turn a blind eye to your security practices".

rocknbil

5:09 pm on Jan 20, 2011 (gmt 0)

jwolthuis, might you be implying that the security analysis is done via a "bot" of some sort ?


If it's done by Security Metrics, it's definitely an automated process. And I sorta agree, it's a dig in our pockets. But on the other hand, it does close up a lot of security holes which can't be bad in any case, so we live with it and keep it compliant to avoid the extra $21/month (our processor's non-compliance charge.)

Propools

8:16 pm on Jan 20, 2011 (gmt 0)

So, the feedback I'm getting from the PCI folks is that some of the ports on the server are open which should be closed. I found a directory of what the ports are.

Here's the list - [iana.org...]

Anyone have a feel for which ports I should leave open?

digitalv

3:22 am on Jan 21, 2011 (gmt 0)

As a general rule you should only open ports that are required for the application to run - on a web server, for maximum security that would be ports 80 and 443 and nothing else.
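Propools asked above which ports to leave open after the scanning vendor flagged open ports, and digitalv's answer is "80 and 443 and nothing else" on a web server. The following is an added example, not code from the thread or from any scanning vendor, of how to check your own external scan against that rule and turn the rule into a host firewall policy. It assumes you scanned the server yourself with `nmap -sT -p- -oG - <host>` and have the greppable output; the scan text embedded here is constructed for a hypothetical server at 203.0.113.10 (an RFC 5737 documentation address) and is not a real result. The optional `admin_src` parameter, which lets SSH in from one administrative address only, goes slightly beyond the post's advice and is this example's own addition.

```python
"""Audit an nmap greppable (-oG) scan against a port allowlist and emit an
nftables ruleset that enforces "only 80 and 443 from the Internet".

Added example; the sample scan below is constructed, not a real result.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `nmap -sT -p- -oG -` output for a hypothetical host.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Tue Jan 18 20:00:00 2011 as: nmap -sT -p- -oG - 203.0.113.10
Host: 203.0.113.10 (shop.example)\tStatus: Up
Host: 203.0.113.10 (shop.example)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65529)
# Nmap done at Tue Jan 18 20:05:00 2011 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# The thread's rule for a web server: only HTTP and HTTPS reachable from outside.
WEB_ALLOWLIST: Set[Tuple[int, str]] = {(80, "tcp"), (443, "tcp")}

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

Entry = Tuple[int, str, str, str]  # (port, proto, state, service)


def parse_gnmap(text: str) -> Dict[str, List[Entry]]:
    """Return {host: [(port, proto, state, service), ...]} from -oG text."""
    result: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # "Status: Up" line carries no port data
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, _ver = m.groups()
            result.setdefault(host, []).append((int(port), proto, state, service))
    return result


def audit(scan: Dict[str, List[Entry]],
          allowlist: Set[Tuple[int, str]]) -> Dict[str, List[Entry]]:
    """Ports the scanner saw as open (or open|filtered) that are not allowed.

    A plain 'filtered' state means the firewall already drops the traffic,
    so it is not reported as a finding.
    """
    findings: Dict[str, List[Entry]] = {}
    for host, entries in scan.items():
        findings[host] = [e for e in entries
                          if e[2].startswith("open") and (e[0], e[1]) not in allowlist]
    return findings


def nft_ruleset(allowlist: Set[Tuple[int, str]],
                admin_src: Optional[str] = None) -> str:
    """Render a default-deny nftables input chain that admits only the allowlist.

    admin_src (hypothetical parameter) optionally admits SSH from one address,
    so management access is restricted by source instead of exposed to everyone.
    """
    tcp = sorted(p for p, proto in allowlist if proto == "tcp")
    udp = sorted(p for p, proto in allowlist if proto == "udp")
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
        "    ip6 nexthdr ipv6-icmp accept",
    ]
    if tcp:
        lines.append(f"    tcp dport {{ {', '.join(map(str, tcp))} }} accept")
    if udp:
        lines.append(f"    udp dport {{ {', '.join(map(str, udp))} }} accept")
    if admin_src:
        lines.append(f"    ip saddr {admin_src} tcp dport 22 accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, bad in audit(scan, WEB_ALLOWLIST).items():
        for port, proto, state, service in bad:
            print(f"{host}: {port}/{proto} ({service}) is {state} but not on the allowlist")
    print(nft_ruleset(WEB_ALLOWLIST, admin_src="198.51.100.7"))
```

Against the constructed scan this reports 21/tcp (ftp), 22/tcp (ssh) and 3306/tcp (mysql) as findings and leaves 8080 alone because it is already filtered. Note that the vendor scan is run from the Internet, so a port that is open on the box but blocked by an upstream firewall will not appear; scan from outside your own network to see what the assessor sees, and load the generated ruleset with `nft -f` only after confirming you still have a management path.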