Thank you all for your comments on the "Rackspace managed hosting vs in-house" thread. It's funny because this project originally came to me as "We want you to look into whether we should outsource to someone like Rackspace or keep sysadmin stuff in-house and hire a dedicated sysadmin and oh by the way we'd like to be PCI compliant and don't have a single part of PCI-DSS implemented, not even a single firewall".
I have succeeded in pointing out that the PCI compliant thing is a very big project and affects who we could possibly outsource to. It is pretty clear to me at this point that Rackspace probably isn't going to be able to do it even though they have a couple of token PCI offerings. As I understand it their services only satisfy a few of the 233 or so PCI requirements. And PCI is an all or nothing thing. Aside from just being more secure for the sake of principle, if you can't accomplish the whole thing there is little point in going down that road. Non-compliant is non-compliant. So we either go with one of the few hosting providers that specialize in PCI or we do it in-house.

The current debate within the company, which will have to be resolved before we can pick a hosting company or keep it in-house, is whether we *really* need to get PCI compliant or not. Will they ever really enforce this? We got a letter a few months ago saying our payment processor would start charging a fee if we hadn't completed our SAQ. Then we got another this week saying they would waive the fee. I guess a lot of customers complained and threatened to jump ship. My client doesn't want to be "the only imbecile on the block to actually implement all this stuff only to have it never enforced." And if all they are going to do is ask people to fill out an SAQ, there is now serious talk about just fudging the SAQ if there is little risk of getting caught. Bad karma for sure.

I explained that if they were to get caught they could be in for serious liability and likely jumped straight up to being a level 1 merchant requiring on-site audits, which could put them out of business. But for the purely business-minded it's all about risk vs reward. Various people in the company have made comments to the effect that the PCI security standard is way over-blown and egregiously unnecessary etc. I actually think the standard is pretty decent as far as such things go.
If just one year's worth of their card database gets stolen (and there is no way to know that it hasn't been already) and each of the 65,000 cards was charged with an average of $1000 in fraudulent charges, that's $65,000,000 alone. Not to mention all of the time lost in clearing up the mess over 65,000 people.

I called one of our payment processors and the lady told me that all we have to do is fill out the SAQ, get a scan, and then we are compliant. I asked her what if we answered "no" to everything? She said it doesn't matter. What the...? She referred me to complyguardnetworks.com who does their scans and fields any other PCI questions. I have called them twice in the last week and nobody answers or returns my calls. It's getting hard to believe that anyone is taking PCI seriously. We emailed our other payment processor and the reply was that we just need to fill out a questionnaire. How can they expect anyone to take PCI seriously with this sort of thing going on? No enforcement, payment processors themselves misinforming clients and treating it like a joke, business owners taking 65,000 cards a year and not understanding the potential harm they could do to people if they are compromised, etc.

Since our processors aren't very helpful I have put in a call to the PCI-DSS council (had to leave a message since they are east coast and were already closed when I called) and may well just call Visa tomorrow to get their take on things. The problem is that I'm pretty sure they will say that yes, they are serious about PCI, but won't give me any hard info on when they will enforce it or what that enforcement might look like.

So what has your experience with PCI been? Is anyone really enforcing it on level 3 merchants? What if they just keep blowing it off? How long can they get away with it? Will the payment card brands ever finally put some pressure on the payment processors to clean up their act?
It must be made clearly more expensive to be out of compliance than to be compliant. Penalties need to be levied and someone made an example of or it just won't happen. If anyone has any contacts or knows any level 3 merchants who have been forced to become compliant I would love to be put in touch with them so I could hold them up as examples that other people are doing it and not doing it does incur serious penalties. -- Tracy Reed http://tracyreed.org
