By Josh Bartolomucci | May 02, 2017
By Josh Bartolomucci | December 30, 2016
One of the "perks" of being a PCI Level 1 Service Provider is that we often get asked about becoming PCI compliant by friends and acquaintances. Often it's by a developer friend who knows enough about PCI to be cautious, but nonetheless really just wants the fastest path to full compliance. Unfortunately, when it comes to achieving PCI compliance "quickly" or "easily", we don't generally have the answer our friends want to hear.
This scene recently repeated itself when a long-time FoxyCart user reported that one of his clients needed to be PCI compliant in order to interact with a third party. The dev was looking at a specific cloud hosting provider that claimed to offer a "PCI compliant box" (i.e. a dedicated or virtual server that was PCI compliant "out of the box").
So what do we do when somebody simply must handle cardholder data? First, we need to explain what PCI compliance actually is. Next, we explain the options as we see them.
So first and foremost, we point to our "PCI DSS: What it is and what it means to you" post so we're starting from the same page. It's important to note that the vast bulk of the PCI DSS has very little to do with "servers". Rather, it's about policies and procedures, access control, logging and monitoring, change management, application design, and much more. So if you're shopping for a PCI compliant hosting environment, yes, the hosting provider does need to provide an environment that's capable of being PCI compliant. That's critically important, but it's just a small part of becoming truly PCI compliant.
(And of course, there are varying levels of PCI compliance, and as some would say, "The only winning move is not to play." If you can avoid full PCI compliance, you should.)
If a merchant truly cannot avoid full PCI compliance, there are a few options.
It's hard to give a good answer here, because the reality is that we've spent years and a great deal of time and money to actually "do" PCI correctly. So we could say, "Yeah, it's no big deal, just fill out the SAQ and get the scan," except we know that's not actually how it works. Yet we have a strong suspicion that the majority of merchants presenting an AOC for full compliance are, unfortunately, like Pinocchio in the image above.
We're sure you'll get a different answer from somebody who's been in the #3 boat (faking it) and never had to do #2 (full compliance), but from our perspective...
We aren't QSAs ourselves, but we've been in this business long enough to know more about PCI compliance than most. And at this point, our opinion is that unless you have money to burn and literally no other options, there are far better things to do with your time and resources than becoming PCI compliant. Trust us. We've done it. :)
Want to minimize your PCI compliance burden? It's up to you, but FoxyCart is free during development, and we're here to help. Give it a try.
The views expressed in the above post are the author's own, and may not reflect those of FoxyCart.com LLC.