DO Ideas 2

PCI Compliance

Hi, the service should be PCI compliant. I run a hosting company and our billing/customer portal is hosted on a DigitalOcean VPS. We want to begin accepting credit cards.

  • shovenose
  • Sep 11 2018
  • Attach files
  • Scot Self commented
    September 11, 2018 19:00

    This is truly and incredibly disappointing. So much for our $320/mo business with DO, guess we're going to have to take it to AWS.

  • James Ruffer commented
    September 11, 2018 19:00

    Sorry for this post. We are now trying to retract our comment. The main issue is the Data Center is NOT PCI compliant. In order for this to change, DO needs to show you an AOC for the Data Center. They cannot and have no plans to do this in the future. This means if you need to be or think you're compliant you're wrong. We are moving everything back to RackSpace because if a breach happens we are liable because we are hosting on a non PCI compliant Data Center.

    This means if you are running even a simple magento site doing more than 6M transactions/Inquiries/Pre-auth with Visa or MasterCard you are required to be level 1 and using DO, you are liable if you get hacked.

  • Jason Ruyle commented
    September 11, 2018 19:00

    What we're those couple of things yo needed from DO?

  • James Ruffer commented
    September 11, 2018 19:00

    We have achieved our PCI level 1 compliance certification while hosting on DigitalOcean. We needed to get a couple of things from DigitalOcean but at the end of the day we were able to show how to secure the server and passed. Happy to help anyone attempting to get level 1

  • James Ruffer commented
    September 11, 2018 19:00

    We are going to attempt to get a level 1 PCI cert while hosting at Digital Ocean this month. The only part we are worried about is the physical security of the data center. Would the data centers happen to already be PCI certified?

  • Anonymous commented
    September 11, 2018 19:00

    There are different levels of PCI compliance, as in being a merchant with a store, to processing credit cards online to simply passing data via the hosting partner, storing nothing and having the end provider do the processing. So that is at least 3 levels, probably more

  • Anonymous commented
    September 11, 2018 19:00

    Amazon AWS is PCI compliant...
    More info here : http://aws.amazon.com/compliance/pci-dss-level-1-compliance-faqs/

  • Moisey Uretsky commented
    September 11, 2018 19:00

    PCI compliance is a giant hurdle and we aren't investigating it at this time.

    Thanks!

  • Micheal Cottingham commented
    September 11, 2018 19:00

    You are going to have a hard time getting a QSA to sign off on a cloud hosting provider.

    - You need a separate PCI-compliant network
    - Access controls must be in place (kind of hard when the web host owns the hypervisor, as in, impossible)
    - End-to-end encryption of data in transit and at rest

    This is just some basics. I am not a QSA and I don't work for a company that offers those assessments, but I have some experience with the process.

    Long story short, you won't have any luck with getting Digital Ocean to certify or get certified. Your best bet is to use a processor like Stripe or another one. Sorry to be the bearer of bad news, but that's the way it is unfortunately.

  • Anonymous commented
    September 11, 2018 19:00

    PCI compliance is a huge burden. Its not really viable for a company of digital oceans size to invest in.

    You are best off using a payment gateway that abstracts the PCI compliance burden from you, rather than captuing card information directly.

  • Matt Walston commented
    September 11, 2018 19:00

    I've had experience in PCI qualification.

    First off, find out if you need to. Depending on how you process payments and card information, this may not be necessary.

    Second, if you're business has strong cash flow and modest customization (getting better everyday) consider a full-stack solution like Shopify.

    Third, if you are trying for your own PCI audit, be aware that the cost can be up to $225k USD. The PCI folks aren't that technically demanding. It is largely a money game.

    Here is what I did on a $120k/mo e-commerce site-- Payment provider started out as Stripe. After they became too expensive with their 2.9% pricing, I implemented Ubergateway (now Samurai with Fee Fighter) and a traditional merchant account. No cardholder data on my system. The card data is vaulted on provider's infrastructure. They are fully PCI compliant. I did get shaken down for a $100 junk fee by merchant provider and filled out a one page form explaining that I do not maintain cardholder data. These luddites only care about card holder data because they are convinced that there main customers, the credit card companies, face a greater risk online than in brick and mortar. After becoming frustrated with unreadable billing statements and junk fees. I sent those same statements to Stripe to mull over and was offered a significantly lower rate than 2.9% due to having over $1m / annual in sales. We now use Stripe. Google Checkout is available for backup, but is currently not promoted.

  • Moisey Uretsky commented
    September 11, 2018 19:00

    No for true PCI compliance you will need to get audited by a proper company that can issue PCI certification and their guidelines would indicate if its even possible to get PCI certified in a cloud environment.

  • shovenose commented
    September 11, 2018 19:00

    So you're saying if my website is taken care of PCI compliance then I should have no trouble while using your service?

  • Moisey Uretsky commented
    September 11, 2018 19:00

    PCI Compliance is a multi-step process and you would need to inquire with auditor if you are able to become PCI compliant running on top of a cloud platform, we are not our selves PCI compliant but our physical datacenters would qualify.

  • Moisey Uretsky commented
    September 11, 2018 19:00

    I would hesitate to recommend any cloud based solution for PCI compliance, I would agree with Kenn you either want to pass off all of your merchant processing directly to a processor like Stripe or Authorize, otherwise you would want to select a fully certified PCI complaint server provider and run on dedicated hardware.

  • Kenn Ejima commented
    September 11, 2018 19:00

    @Albeda why don't you just use https://stripe.com ? I don't think VPS (DigitalOcean) is the right layer of the solution for PCI compliance. Use third party vendors like Stripe.

  • Albeda commented
    September 11, 2018 19:00

    @Moisey Uretsky
    Yes tit's involved especially when you're storing credit card information on a server. Doing that you'll need costly third-party audits, security measures, scans, and such.

    However, this suggestion is only regarding the most basic level of PCI Compliance so that at least the merchant meet the requirements to capture credit cards while just send all the rest of the liability to the credit card processor under an encrypted connection.

  • Moisey Uretsky commented
    September 11, 2018 19:00

    PCI compliance is a pretty involved process, I think inherently running in a public cloud would be breaking that.