Online payment and PCI compliance

Dear experts,

We have a project planned to accept online payments on our website.

Our website uses Kentico EMS and is hosted in a local AWS zone (Sydney region) with all website traffic behind SSL. We are currently using an AWS dedicated host; however, we would like to move to an AWS shared host to reduce costs.

We will use a PCI-compliant third-party payment gateway provider for the transactions. We are not looking at storing customers' credit card information on our servers. I want to understand the process to ensure we are PCI compliant in Australia.

I would appreciate any comments on the below:

1. Does our web server need to be on a dedicated server/host, i.e., not on a shared host?
2. Since the payment will be processed by the payment gateway provider, do we need to take further measures on our current infrastructure (as described above) to become compliant?
3. Anything else I should look into?

Cheers all!
Al Kimo, IT PM, asked:
 
Laroy Shtotland, IT Security Consultant, commented:
1. No, your server doesn't have to be dedicated. I designed and implemented a PCI DSS compliant architecture using AWS "shared", though PCI DSS compliant, EC2 servers.
2. Yes, you still have to comply with all PCI Standard requirements. Check out the Self-Assessment Questionnaire (SAQ) type A or A-EP.
3. https://blog.varonis.com/a-guide-to-pci-dss-3-2-compliance-a-dos-and-donts-checklist/
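The SAQ A versus A-EP distinction above turns on where cardholder data is captured: SAQ A assumes the payment page is fully outsourced to the validated gateway (redirect or iframe), while a form on the merchant's own page that collects the card number and posts it straight to the gateway falls under A-EP, and a form that posts it to the merchant's own server puts that server in full scope. The following static check is an added example, not code from the thread or from Kentico; the field-name hints, hostnames and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that typically mark cardholder-data inputs (constructed list; extend for your forms)
CARD_FIELD_HINTS = ("cardnum", "card_num", "card-num", "ccnum", "cvv", "cvc", "cvn")


class FormScanner(HTMLParser):
    """Collect each <form> action and the names of the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, [input names]]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", []]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_checkout(html, site_host):
    """Return (saq_hint, findings) for a checkout page served from site_host.

    SAQ A    : no card fields on merchant-hosted forms (gateway-hosted page/iframe)
    SAQ A-EP : card fields on the merchant page, posted directly to a third-party host
    SAQ D    : card fields posted to the merchant's own host, so PAN transits your server
    """
    scanner = FormScanner()
    scanner.feed(html)
    findings, hint = [], "SAQ A"
    for action, names in scanner.forms:
        card_fields = [n for n in names if any(h in n for h in CARD_FIELD_HINTS)]
        if not card_fields:
            continue
        # A relative action posts back to the merchant's own host
        target = urlparse(action).hostname or site_host
        if target == site_host:
            hint = "SAQ D"
            findings.append(f"{card_fields} posted to merchant host {target}: PAN transits your server")
        else:
            hint = "SAQ A-EP" if hint != "SAQ D" else hint
            findings.append(f"{card_fields} captured on merchant page, posted to {target}")
    return hint, findings
```

Card capture done by the gateway's JavaScript (tokenisation in the browser) is invisible to a static HTML scan but still lands in A-EP, so review the scripts on the payment page as well.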
 
David Favor, Linux/LXD/WordPress/Hosting Savant, commented:
1) If security is essential, best use a dedicated server. There's just no way to secure a shared hosting situation.

2) PCI Compliance relates to the testing service you use. Each service is different, so you'll have to pass their scanner.

Minimum requirements will be things like using Apache-2.4 + PHP-5.6+ + other software like Kernel + OpenSSL.

Likely your service will scan your site every week or so + notify you of anything they require you to fix.

3) Just follow instructions provided by your scanning service.

Note: This process is easy to go through. All you require is a dedicated machine + a Server Savant to admin your machine + you'll be good.
 
Eddie Shipman, all-around developer, commented:
Well, to be honest, it would be better for you to just implement a 3rd-party e-commerce solution into your Kentico installation.
The majority of these solutions are already PCI compliant, and the burden for the compliance would not fall on you.

Since you need to integrate with Kentico, I'd suggest looking into VirtoCommerce; it is a great ASP.Net cart package that is not difficult to integrate with Kentico.