Posted by Robin Greenhagen, President/CEO on September 25, 2009 11:18 AM
Several of the big names in the hosting and payments business have released "solutions" that promise PCI-DSS relief to Level 4 merchants (the lowest merchant level: roughly, fewer than 20,000 e-commerce transactions or under one million total card transactions a year, which covers most small businesses). Well, after reviewing almost 20 offerings, I can readily summarize this as "all hat, no cattle." A bunch of hot air.
One major hosting provider recommends that merchants simply not handle credit cards at all. Seriously? But what about the MILLIONS of merchants with custom-coded shopping carts, ERP systems, and business POS tools that rely on back-end databases holding their client and payment information? What about businesses that retain card data for recurring payments?
IMHO, these folks are trying to pull a bait-and-switch on a relatively unsophisticated (from an IT capabilities perspective) group. 'Hey, host in our "cloud" and follow our recommendations (or at least think you are following them), and you can be PCI-DSS compliant.' Wrong. That is PCI-DSS avoidance, not compliance: a provider's own validation covers the provider's infrastructure, and a merchant whose cart, database, or staff still store, process, or transmit cardholder data remains in scope for its own assessment no matter where the servers sit. Not really an option for millions of businesses.
These businesses need a REAL, PCI-DSS-compliant way to host their systems economically. We all know the hoops that a TRUE, VALIDATED, MANAGED PCI-DSS solution will require. It won't be cheap (no more $59-per-month hosting with no firewalls; Requirement 1 alone demands a maintained firewall configuration in front of anything that touches cardholder data!). But there will be solutions on the market that will withstand even the most rigorous QSA (Qualified Security Assessor) audit, or a REAL, HONEST Level 4 SAQ (Self-Assessment Questionnaire). Stay tuned for more from GSI!