What are the services you need from Dynamic Net, Inc. once you’ve made the decision you want to have a fully integrated (i.e. the customer never leaves your web site) PCI Compliant hosting experience?
Maybe you’ve been one of our customers for years, and need to be PCI compliant for your eCommerce offerings. Maybe you’ve read Revealing the process of becoming PCI Compliant, and decided you want care from a provider with high integrity as well as great security. Either way, you want to know the minimum requirements you need from us in order to get off the ground and become PCI Compliant.
Most of our customers are small to medium businesses, and the overwhelming majority of them fit well in our PCI Compliant Linux Professional Hosting Plan (or any of our hosting plans).
In addition to a hosting plan which will pass PCI Compliance scans from companies like SecurityMetrics.com and TrustKeeper — a TrustWave brand — you also need a secure certificate (also known as a digital ID) as well as a dedicated IP address for your site.
Most of our customers go with the GeoTrust QuickSSL Secure Certificate which runs $100 per year if you purchase it from our company. However, you are free to use almost any secure certificate (SSL) vendor; you do not have to purchase your secure certificate from our company. Our servers support secure certificates from Comodo, GeoTrust, InstantSSL, RapidSSL, Verisign, Thawte, and many others.
In addition to PCI Compliant hosting, a secure certificate, and a dedicated IP address, you will also need to contract with an authorized PCI Compliance scanning vendor.
We strongly recommend SecurityMetrics.com, which is approved by the PCI Security Standards Council. Another authorized scanning provider that is easy to work with for small businesses is Control Scan.
Once you are under our hosting care, have a dedicated IP address (a requirement for the secure certificate), and have your secure certificate (so areas of your site — including your entire site if needed — can use https), then prior to any PCI Compliance Scan you want to make sure your applications — including, but not limited to, Drupal, Joomla, and WordPress — are completely up to date, including any add-ons, plugins, and themes.
You will want to review, or have your developer review, that any custom code handling customer information — whether or not credit card data is being collected — uses secure coding techniques. This includes making sure all input and output is sanitized, and testing to ensure code cannot be injected or otherwise manipulated remotely. It may also involve the developer recoding old techniques that relied on direct operating system calls to more secure techniques that use what are referred to as black boxes.
If you are not sure of your code, check with our support department, and they will do their best to help review what you are using and make suggestions to help with PCI Compliance.
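As an added illustration (not code from Dynamic Net or from any of the applications named above), here are the two legacy patterns such a review looks for, each beside its safer form: an operating system command assembled from user input versus a validated argument list handed to a library call with no shell, and a concatenated SQL query versus a bound parameter. It is written in Python for brevity; the file-name allowlist, the customer table and its rows are constructed for the example.

```python
# Added example: legacy patterns beside safer ones, self-contained and offline.
import re
import sqlite3
import subprocess

# Allowlist for user-supplied file names (constructed for this example).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

def validate_filename(name: str) -> str:
    """Reject anything that is not a plain file name: no '/', ';', spaces or '..'."""
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected unsafe file name: {name!r}")
    return name

def legacy_receipt_command(user_file: str) -> str:
    """Legacy pattern: user input pasted into a shell command string."""
    return f"cat uploads/{user_file}"  # a name containing ';' would add a second command

def hardened_receipt_command(user_file: str) -> list:
    """Safer pattern: validate first, then build an argument list for subprocess."""
    return ["cat", f"uploads/{validate_filename(user_file)}"]

def run_receipt(user_file: str) -> subprocess.CompletedProcess:
    # A list with shell=False (the default) means metacharacters stay literal bytes.
    return subprocess.run(hardened_receipt_command(user_file),
                          capture_output=True, text=True, check=False)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for a real order database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, email TEXT, last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "ann@example.com", "4242"), (2, "bob@example.com", "1111")])
    return db

def legacy_lookup(db: sqlite3.Connection, email: str) -> list:
    """Legacy pattern: string concatenation, so the input becomes part of the SQL."""
    return db.execute(f"SELECT email FROM customers WHERE email = '{email}'").fetchall()

def hardened_lookup(db: sqlite3.Connection, email: str) -> list:
    """Safer pattern: a bound parameter is treated as data, never as SQL."""
    return db.execute("SELECT email FROM customers WHERE email = ?", (email,)).fetchall()
```

The same review applies to PHP code in the CMSs named above: the fix is the same in each case, route the operation through a library interface that takes the user value as data rather than as part of a command or query.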
Once you are ready, you then schedule a PCI Compliance Scan with your scanning vendor.
If you are able, please let our support department know the scanning vendor, the approximate date and time of the scan, and the IP address(es) the scan will come from. While this information is not necessary, it does help us help you, as we will typically monitor your site and the server your site is on more closely during the scan to ensure you have the best results.
Once your scan is complete, provided that you have also filled out your self-assessment questionnaire, you should now be fully PCI Compliant.
To summarize, what you need from us:
- Linux Professional Hosting Plan (or any of our hosting plans).
- Dedicated IP address (needed for a secure certificate).
What you need externally is an authorized PCI Compliance scanning vendor such as SecurityMetrics.com or Control Scan.
Contact us if you have any questions.