Payment options and PCI compliance? Hosting recommendations?

Posts: 12
Joined: 04/10/2008

I have a site that is essentially ready to launch, except for the decision of hosting and payment gateway. The site sits in limbo while I weigh the options in light of the PCI standards.

I had decided on using the hosting company I already use, Anhosting, since it is endorsed on the Ubercart site. Unfortunately, Anhosting and the other two endorsed hosts seem to fall short on PCI criteria #1, a firewalled server. That rules out most shared hosting, right? Any recommendations for affordable PCI-capable hosts?

Am I correct that without a firewalled web host, current PCI-safe payment options would be Paypal or 2Checkout? Is anyone actively working on a Google Checkout gateway? If not and if there's interest, I'd be willing to help organize a bounty.

Ideally, the company I've developed this site for would like to process their online orders on their existing in-store machine. From what I can tell, that strategy seems to not be recommended now because of PCI, correct?

In hindsight, it seems odd that the PCI standard isn't mentioned in the Ubercart documentation. When I mentioned PCI to a co-worker who runs an ecommerce side business, he'd never heard of it either. Is lack of awareness the issue? Or are companies knowingly flying by the seat of their non-compliant pants?

Sorry for all the questions, I'm just grasping at straws trying to decide what to do. Any suggestions or insight are very much appreciated. Thanks!

Posts: 5269
Joined: 08/07/2007
Administrator, Head Code Monkey - I eat bugs.

Hmm... I think there is generally a lack of awareness and confusion about PCI compliance. I actually hadn't investigated the shared hosting sites we have affiliate links with for PCI compliance. The lack of mention in the docs is mostly a result of my documenting being behind my coding.

Looking over the docs once more, it reads to me to be referring to protecting your personal internet traffic with a firewall. This would mean your home or your office network. I can't imagine a web host wouldn't be operating behind a firewall, but maybe I'm misunderstanding something.

You might PM Lyle about the GCO module he was working on... it should be usable at this point, we were just waiting for a review from Google which sadly seems to be never coming.

Posts: 63
Joined: 04/16/2008
Cool profile pic award.

Actually glad you opened this. It is a topic that needs some feedback. I am just recently going through the PCI process myself. If I had to do it over again I think I would use a PCI-safe checkout like PayPal WPS, Payflow, 2Checkout or similar. The standards are almost impossible to comply with. The only real advantage is for level 4 merchants, where proof of compliance will most likely only be required in the event of an issue.

As far as the way your company wants to process the card orders, it may require that the CVV be stored with the PAN. For compliance, storage of the CVV is not allowed. I don't know if a manually entered credit card on your client's swipe terminal requires the CVV or not.
I know that at present UC can store the CVV, which is a compliance breaker if used (however, it is NOT functionality I would want to lose from UC, as without it automatic recurring billing is not possible unless you use one of the above PCI-safe methods).

I was informed that the firewall requirement applies to any and all internet-accessible devices. This includes the web server. As such I am currently waiting for my scan results from mcafeesecure.com against my e-commerce website. Hopefully this will let me know if my host provider and website pass these requirements.

This is just my view and experience so far, and any information offered should NOT be considered authoritative.
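The point raised in the last post, that the CVV must never be stored after authorization and that a stored full PAN is itself a compliance problem, is the part of this thread that is easy to get wrong in code. The following is an added example, not code from Ubercart or from any poster here. It takes a constructed checkout payload (the card number is the well-known 4111... test number, not a real account), strips the CVV and reduces the PAN to its last four digits before the record is persisted, and provides a check that flags records still carrying sensitive authentication data or a Luhn-valid card number. Field names such as `card_number`, `cvv` and `card_last4` are assumptions for the example; a real store would map them to its own form and database columns.

```python
import re

# Constructed sample of what a checkout form might post to the server.
# The card number is a Luhn-valid test number, not a real account, and
# every other value is made up for this example.
SAMPLE_CHECKOUT_PAYLOAD = {
    "order_id": 1001,
    "amount": "49.95",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "cardholder": "A. Customer",
}

# Field names (assumed for this example) that hold sensitive authentication
# data, which PCI DSS forbids storing once the transaction is authorized.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cvv2", "cid", "track_data", "pin")

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# is a candidate primary account number (PAN).
PAN_CANDIDATE_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if the string contains a Luhn-valid 13-19 digit card number."""
    for candidate in PAN_CANDIDATE_RE.findall(value):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def redact_for_storage(payload: dict) -> dict:
    """Build the record that may be written to the order database.

    The CVV (and any other sensitive authentication field) is dropped
    entirely, and the full PAN is replaced by its last four digits, which
    is enough for receipts and customer support but useless to a thief.
    The original payload is left untouched so the gateway call can still
    use it before it is discarded.
    """
    record = {}
    for key, value in payload.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue  # never persisted, never logged
        if key == "card_number":
            digits = re.sub(r"[ -]", "", str(value))
            record["card_last4"] = digits[-4:]
            continue
        record[key] = value
    return record


def find_storage_violations(record: dict) -> list:
    """Return the keys of a record that must not be stored as-is.

    A key is flagged when it names sensitive authentication data or when
    its string value contains a Luhn-valid card number. Run this over
    anything about to be written to a database, log or session store.
    """
    violations = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            violations.append(key)
        elif isinstance(value, str) and contains_pan(value):
            violations.append(key)
    return violations


if __name__ == "__main__":
    safe = redact_for_storage(SAMPLE_CHECKOUT_PAYLOAD)
    print("raw payload violations:", find_storage_violations(SAMPLE_CHECKOUT_PAYLOAD))
    print("redacted record:", safe)
    print("redacted violations:", find_storage_violations(safe))
```

The check is deliberately run on the record rather than on the form fields, so it also catches a PAN that leaks into a free-text field such as an order note. It is a guard for one store's own code path; it does not replace the external vulnerability scan or the self-assessment questionnaire the earlier posts refer to.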