Marc Zucchelli on 25 Dec 2007 09:36:26 -0800
I hope this isn't too off topic. I've been hosting my clients' websites for a while, and I want to completely automate the billing, as well as give my clients a place to sign in and update billing/credit card info. The problem I run into is that, I believe, if I am to store credit cards, I have to be PCI DSS compliant. Networking isn't one of my strong points, so I don't entirely understand the PCI DSS spec, but there is one item that concerns me. Item 1.3.4 of the spec says: "Placing the database in an internal network zone, segregated from the DMZ." The spec can be found here: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

This concerns me because I am simply renting a dedicated server, and it appears that this is saying that I have to have another server running which is blocked off from the public internet with a firewall. It seems the costs involved are not worth it for my small operation. I may be reading into this too much. There is plenty of popular billing software available for webhosts that stores the credit cards encrypted directly on the public server itself. I am wondering if I am reading the spec wrong, or if all this software isn't compliant after all?

I would appreciate everyone's thoughts. Merry Christmas!

Marc
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug