1
votes

I've been debating with a client who refuses to adopt PCI standards. I want to check with the community to make sure I'm correct in my objections.

Question: Is there a way to store credit card information on a shared hosting server AND be PCI compliant?

Here is the setup:

1) SSL is being implemented for the whole checkout process and for the client's site's admin section.

2) The credit card information is being stored on the server (a shared hosting plan) in a MySQL database. It is encrypted.

3) The client accesses a password protected admin panel and prints the credit card from her website.

4) The client then manually runs the credit card info through a terminal and deletes this credit card info from the server.

4
Off-topic for this site -- please read the FAQ. There is a security stackexchange site that is more appropriate.
President James K. Polk

I don't see why this is off-topic. I don't believe the existence of other SE sites where it would also be on-topic makes it off-topic here. It is a question about programming; the question describes a software system and asks if it has a certain property. The fact that the property is PCI compliance and not, say, O(n) running time or freedom from memory leaks does not seem significant.
Tom Anderson

Where is the decryption key stored? If it's on the machine, then an attacker with access to your machine can take all the card numbers, and this would not be PCI compliant even if it was on a dedicated host.
Tom Anderson

4 Answers

2
votes

No it is not.

Have a read through https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf - this is a good guide to PCI DSS stuff.

Personally, I'd say sections 5-10 are unlikely to be happening here.

0
votes

Sometimes as developers we have to guide clients toward best practices, even when they resist. This current practice of storing encrypted data sounds extremely risky. If your client is found to be in violation, the fines alone could destroy their business, and it could come back to haunt you, as well. There is some good info on this site: https://www.owasp.org/index.php/Handling_E-Commerce_Payments

Many merchant accounts are very affordable for small businesses. You should look into having your client set up with Authorize.net or a similar gateway. Setting up a cart/checkout process is moderately challenging, but if you were able to set up a system like you've described I'm sure you could figure it out within a week or so.

Good luck!

0
votes

It is possible to use a shared hosting provider and be PCI compliant. The PCI standard includes additional controls that must be in place if you are (or are using) a shared hosting provider.

The extra controls include the ability to separate processes between the different clients, control access to one client's data by another client, control access to audit logs, and others.

However, if you decide to go down this route... good luck!

-3
votes

Take a look at MaximumASP's maxesp cloud offering: http://www.maximumasp.com/products/cloudhosting/default.aspx

They claim to be "completely PCI compliant" for both web and data tiers on their shared hosting cloud plan. Short of evidence to the contrary, the answer to your question appears to be "yes" assuming MaximumASP's claim is valid. I'm not familiar enough with the details of PCI to argue against them but I'd be very interested if anyone else can refute the claim.