{"id":249,"date":"2011-01-07T11:13:06","date_gmt":"2011-01-07T19:13:06","guid":{"rendered":"http:\/\/www.zenutech.com\/kb\/?p=249"},"modified":"2012-03-19T11:40:35","modified_gmt":"2012-03-19T19:40:35","slug":"do-i-need-a-pci-compliant-dedicated-server-or-regular-web-hosting-with-pci-compliance","status":"publish","type":"post","link":"https:\/\/www.zenutech.com\/kb\/article\/do-i-need-a-pci-compliant-dedicated-server-or-regular-web-hosting-with-pci-compliance\/","title":{"rendered":"Do I need a PCI compliant dedicated server or regular web hosting with PCI compliance?"},"content":{"rendered":"<p>You will undoubtedly come across many online suggestions regarding this, and the fact is, various opinions exist.<\/p>\n<p>The real answers are available at the official website of the PCI Security Standards Council: <a title=\"PCI Security Standards Council site\" href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_blank\">https:\/\/www.pcisecuritystandards.org<\/a><\/p>\n<p>Unfortunately, the technical documentation is difficult to understand for most.<\/p>\n<p>Our opinion:<\/p>\n<p>If you plan to accept credit cards through your website AND you do <strong>not<\/strong> store credit card numbers in your database at any time in the process, then you may be suitable for a <a title=\"E-Commerce Ready Hosting\" href=\"\/ecommerce\/ecommerce-ready-hosting\/\" target=\"_blank\">regular web hosting solution that meets PCI compliance scan requirements<\/a>.<\/p>\n<p>We believe that if you plan to store credit card data (permanently or temporarily) in your database, then you would fall under the requirement of a &#8220;<a title=\"Managed Dedicated Servers with PCI Compliance\" href=\"\/hosting\/dedicated-servers\/pci-compliant\/\" target=\"_blank\">Managed Dedicated Server with PCI Compliance<\/a>&#8221;.<\/p>\n
<p><strong>Example #1<\/strong> (A website that most likely can be hosted on a <a title=\"Zenutech E-Commerce Ready Hosting\" href=\"\/ecommerce\/ecommerce-ready-hosting\/\" target=\"_blank\">Zenutech e-commerce shared hosting solution<\/a> with PCI compliance):<\/p>\n<p>Bob has an online store that sells shoes.<br \/>\nBob receives less than 200 unique visits to his website per day (low to medium traffic).<br \/>\nBob has an SSL certificate with Zenutech and a merchant account with Beanstream to process credit card transactions. Bob also subscribes to the monthly PCI compliance scans from Zenutech.<\/p>\n<p>When a client orders shoes from Bob:<\/p>\n<ul class=\"bullets\">\n<li>The client selects the products<\/li>\n<li>The client goes through a standard &#8220;checkout&#8221; shopping cart system protected by SSL encryption hosted at Zenutech<\/li>\n<li>The client enters his\/her credit card information on Bob&#8217;s website, in a secure form protected by SSL encryption<\/li>\n<li>When the client &#8220;submits&#8221; the information, the credit card information is immediately sent to Beanstream (Bob&#8217;s merchant account) for processing through a secure channel (often referred to as a &#8220;cURL secure connection&#8221;)<\/li>\n<li>The credit card data is never stored on the Zenutech hard drive (except in memory, in PHP variables), because the information flows from the secure form directly into a secure channel with Beanstream for immediate processing<\/li>\n<\/ul>\n<p>Please note:<\/p>\n<p>In the above scenario, Bob would require a dedicated server with PCI compliance if he received website traffic (visitors) which would monopolize a shared hosting server&#8217;s resources and slow down the server. In other words, if Bob received over 2000 visits per day, he may need a dedicated server because he would consume far too much CPU and memory on a server shared with other clients, even if he never stores credit card information.<\/p>\n
