Online payment and PCI compliance

Dear experts,

We have a project planned to accept online payments on our website.

Our website uses Kentico EMS and is hosted in the local AWS zone (Sydney region), with all website traffic behind SSL. We are currently using an AWS dedicated host; however, we would like to move to an AWS shared host to reduce costs.

We will use a PCI-compliant third-party payment gateway provider for the transactions. We are not looking at storing customers' credit card information on our servers. I want to understand the process to ensure we are PCI compliant in Australia.

I would appreciate any comment on below:

1. Does our web server need to be on a dedicated server/host, i.e., not on a shared host?
2. Since the payment will be processed by the payment gateway provider, do we need to take further measures on our current infrastructure (as described above) to become compliant?
3. Anything else I should look into?

Cheers all!
Al Kimo (IT PM) asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
1) If security is essential, it's best to use a dedicated server. There's just no way to secure a shared hosting situation.

2) PCI Compliance relates to the testing service you use. Each service is different, so you'll have to pass their scanner.

Minimum requirements will be things like using Apache-2.4 + PHP-5.6+ + other software like Kernel + OpenSSL.

Likely your service will scan your site every week or so + notify you of anything they require you to fix.

3) Just follow instructions provided by your scanning service.

Note: This process is easy to go through. All you require is a dedicated machine + a Server Savant to admin your machine + you'll be good.
0
Eddie Shipman (All-around developer) commented:
Well, to be honest, it would be better for you to just implement a 3rd-party e-commerce solution in your Kentico installation.
The majority of these solutions are already PCI compliant, and the burden of compliance would not fall on you.

Since you need to integrate with Kentico, I'd suggest looking into VirtoCommerce, it is a great ASP.Net cart package that is not difficult to integrate with Kentico.
0
Laroy Shtotland (IT Security Consultant) commented:
1. No, your server doesn't have to be dedicated. I designed and implemented a PCI DSS compliant architecture using AWS "shared" (though PCI DSS compliant) EC2 servers.
2. Yes, you still have to comply with all PCI Standard requirements. Check out the Self-Assessment Questionnaire (SAQ) type A or A-EP.
3. https://blog.varonis.com/a-guide-to-pci-dss-3-2-compliance-a-dos-and-donts-checklist/
0
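The SAQ A versus A-EP choice in the answer above turns on how much of the payment page the merchant controls: with a redirect or iframe served entirely by the gateway the Kentico server never sees a card number (SAQ A); if your own page builds the payment form and posts directly to the gateway, it is SAQ A-EP; and if a card number is ever posted to your server, even just to forward it to the gateway, neither A nor A-EP applies and that server is fully in scope. A practical check for the last case, added here as an example and not code from anyone in this thread, is to scan your web-server logs for Luhn-valid card numbers (PANs). It assumes plain-text access logs; the log lines and URLs below are constructed, and the card numbers are the public test PANs the card brands publish for sandbox use.

```python
"""Scan web-server log lines for leaked card numbers (PANs).

Added example, not code from the original thread. It assumes plain-text
access logs; the sample lines below are constructed for illustration.
A hit means cardholder data reached the merchant's server, which pulls
that server into PCI DSS scope regardless of which SAQ was intended.
"""
import re

# Candidate runs of 13-19 digits, allowing a space or dash between digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS requirement 3.3 masking: at most first six and last four visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs found in one log line, unmasked."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for every hit across the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample access-log lines. Line 3 carries an order number that
# looks like a PAN but fails Luhn; lines 2 and 4 carry the Visa and
# Mastercard sandbox test numbers, not real accounts.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2018:10:01:02 +1100] "GET /checkout HTTP/1.1" 200 5123',
    '10.0.0.5 - - [12/Mar/2018:10:01:30 +1100] "POST /pay?card=4111111111111111&exp=1220 HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Mar/2018:10:02:11 +1100] "GET /order/1234567890123 HTTP/1.1" 200 812',
    '10.0.0.9 - - [12/Mar/2018:10:02:40 +1100] "POST /pay HTTP/1.1" 302 0 "card=5555 5555 5555 4444"',
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: PAN leaked into log, masked {masked}")
```

Run it against the real IIS/Apache access logs, application logs and the Kentico event log after a test checkout with a sandbox card. Any hit means the integration is sending card numbers through your server, and the design should be changed (gateway redirect, iframe or direct post) before you decide with the gateway or your ASV which SAQ applies; the Luhn filter keeps order numbers and timestamps from flooding the report, and findings are reported masked so the scan output itself does not become a new copy of the PAN.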
