You will undoubtedly come across many online suggestions in regards to this, and the fact is, various opinions exist.
The real answers are available at the official website of the PCI Security Standards Council site: https://www.pcisecuritystandards.org
Unfortunately, the technical documentation is difficult to understand for most.
Our opinion:
If you plan to accept credit cards through your website AND you do not store credit card numbers in your database at anytime in the process, then you may be suitable for a regular web hosting solution that meets PCI compliance scan requirements
We believe that if you plan to store credit card data (permanently or temporarily) in your database, then you would fall under the requirement of a “Managed Dedicated Server with PCI Compliance“.
Example #1 (A website that most likely can be hosted on a Zenutech e-commerce shared hosting solution with PCI compliance):
Bob has an online store that sells shoes.
Bob receives less than 200 unique visits to his website per day (low to medium traffic)
Bob has an SSL certificate with Zenutech and a merchant account with Beanstream to process credit card transactions. Bob also subscribes to the monthly PCI compliance scans from Zenutech.
When a client orders shoes from Bob:
- The client selects the products
- The client goes through a standard “checkout” shopping cart system protected by SSL encryption hosted at Zenutech
- The client enter his/her credit card information on Bob’s website, in a secure form protected by SSL encryption
- When the client “submit” the information, the credit card information is immediately sent to Beanstream (Bob’s merchant account) for processing through a secure channel (often referred to as a “cURL secure connection”)
- The credit card data is never stored on the Zenutech hard drive (except in memory for php variables), because the information flows from the secure form, and directly into a secure channel with Beantream for immediate processing
Please note:
In the above scenario, Bob would require a dedicated server with PCI compliance if he received website traffic (visitors) which would monopolize a shared hosting server’s resources and slow down the server. In other words, if Bob received over 2000 visits per day, he may need a dedicated server because he consumes far too much CPU and memory on the server sharing the resources with other clients, even if he never stores credit card information.
Example #2 (A website that most likely requires hosting on a Zenutech Managed Dedicated Hosting solution with PCI compliance):
Jenny has an online business magazine subscription service where she provides online readers the ability to view a special edition of a magazine every month, in exchange for a fee.
Jenny receives thousands of simultaneous viewers when a new version of the magazine is made available on a monthly basis.
Jenny charges a monthly fee, each month from the list of stored credit card information in her database.
Since Jenny is storing credit card information directly into her database and the information is not only stored in memory (RAM), Jenny’s responsibilities are INCREASED SIGNIFICANTLY to protect the information she stores in her database. Jenny also places herself at a much greater risk of liability by storing such information physically on the system. Jenny must ensure she uses proper standards to meets all the additional PCI compliance requirements for conducting such business processes, in order to reduce her liability in the event that a system becomes compromised.
Zenutech can provide one or more dedicated server in such an environment. In the case of storing credit cards such as Jenny’s example, we would recommend at least two servers. One would be used for the website interaction (also referred to as a server located in the “DMZ”), and the other would be used for a server with no external IP address. A secure connection would be implemented between server #1 and server #2 in order to transmit the credit card information back and forth.
It is the client’s responsibility (Jenny’s responsibility in this case) to determine what liability risk she is prepared to accept based on the business processes she has.
Although your merchant provider likely has terms and conditions to follow when conducting business as a merchant, you should also be aware of the various policies that are enforced by each major credit card company.
For example, if you do have a system that becomes compromised and you have not taken appropriate precautions,Visa and MasterCard may impose penalties (fines) according to their own policies.
VISA USA: http://usa.visa.com/merchants/risk_management/cisp_overview.html
VISA Canada: http://www.visa.ca/en/merchant/fraud-prevention/account-information-security/merchant-levels-defined/index.jsp
MasterCard USA: http://www.mastercard.com/us/sdp/merchants/merchant_requirements.html
MasterCard Canada: http://www.mastercard.com/ca/merchant/en/getstarted/rules.html and http://www.mastercard.com/ca/merchant/en/security/index.html . Although we couldn’t find a website explaining the fines/penalties for MasterCard Canada, it doesn’t mean they don’t exist! Take precautions!