I’m excited to see this white paper on PCI compliance published today. This couldn’t be better timing for me, as I plan to spend the next few days on final shopping cart QA and security checks for the gench site.
It looks like most of the recommendations are pretty straightforward, but the big take-away is that I have to make sure the shared hosting service for the new gench e-commerce site is PCI DSS compliant. Something tells me earthlink probably isn’t compliant (their support guy once asked me for my password!!!).
My client is reluctant to move the gench site to another hosting provider, but we may have to if we want to avoid the huge fines and headaches non-compliance could entail.
It turns out earthlink offers a PCI DSS package (“contact us for a quote”) but it’s not part of the standard hosting agreement.
@abonham2012. The issue I have is that most shared hosting providers provide false information to customers. We had a client that contacted one company and was assured that their shared hosting offering was compliant. Thankfully we were able to convince him otherwise, but I imagine a lot of people don’t press further to make sure.
That said, I’m happy that earthlink at least provides an avenue for people to request a quote and start a proper conversation!
Yes – and I wonder who would be accountable if one were to trust a disreputable hosting provider making false claims of PCI compliance. How much due diligence is reasonable or expected of the consumer?
For now, I’ve decided to take the easy and cheap way out for the gench site: I’m using the Drupal PayPal WPS module, which allows me to have my cake (itemized cart on PayPal payment pages) and eat it too (I’m off the hook for PCI compliance since I’m not transmitting or storing credit card info).
I wanted to use a service called HostedPCI and a corresponding Drupal module. This would have embedded a PCI compliant iframe on my payment page, so the customer would feel like they’re paying on my site, but in actuality I’m neither storing nor transmitting credit card info. The only hitch is that HostedPCI only works with the Pro versions of PayPal, which start at $25 per month. A very reasonable expense, but not a viable solution for the gench site as it only sells a few CDs a year.
Thanks for commenting! You’re the first person not related to me to do so ; )