I'm not really sure if this is an "integration" question, but I'm looking for some affordable hosting options. I will be using the AIM and CIM APIs. I'll never store any cardholder data in my databases though.
I called Rackspace and they quoted me like $1500/mo for PCI compliant web hosting. I thought that was absurd. I then looked at Liquid Web hosting and they offer a PCI compliance certificate for $50/mo and VPS hosting for $60/mo, and they throw in a free SSL certificate. That seems a WHOLE lot more reasonable. I'm wondering if there's a huge cost I'm missing or if I need to be aware of anything to get my code hosted and into production.
Can anybody recommend an affordable hosting option? Or tell me if the Liquid Web option is the best way to go?
08-10-2011 05:26 PM
Heh, $1500 per month. That must be the price for storing credit card information on their servers, because no way in heck a server should cost that much normally. My parents have had a server with Rackspace for some time now, and it cost us around $500 / month originally and then I worked them down another $100 or so when it came up for renewal a year or two later on the basis of the competition charging so much less. This is still high, but Rackspace does offer better security and support, so we're living with it.
I have another client who has a server with Cari.net. It's a reasonably powerful server with 4 GB RAM and so on and costs around $300 per month including backup and cPanel. Service and uptime have been quite good, and my client imports data and runs a variety of marketing campaigns for probably 80+ car dealerships off that one server.
Then there are virtual server options. I've worked a lot with GoDaddy's virtual dedicated servers - you get a certain amount of guaranteed CPU, RAM and your own partition, and I think it costs around $30ish per month depending on plan level and number of months. If you're worried about security and lack of configuration options on shared hosting, and don't require the juice of a full server, this is probably the way to go. The price is definitely good, but you need to know your way around servers, since the phone tech support will just tell you to open up server chat, and server chat isn't always helpful either. I'd personally rather pay $5 per month more and have good service when I need it, but maybe that's just me.
I'm guessing you don't have anything hideously resource-intensive, so a virtual server is probably sufficient. Forget "PCI-compliant hosting" or "PCI compliance certificates" - you'll be fine as long as you aren't on shared hosting and as long as you don't store credit card information. Anyone who tries to sell you "PCI" something is just ripping you off. Heck, I have clients who DO store credit card data on their site for about a day - it really makes no practical difference as long as the information is encrypted in storage and wiped as soon as it's downloaded and used. Security starts and ends at your FTP user name and password, since if hackers gain access to the hosting, they can farm credit card info just as easily with or without any level of internal security.
08-10-2011 10:06 PM
So a lot of people who are integrating with authnet aren't really concerned with being PCI compliant? The potential fines scare the hell outta me.
08-11-2011 09:13 AM
You only have to be worried about three things:
1) Is credit card info only being transmitted securely? If you're using SSL, then the answer is yes.
2) Is credit card info being stored securely? Authorize.net handles that part, so you don't have to worry about it.
3) Do you have proper security procedures in place to protect your hosting login? Assuming you don't share your hosting account with someone else, and assuming you don't leave your password lying around, you're probably fine there.
As I said before, the real security hole is almost always item 3, not items 1 and 2. Stop freaking out about PCI - nobody I've worked on a project for has ever been audited, and even if audited you should be fine with Authorize.net (or any major merchant system, for that matter) unless you're a complete programming moron. Just make sure your contracts specifically state you're providing your code as-is and the client is responsible for any legal issues that may arise from its use.
08-11-2011 02:47 PM
Thanks for the feedback, TJPride. I won't be distributing my code though. I'm creating something similar to Shopify or another cart system, where my clients will input their authnet credentials so their customers can pay my clients directly.
Could you elaborate on "proper security procedures"?
08-11-2011 09:14 PM
Don't make your password something that can be easily guessed (combinations of your name and birth date, for instance) or brute forced (a dictionary word followed by the number 1). Don't write your password down on a piece of paper and leave the paper lying around. Never throw out anything with your password on it without shredding first. Don't leave your password in your email. Don't use your password on any computer that could get infected with a virus (PC running off-brand antivirus, for instance, or a PC friends use to download illegal software, music, movies, etc.). Don't share your password with anyone you don't trust to also follow the same safety procedures, or anyone you don't trust with your money. Don't leave your laptop lying around where it can get stolen.
That sort of thing.
08-12-2011 04:59 AM