<p><strong>Example #2<\/strong> (A website that most likely requires hosting on a <a title=\"Zenutech Managed Dedicated Hosting solution with PCI compliance\" href=\"\/hosting\/dedicated-servers\/pci-compliant\/\" target=\"_blank\">Zenutech Managed Dedicated Hosting solution with PCI compliance<\/a>):<\/p>\n<p>Jenny has an online business magazine subscription service where she provides online readers the ability to view a special edition of a magazine every month, in exchange for a fee.<br \/>\nJenny receives thousands of simultaneous viewers when a new version of the magazine is made available on a monthly basis.<br \/>\nJenny charges a monthly fee, each month, from the list of stored credit card information in her database.<\/p>\n<p>Since Jenny is storing credit card information directly in her database, and the information is not only held in memory (RAM), Jenny&#8217;s responsibilities are INCREASED SIGNIFICANTLY to protect the information she stores in her database. Jenny also places herself at a much greater risk of liability by storing such information physically on the system. Jenny must ensure she uses proper standards to meet all the additional PCI compliance requirements for conducting such business processes, in order to reduce her liability in the event that a system becomes compromised.<\/p>\n<p>Zenutech can provide one or more dedicated servers in such an environment. In the case of storing credit cards, as in Jenny&#8217;s example, we would recommend at least two servers. One would be used for the website interaction (also referred to as a server located in the &#8220;DMZ&#8221;), and the other would be a server with no external IP address. A secure connection would be implemented between server #1 and server #2 in order to transmit the credit card information back and forth.<\/p>\n
<p>It is the client&#8217;s responsibility (Jenny&#8217;s responsibility in this case) to determine what liability risk she is prepared to accept based on the business processes she has.<\/p>\n<p>Although your merchant provider likely has terms and conditions to follow when conducting business as a merchant, you should also be aware of the various policies that are enforced by each major credit card company.<\/p>\n<p>For example, if you do have a system that becomes compromised and you have not taken appropriate precautions, Visa and MasterCard may impose penalties (fines) according to their own policies.<\/p>\n<p>VISA USA: <a title=\"Visa USA\" href=\"http:\/\/usa.visa.com\/merchants\/risk_management\/cisp_overview.html\" target=\"_blank\">http:\/\/usa.visa.com\/merchants\/risk_management\/cisp_overview.html<\/a><br \/>\nVISA Canada: <a title=\"Visa Canada\" href=\"http:\/\/www.visa.ca\/en\/merchant\/fraud-prevention\/account-information-security\/merchant-levels-defined\/index.jsp\" target=\"_blank\">http:\/\/www.visa.ca\/en\/merchant\/fraud-prevention\/account-information-security\/merchant-levels-defined\/index.jsp<\/a><br \/>\nMasterCard USA: <a title=\"MasterCard USA\" href=\"http:\/\/www.mastercard.com\/us\/sdp\/merchants\/merchant_requirements.html\" target=\"_blank\">http:\/\/www.mastercard.com\/us\/sdp\/merchants\/merchant_requirements.html<\/a><br \/>\nMasterCard Canada: <a title=\"MasterCard Canada\" href=\"http:\/\/www.mastercard.com\/ca\/merchant\/en\/getstarted\/rules.html\" target=\"_blank\">http:\/\/www.mastercard.com\/ca\/merchant\/en\/getstarted\/rules.html<\/a> and <a title=\"MasterCard Canada\" href=\"http:\/\/www.mastercard.com\/ca\/merchant\/en\/security\/index.html\" target=\"_blank\">http:\/\/www.mastercard.com\/ca\/merchant\/en\/security\/index.html<\/a>. Although we couldn&#8217;t find a website explaining the fines\/penalties for MasterCard Canada, it doesn&#8217;t mean they don&#8217;t exist! Take precautions!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Answers and various hypothetical examples<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,14],"tags":[204,261,93],"class_list":["post-249","post","type-post","status-publish","format-standard","hentry","category-dedicated-servers","category-e-commerce","tag-credit-card","tag-pci","tag-pci-compliance"],"_links":{"self":[{"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/posts\/249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/comments?post=249"}],"version-history":[{"count":24,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/posts\/249\/revisions"}],"predecessor-version":[{"id":551,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/posts\/249\/revisions\/551"}],"wp:attachment":[{"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/media?parent=249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/categories?post=249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zenutech.com\/kb\/wp-json\/wp\/v2\/tags?post=249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}