Not PCI Compliant
amxfan
05-14-2008, 04:43 PM
I have recently moved one of my web sites over to Network Solutions from an unnamed provider. The reason I did this was that my old provider was not PCI compliant through Hacker Safe / Scan Alert. In fact they had 23 vulnerabilities found that they refused to fix. When I contacted Network Solutions they informed me that I would not have an issue with this on the plan that I purchased (due to the number of hits this site gets I did go with the shared plan). Now bear in mind that with these plans they do offer cart software for e-commerce. Well, I got everything moved and ran a scan through Scan Alert and guess what?!? The Apache version they are running has a major vulnerability and is preventing this site from being PCI compliant. I contacted Network Solutions and they informed me that they know of the issue and as of now they have NO plans of updating to a new version of Apache that does not have this vulnerability (ver. 2.2.8). They went on to state that to meet PCI compliance I must upgrade to their e-commerce hosting. Wait a minute... I was told I would not have an issue... These plans come with cart software but their shared hosting plans are not PCI compliant.... For laughs I checked another one of my sites that is hosted on Blue Host and did a scan on it and guess what? It passed with flying colors. Although Blue Host does not load as fast as Network Solutions, they are half the price. Yes, load time is very important, I know, but I find it hard to believe that a well known hosting provider is unwilling to upgrade from a version of Apache that is at least 3 versions old when a vulnerability is known, and a cheaper, somewhat no-name hosting provider outdoes them.
Sorry, but I cannot say much for Network Solutions, for I feel that I have been lied to and misled. The one site in question has over 1200 products. Network Solutions wants $99.95 a month for hosting even though I do not use their software. This is a big jump from the $13.30 / month that I am paying now. Also please keep in mind that I have my own SSL certification, I have my own cart; the only thing I needed from them was for their server to be PCI compliant. I see no reason in paying $100 / month when I already have the SSL certificate and cart. They still do not state in writing on their website that those accounts are PCI compliant. I was told this verbally over the phone by tech support.
Just food for thought if you plan on switching to them.
Other hosting provider experience:
Ipower web ----- Stay away from at all costs. Poor / no tech support, not PCI compliant, server vulnerabilities
Network Solutions ----- Not PCI compliant on shared hosting, tech support good, load times good
Blue Host ----- Load time a bit slow, tech support very good, no issues other than load time
HostGator ----- Tech support ok, NOT checked PCI compliance yet.
A copy and paste of Scan Alert's report of Network Solutions:
Severity: Medium (High in PCI)
Fixed in Apache httpd 2.2.8
Low: mod_proxy_ftp UTF-7 XSS ---> CVE-2008-0005
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Low: mod_proxy_balancer DoS ---> CVE-2007-6422
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Low: mod_proxy_balancer XSS ---> CVE-2007-6421
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Moderate: mod_status XSS ---> CVE-2007-6388
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Moderate: mod_imagemap XSS ---> CVE-2007-5000
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
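The report above is a list of CVEs with "Affects" version lists and a single "Fixed in" line, which is exactly what a merchant needs in order to check a host's Apache banner against it. The following is an added example, not code from the post or from Scan Alert; it parses the findings as quoted above and answers which CVEs apply to a given `Server` header (the banner strings in the test are constructed samples).

```python
import re

# Findings copied verbatim from the Scan Alert report quoted in the post above.
SCAN_ALERT_REPORT = """\
Fixed in Apache httpd 2.2.8
Low: mod_proxy_ftp UTF-7 XSS ---> CVE-2008-0005
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Low: mod_proxy_balancer DoS ---> CVE-2007-6422
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Low: mod_proxy_balancer XSS ---> CVE-2007-6421
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Moderate: mod_status XSS ---> CVE-2007-6388
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
Moderate: mod_imagemap XSS ---> CVE-2007-5000
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
"""

FIXED_RE = re.compile(r"^Fixed in Apache httpd (?P<version>[\d.]+)$")
FINDING_RE = re.compile(r"^(?P<sev>\w+):\s+(?P<title>.+?)\s+--->\s+(?P<cve>CVE-\d{4}-\d+)\s*$")
AFFECTS_RE = re.compile(r"^Affects:\s*(?P<versions>.+)$")


def parse_report(text):
    """Return (fixed_in_version, findings); each finding is a dict with
    severity, title, cve and the list of affected versions."""
    fixed_in, findings, current = None, [], None
    for line in text.splitlines():
        line = line.strip()
        m = FIXED_RE.match(line)
        if m:
            fixed_in = m.group("version")
            continue
        m = FINDING_RE.match(line)
        if m:
            current = {"severity": m.group("sev"), "title": m.group("title"),
                       "cve": m.group("cve"), "affects": []}
            findings.append(current)
            continue
        m = AFFECTS_RE.match(line)
        if m and current is not None:
            current["affects"] = [v.strip() for v in m.group("versions").split(",")]
    return fixed_in, findings


def version_from_banner(banner):
    """Extract the httpd version from a Server header such as 'Apache/2.2.6 (Unix)'."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", banner)
    return m.group(1) if m else None


def applicable_cves(banner, report=SCAN_ALERT_REPORT):
    """CVE ids whose 'Affects' list names the version in the banner."""
    version = version_from_banner(banner)
    return [f["cve"] for _, f in [(None, x) for x in parse_report(report)[1]]
            if version in f["affects"]]


def has_fix(banner, report=SCAN_ALERT_REPORT):
    """True when the banner version is at or above the report's 'Fixed in' version."""
    fixed_in, _ = parse_report(report)
    version = version_from_banner(banner)
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return version is not None and as_tuple(version) >= as_tuple(fixed_in)
```

A banner check is only as good as the banner: a host that suppresses the version (ServerTokens Prod) gives no answer, and a distribution that backports fixes without bumping the version will be flagged even though it is patched, which is one reason scanner results and a host's own assessment disagree.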
Shift4SMS
05-15-2008, 05:01 PM
There are solutions out there that can remove your site from PCI scope. Paypal has a complete SAQ written specifically with them in mind - SAQ A. We offer a solution (i4Go) that qualifies for SAQ A but leaves you in full control over how the credit card transaction is processed. With both these solutions, your site never handles credit card data and is therefore taken out of PCI scope.
Also, I use Intermedia.net for my "on-the-side" sites and they are PCI compliant.
craigmn3
05-15-2008, 05:10 PM
Your experience is similar to mine. I moved a website from Hostway (which has fallen down over the years) to Network Solutions... because they had a good name. It was gone in two weeks with a year's hosting fee forfeited.
They were awful.
I have had good results with
ipowerweb
Hostgator
Bluehost
The hoster I moved my site to aplus.net is excellent
and of course the best for tech support, usability and features is....Go Daddy
I can't (and won't) tell you how many domains I have hosted there.
deepsand
05-15-2008, 05:45 PM
Web hosts are not in the business of providing financial services, and should never be relied on for providing the security necessary for such unless they expressly hold themselves out as providing such.
To get yourself out from under the purview of PCI compliance, you need to use a 3rd party ASP that specializes in providing plug-ins that will capture all of the order data and store it on their own servers in a secure manner. Depending on the nature of the business in question, there may be vendors that specialize in plug-ins for that industry sector.
The same holds true for card processing if you are not using a local POS terminal.
ron angel
05-15-2008, 07:42 PM
Web hosts are not in the business of providing financial services, and should never be relied on for providing the security necessary for such unless they expressly hold themselves out as providing such.
To get yourself out from under the purview of PCI compliance, you need to use a 3rd party ASP that specializes in providing plug-ins that will capture all of the order data and store it on their own servers in a secure manner. Depending on the nature of the business in question, there may be vendors that specialize in plug-ins for that industry sector.
The same holds true for card processing if you are not using a local POS terminal.
Although I do not sell from my site, I use Complete Web Solutions: domains, hosting, site builders and SSL (http://www.godaddy.com). Very good reputation & 24 hour support service; been with them with a few sites since 2005, recommend them highly (unless somebody out there knows different...)
Shift4SMS
05-20-2008, 04:06 PM
Web hosts are not in the business of providing financial services, and should never be relied on for providing the security necessary for such unless they expressly hold themselves out as providing such.
To get yourself out from under the purview of PCI compliance, you need to use a 3rd party ASP that specializes in providing plug-ins that will capture all of the order data and store it on their own servers in a secure manner.
I fully agree with the second part of your quote above -- find a solution that offloads your payment processing compliance to a third party that specializes in this.
I disagree with the first statement though (unless your site is simply a non-business blog or similar). With any web site that sells anything, your hosting provider is in essence providing financial services -- even if you outsource the payments portion. IMHO, all parts of an ecomm site, even the non-shopping-cart portions, are part of your overall web offering & company image and should be equally secured. A merchant can offload the entire shopping cart to eBay, Paypal, our solution, or anyone, but if someone attempts to go to http://www.mybiblestore.com and porn starts spewing out, who has the black eye -- the merchant or the hosting provider?
All merchants should seek out hosting providers that take security seriously and are PCI compliant, even if the merchant site offloads the payment processing portion.
deepsand
05-20-2008, 05:58 PM
I fully agree with the second part of your quote above -- find a solution that offloads your payment processing compliance to a third party that specializes in this.
I disagree with the first statement though (unless your site is simply a non-business blog or similar). With any web site that sells anything, your hosting provider is in essence providing financial services -- even if you outsource the payments portion. <snip>
All merchants should seek out hosting providers that take security seriously and are PCI compliant, even if the merchant site offloads the payment processing portion.
Hosts rent the use of their physical resources; that a client may make use of such for providing a particular good or service does not suffice to make the host a provider of the same. By analogy, the host is a landlord, with the clients being renters of space in the landlords building(s).
Furthermore, PCI is not a technical standard, but a functional one; even those who are in the business of doing PCI audits vary greatly in their determinations of what is and is not compliant.
Therefore, to expect that a site host should provide for "PCI compliant" transaction processing is most unreasonable, particularly when said host's servers handle none of the transaction related data.
Data security and PCI compliance are two entirely different things; related, in that the latter is dependent on the former, but distinctly different.
Shift4SMS
05-21-2008, 12:53 PM
Data security and PCI compliance are two entirely different things; related, in that the latter is dependent on the former, but distinctly different.
Again, I fully agree. I'm saying that security should be a big factor in selecting a hosting provider. My current hosting provider is great. My sites are scanned by my scanning vendor -- the few times I've had any issues I forward it to them and they usually have a fix within hours and a couple days at the most. With the previous vendor I had, I would forward them the scan results and they would squawk that I was violating my service agreement by scanning my own site and they rarely fixed anything without attaching some sort of customization fee to the case. I'm just saying to select a hosting provider that takes security seriously because the success of your ecomm site depends on it, whether or not the payment portions are offloaded.
deepsand
05-21-2008, 07:22 PM
Again, I fully agree. I'm saying that security should be a big factor in selecting a hosting provider. My current hosting provider is great. My sites are scanned by my scanning vendor -- the few times I've had any issues I forward it to them and they usually have a fix within hours and a couple days at the most. With the previous vendor I had, I would forward them the scan results and they would squawk that I was violating my service agreement by scanning my own site and they rarely fixed anything without attaching some sort of customization fee to the case. I'm just saying to select a hosting provider that takes security seriously because the success of your ecomm site depends on it, whether or not the payment portions are offloaded.
On this we do wholeheartedly concur; absent a secure base platform, 3rd party PCI compliant platforms remain vulnerable.
I would simply add that, in my opinion, by segregating the base hosting and order capture/transaction processing functions, one not only adds an additional layer or layers of security, but isolates those elements which may be subject to PCI in a manner that can effectively pass the burden of being in compliance from the merchant to the ASP(s).
For example, with the client whose links appear in my signature here, order transaction data is captured and stored by an ASP which specializes in both publishing ticket brokers' inventories, and providing web site plug-ins that both display such inventories and perform the order entry function; no personalized data is stored on the client's base site. The processing of the card transaction is handled by a 2nd ASP, in this case, Authorize.net, in a manner that is wholly isolated from the server(s) of the 1st ASP.
Thus, the client's site stores no data re. any order, and that data which requires protection is segregated into 2 portions which reside separately on the servers of the 2 ASPs, thereby isolating the merchant's site from those elements which are subject to PCI.
The Computer Wizard
02-26-2009, 01:45 PM
I have some earth shattering news for the geek community. Yesterday we got a security vulnerability report for a customer’s web site that has secured hosting at Godaddy. They use some shopping cart software that we customized to meet with their specifications. The report I got yesterday indicated that their web site, which is protected with a Godaddy SSL certificate and stored on one of Godaddy’s secured servers, is not PCI compliant. To be PCI compliant the server needs to support SSLv3 and not SSLv2.
Due to a new requirement introduced last November, all online merchant services require compliance with the new SSLv3 standard. This merchant is being fined on a monthly basis by Elavon, their merchant service, because their site is with Godaddy; and Godaddy refuses to address the problem.
When I contacted support at GoDaddy, they confirmed the problem. So I escalated the problem to the Office of the President at Godaddy. The representative in the President’s office, John, refused to have the problem corrected. Furthermore, he indicated that Godaddy would not be correcting this security problem anytime soon.
John went on to say that the servers for Godaddy's Quick Shopping Cart were set up correctly. This only makes matters worse. Now it is obvious that Godaddy is trying to take advantage of the confusion surrounding the technology, which makes it a clear case of "Unfair Competition" as defined by Federal Law. After hearing this, I have decided to file a complaint with the Federal Trade Commission. I encourage all other independent e-commerce web developers to follow suit.
We were partners with Godaddy before this issue arose, having previously provided and maintained our own hosting solutions until they showed up everywhere undercutting us. This literally forced us and many web developers to join with Godaddy. Now I am seriously rethinking this arrangement. We need a quick fix for this problem; and Godaddy could quickly and easily remedy this problem, but Godaddy refuses to move. Now my precious time will be spent looking for another hosting provider for our e-commerce accounts. I encourage you to respond if you know of someone who provides PCI compliant Windows Web Hosting with Access and/or SQL Server.
:eek:
crankydave
02-26-2009, 02:00 PM
Check out Lexiconn. Their support is stellar. I have an ecommerce site with them and they administrate PCI compliancy for me so I don't have to worry about that end of it should anything come up ie servers etc. Any questions or issues at all and they handle it immediately.
Dave
The Computer Wizard
02-26-2009, 03:49 PM
Thanks for the info CrankyDave. Unfortunately, Lexiconn only supports Linux hosting. I need Windows Hosting with true SQL support using either MS Access and/or MS SQL Server.
ron angel
02-26-2009, 04:37 PM
I have some earth shattering news for the geek community. Yesterday we got a security vulnerability report for a customer’s web site that has secured hosting at Godaddy. They use some shopping cart software that we customized to meet with their specifications. The report I got yesterday indicated that their web site, which is protected with a Godaddy SSL certificate and stored on one of Godaddy’s secured servers, is not PCI compliant. To be PCI compliant the server needs to support SSLv3 and not SSLv2.
Due to a new requirement introduced last November, all online merchant services require compliance with the new SSLv3 standard. This merchant is being fined on a monthly basis by Elavon, their merchant service, because their site is with Godaddy; and Godaddy refuses to address the problem.
When I contacted support at GoDaddy, they confirmed the problem. So I escalated the problem to the Office of the President at Godaddy. The representative in the President’s office, John, refused to have the problem corrected. Furthermore, he indicated that Godaddy would not be correcting this security problem anytime soon.
John went on to say that the servers for Godaddy's Quick Shopping Cart were set up correctly. This only makes matters worse. Now it is obvious that Godaddy is trying to take advantage of the confusion surrounding the technology, which makes it a clear case of "Unfair Competition" as defined by Federal Law. After hearing this, I have decided to file a complaint with the Federal Trade Commission. I encourage all other independent e-commerce web developers to follow suit.
We were partners with Godaddy before this issue arose, having previously provided and maintained our own hosting solutions until they showed up everywhere undercutting us. This literally forced us and many web developers to join with Godaddy. Now I am seriously rethinking this arrangement. We need a quick fix for this problem; and Godaddy could quickly and easily remedy this problem, but Godaddy refuses to move. Now my precious time will be spent looking for another hosting provider for our e-commerce accounts. I encourage you to respond if you know of someone who provides PCI compliant Windows Web Hosting with Access and/or SQL Server.
:eek:
I suggest that you send a link to this posting to the Office of the President at Godaddy. Seeing it in public may convince them to change their position, as it may influence other customers who did not know of the problem, and future customers when considering using their hosting service. I personally find GoDaddy's service excellent but do not use, or intend to use, any shopping carts.
crankydave
02-26-2009, 04:59 PM
Thanks for the info CrankyDave. Unfortunately, Lexiconn only supports Linux hosting. I need Windows Hosting with true SQL support using either MS Access and/or MS SQL Server.
sorry...
Didn't check first.
Couple of interesting things I noted about GoDaddy...
They "claim" that their "quick cart" is compliant. Also, on their legal agreement for "...website and virtual dedicated server..." they state the following...
The Services are not intended to provide a PCI (Payment Card Industry) compliant environment and therefore should not be considered as one. Go Daddy shall have no liability to You or any other person for Your use of the Services in violation of these terms. You shall at all times use the Services as a conventional and/or traditional web site
So if indeed they are PCI compliant for their quick cart they have the proper servers/safeguards in place. It seems they don't want to provide it for anything other than that though.
I guess it's a matter of how many folks are using them (without their quick cart) for ecommerce platforms, how many of those folks don't realize they are not in compliancy, and whether or not godaddy has been forthcoming enough about the fact that they are not.
My "guess" would be that ANYONE using godaddy for any ecommerce purposes will have a credibility problem with their customers/visitors if this gets around. Think about it for a moment... how "secure" is a visitor to an ecommerce site hosted by godaddy going to feel if ANY part of their hosting services are not compliant?
Dave
dalongusa
04-23-2010, 12:00 AM
I've been a fan of GoDaddy for a long time, until today. If you have a shopping cart with someone else and host with GoDaddy you may encounter problems with PCI compliance testing by SecurityMetrics.com.
GoDaddy will not consider a whitelist to probe their hosting setup and look for open ports and the like, even if it's just a few IPs to whitelist, even if it's just temporary.
While I appreciate that SecurityMetrics' inability to even probe makes it sound very secure and should be a passing grade, it isn't working out that way. GoDaddy told me, at all levels, even Presidential, that I had two options, order GoDaddy's shopping cart or host elsewhere.
I hear that the situation is a push towards certain shopping cart solutions, such as GoDaddy's shopping cart, PayPal and Google Checkout, where the PCI compliance is in large part the shopping cart providers'.
I posted my problem on the BobParsons.me blog, but that's moderated, and they chose not to post the negative feedback I gave his company.
Posted by Duane A. Long, webmaster for [removed]