Hello,
I'm wondering if anybody has trouble getting PCI compliant. My merchant processor (Elavon) works with Trustkeeper and they require me to complete a self assessment and questionnaire.
They use the Trustkeeper by Trustwave system, which requires me to complete "SAQ D 2.0". This should be the same for anybody who takes the credit card information on the website and then passes it through to their payment processing gateway (no storage of credit card details).
I have been able to complete all items and pass the vulnerability scan after making a few adjustments to the website. The only remaining item is "Penetration Testing", which is part of the questionnaire. According to Trustkeeper support, the question targets the hosting provider; i.e. they are required to perform Penetration Testing on their network. I should answer the question based on their response.
My hosting provider is inmotionhosting.
I was told that I should get either their response to the "SAQ D" or, alternatively, an ROC (report of compliance) or AOC (attestation of compliance). I have been talking to and emailing with inmotionhosting all day without success. They state on their website that they are PCI compliant, but they refuse to hand over any proof in the forms mentioned above. Furthermore the support agents claim that they have never had such a request.
Given that inmotionhosting is the preferred provider for Prestashop, I am stunned that they have never heard this before and I have a few questions for the community.
1. Are all Prestashop merchants required by their payment processor to complete the PCI self-assessment questionnaire? Do folks get different versions (i.e. A, B, C or C-VT) instead of D?
2. For merchants who get the SAQ D, how do they answer the "Penetration Testing" (PT) question? From what I have found, PT costs upwards of $5K and I doubt that most of us small merchants can even afford this.
3. Has anybody tried to get proof of PCI compliance from inmotionhosting or a different hosting provider?
Obviously breaches are commonplace these days and I'm a little worried that we're the ones stuck with some responsibility here if the hosting provider won't even attest to the PCI compliance of their datacenters!
Any feedback would be greatly appreciated!