Tycoon Talk
Tycoon Talk is part of Freelancer.com - find skilled workers online at a fraction of the cost.

eCommerce Tycoon


09-02-2010, 12:32 PM PCI Compliance
lamordnt
Name: Chris Moore
Hey Folks
I am pretty new to all this PCI Compliance stuff and am trying to get it figured out. I have read up a bit and understand the basics, but a client of mine is having some problems and failed an audit scan of their site. They are using GoDaddy for their hosting, and when they called GoDaddy, the support told them the only way to be compliant is to use GoDaddy's shopping cart system. The site is currently using a 3rd party merchant services cart, so I don't really understand where the failure to comply came from.

Has anyone else dealt with this sort of problem with GoDaddy? Their support team seems unwilling to offer up any solution other than their own in-house cart service.

I am assuming that since this new PCI compliance was just rolled out, it is going to become an increasing problem for a lot of ecommerce sites.

Any suggestions on how other folks have dealt with this sort of thing?

Responses much appreciated!
__________________
Chris


09-02-2010, 04:25 PM Re: PCI Compliance
duguqiubai
Hi,

You can ask your payment service provider to implement PaymentSeal. This method will shift PCI-Compliance woes to the payment service provider while improving shopper confidence on your site. Just google: PaymentSeal

09-02-2010, 04:35 PM Re: PCI Compliance
lynxus
Essentially, PCI compliance ensures that you don't hold customer card numbers, CVV2 etc. all on the same servers.

They have to be on different networks, firewalled etc.

Management of the servers has to be locked down by firewalls, jump boxes etc.

It's like security on drugs.
EVERYTHING has to be separate, locked down and proven that if, let's say, a webserver or a DB server etc. was hacked, they can't get hold of any info on people (card numbers, DOB etc.).

One way to get round being PCI compliant is just to use a 3rd party payment processor who is already PCI compliant.

PCI compliance is a huge headache, so if you "need!" to be compliant I suggest you hire someone who knows what to do and how to get people compliant. It's not fun. Especially if you don't know where to begin.
Last edited by lynxus; 09-02-2010 at 04:38 PM..
09-02-2010, 07:59 PM Re: PCI Compliance
chrishirst
Name: Chris Hirst
Are they actually handling the credit card details, numbers and CVVs?

If not, they do not need PCI compliance.
09-16-2010, 09:17 AM Re: PCI Compliance
X-Cart
There are levels of PCI compliance. See http://help.qtmsoft.com/index.php?ti...equirements.3F
09-17-2010, 01:18 AM Re: PCI Compliance
TWD
GoDaddy are notorious upsell/cross sell merchants so I would take anything they say with a grain of salt.

In a nutshell, if your client is using PayPal Standard Website Payments, Google Checkout or any similar 3rd party service which handles all the credit card details, there shouldn't be any PCI requirements at all (assuming for simplicity that they do not have bricks and mortar c.card transactions also).

If you are not using one of those services, but rather taking the credit card details directly on the CLIENT website, then the client will be required to complete the SAQ-C questionnaire (or SAQ-D if they keep the c.card information stored, which is just plain dumb).

There are two issues with SAQ-C or SAQ-D compliance: 1) you need a PCI compliant hosting environment, which by definition includes a dedicated server; 2) the payment application software (the ecommerce software) must be PA-DSS certified OR developed in house in accordance with PA-DSS principles.