
PCI Compliance of Hosting Provider



Hello, 

 

I'm wondering if anybody has trouble getting PCI compliant. My merchant processor (Elavon) works with TrustKeeper, and they require me to complete a self-assessment questionnaire.

 

They use the Trustkeeper by Trustwave system, which requires me to complete "SAQ D 2.0".  This should be the same for anybody who takes the credit card information on the website and then passes it through to their payment processing gateway (no storage of credit card details).

 

I have been able to complete all items and pass the vulnerability scan after making a few adjustments to the website. The only remaining item is "Penetration Testing", which is part of the questionnaire. According to TrustKeeper support, the question targets the hosting provider; i.e. they are required to perform penetration testing on their network. I should answer the question based on their response.

 

My hosting provider is inmotionhosting.

 

I was told that I should get either their response to the "SAQ D" or, alternatively, an ROC (Report on Compliance) or AOC (Attestation of Compliance). I have been talking to and emailing with inmotionhosting all day without success. They state on their website that they are PCI compliant, but they refuse to hand over any proof in the forms mentioned above. Furthermore, the support agents claim that they have never had such a request.

 

Given that inmotionhosting is the preferred provider for PrestaShop, I am stunned that they have never heard this before, and I have a few questions for the community.

 

1. Are all PrestaShop merchants required by their payment processor to complete the PCI self-assessment questionnaire? Do folks get different versions (i.e. A, B, C or C-VT) instead of D?

 

2. For merchants who get the SAQ D, how do they answer the "Penetration Testing" (PT) question? From what I have found, PT costs upwards of $5K, and I doubt that most of us small merchants can even afford this.

 

3. Has anybody tried to get proof of PCI compliance from inmotionhosting or a different hosting provider?

 

Obviously breaches are commonplace these days, and I'm a little worried that we're the ones stuck with some responsibility here if the hosting provider won't even attest to the PCI compliance of their datacenters!

 

Any feedback would be greatly appreciated!

 


1 month later...

Hi —

 

Curious if you've had any update since your post. I'm also trying to ensure PCI compliance for a PrestaShop site, and am about to move from A2 Hosting (who provides no help wrt PCI) to InMotion. The rep at InMotion assured me that they provide PCI compliant hosting, and will work with me to accomplish it... I assumed that they do their own internal penetration testing in order to claim PCI compliant hosting, but maybe that's wrong?

 

So in the end, were you able to get verification of PCI compliance with InMotion?

 

Regarding the SAQ version, I'm also using TrustKeeper but got SAQ A-EP 3.0. I believe it's because I'm using a direct post payment method, so the credit card info never lands on our server.

 

Also curious if anyone else has truly obtained PCI Compliance with PrestaShop on any host. Seems like PCI compliance is far too complex for most small businesses to accomplish on their own, and my impression is that most small ecommerce websites essentially ignore it... 


PCI compliance on a shared hosting platform is going to be difficult to obtain. You might want to look into a different payment platform that offloads the collection of the credit card so that your server never receives it, which removes you from having to be compliant.

 

Stripe and Braintree both offer that style of payment processing, and do not require you to be PCI compliant at all.


Thanks for the input. I have been looking into Stripe over the past couple of days, and learning more about the details.

 

Just to be clear, as of Jan 1st 2015 the new PCI DSS 3.0 will be fully effective, and will require servers to be PCI compliant if they serve the form that collects the CC info, even if the CC info is posted directly to the payment processor and never touches your server. This is evidently a change from PCI DSS 2.0, where serving the form via SSL was enough.

 

It does look like Stripe has a drop-in replacement that ensures 3.0 compliance by serving the CC form from their servers via an iframe. (Technically speaking, this seems like a weird loophole, since the theoretical problem is that an attacker modifies the code on your server which serves the CC form, and the same type of attack could easily modify the code that serves the iframe...)

 

For sites that use a direct post method, with the CC form served from their own servers, the new SAQ A-EP appears to be the correct Self-Assessment Questionnaire.
