PCI Compliance Infrastructure.

Being given the run around...

Leonidas

11:29 am on May 9, 2006 (gmt 0)

I'm exploring PCI Compliance, partly to optimize our existing shopping cart, and also as part of the possible take-on for a new application with a new shopping cart.

What I'm being told by the vendor of the new application is that it's possible to achieve PCI compliance holding the cardholder database in a secure encrypted area outside the directory tree on the same server as the application.

What I interpret the PCI specs and questionnaires to mean is that we need a separate non-Internet-exposed database server connected via a firewall to the application server.

I think the vendor is giving me the run-around. Am I right? Or is there an alternative approach that doesn't involve the need for an expensive new hosted server?
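The design the question describes, a cardholder database on its own non-Internet-exposed server behind a firewall from the application server, can be written down as a small first-match ruleset and checked against the properties PCI DSS Requirement 1 is after (no direct public access to the system that stores cardholder data, only the application tier allowed through, no unnecessary outbound path from the database). The following is an added example, not code from the thread or from any vendor; the addresses, port numbers, rule order and the `evaluate`/`segmentation_findings` helpers are constructed for illustration.

```python
"""Model the two-tier design from the question: an Internet-facing
application server in a DMZ, and a separate database server that only
the application server may reach through a firewall.

All addresses, ports and rules below are constructed for this example
(TEST-NET ranges, not real hosts).  The model covers connection
initiation only; a real stateful firewall returns reply traffic for an
allowed connection without a separate rule.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"


INTERNET = "0.0.0.0/0"
APP = "192.0.2.10"       # DMZ application server (constructed)
DB = "10.10.0.20"        # internal database server (constructed)
DB_PORT = 5432
HTTPS = 443

# First-match ruleset for the firewall sitting between the DMZ and the
# internal network that holds the cardholder database.
SEGMENTED = [
    Rule(APP + "/32", DB + "/32", DB_PORT, "allow"),   # only the app tier, only the DB port
    Rule(INTERNET, DB + "/32", None, "deny"),          # nothing else reaches the DB host
    Rule(DB + "/32", INTERNET, None, "deny"),          # DB host initiates nothing outbound
    Rule(INTERNET, APP + "/32", HTTPS, "allow"),       # shoppers reach the cart
    Rule(INTERNET, INTERNET, None, "deny"),            # explicit default deny
]

# The same ruleset with an extra "remote admin" hole punched in front of it,
# the kind of exception that quietly defeats the segmentation.
MISCONFIGURED = [Rule(INTERNET, DB + "/32", 22, "allow")] + SEGMENTED


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching a new connection from
    src to dst:port; an unmatched connection is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def segmentation_findings(rules: List[Rule]) -> List[str]:
    """List the ways `rules` fails the segmentation the question describes.
    An empty list means every check passed."""
    shopper = "203.0.113.5"  # an arbitrary Internet address (constructed)
    findings = []
    for port in (DB_PORT, 22):
        if evaluate(rules, shopper, DB, port) == "allow":
            findings.append(f"Internet host can reach the database server on port {port}")
    if evaluate(rules, DB, shopper, HTTPS) == "allow":
        findings.append("database server can open outbound connections to the Internet")
    if evaluate(rules, APP, DB, DB_PORT) != "allow":
        findings.append("application server cannot reach the database port")
    if evaluate(rules, shopper, APP, HTTPS) != "allow":
        findings.append("shoppers cannot reach the application server over HTTPS")
    return findings


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("misconfigured", MISCONFIGURED)):
        print(name, segmentation_findings(rules) or "ok")
```

The check is deliberately two-sided: it flags a database that the Internet can reach, and it also flags a rule order that blocks the application tier or the shoppers, because the usual way such a ruleset gets "fixed" in production is by adding a broad allow. Note that the single-server layout in the vendor's claim has no place for this firewall at all: whatever compromises the web application is already on the host that holds the data, so an "encrypted area outside the directory tree" only helps to the extent the decryption key is not on that same host.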

jklivin

5:27 pm on May 10, 2006 (gmt 0)

Currently there is no precedent for storing data on the same server at all, actually. I don’t believe you are getting factual information from your vendor.
It is that kind of misrepresentation that is putting a lot of merchants, webhosts, banks, etc. at risk.
We’ve gone through the auditing as a Level 1 Payment Gateway and that just isn’t the case.

You should consider a payment page option to alleviate your liability and also consider a company that is willing to offer you factual information. This isn’t a plea to use our services; it is just the facts.