Entries Tagged as 'Information Technology'

PCI Compliant Managed Hosts – GSI Hosting

Categories: Information Technology, Product Management, Reviews (4 Comments)

GSI Hosting was really aggressive from the get-go about talking on the phone. Once I did, I knew I was talking with guys who knew their stuff and were in a completely different league. Not only have they been experts in the security area for a while, but they've gotten PCI down, and can ask all the tough questions and answer them right back. They were quick to bring all the necessary experts into the room.

As you can tell, I felt very comfortable with them. Two key points also helped them: one, they are among a few certified by Visa as a model for others (and from what I can remember, they even host some of their servers). Second, the company itself started out with CF (in the Allaire days).

It quickly became apparent that these guys had their technical and business chops. They talked about the competition and how their ROI was different: you would achieve the highest level of PCI Compliance because they didn't offer toolkits; their whole environment, from the ground up, met or beat PCI standards. What this meant was no unforeseen costs: you host with them, you're compliant under their certification by Trustwave.

They also offered tons of flexibility. Needless to say, I was impressed.

Unfortunately, their cost structure put them on par with Rackspace. But, as you can tell, there was a world of difference between them and Rackspace. We tried really hard to get the cost down, as GSI ended up being my top choice; however, they still ended up high, and with the economy, management could not support an increase in spending at this time.

There is so much more to say about these guys. So how do I rank them? Most definitely Tier 4! I would highly recommend them if PCI Compliant Managed Hosting means a lot to you and you want premium support and services.


PCI Compliant Managed Hosts – Rackspace

Categories: Information Technology, Product Management, Reviews (No Comments)

First off, a lot of people like Rackspace. Their website looks very credible, they are publicly traded, and they seem to know what they are doing.

However, my dealings with Rackspace over the past several years have shown them to be the opposite. Case in point: PCI Compliant Hosting.

Rackspace offers a "PCI Toolbox." You can tell right away this is not going to be good. At the bottom of the page is a "contact our sales team" link, and you basically have to fill out a form, which is what I did.

When I originally did this, I did not hear from them at all. Looks like they were too busy for me. 10 days later, I filled it out again, asking if they wanted my business, and they got back to me in 24 hours. I told them about my needs for PCI Compliant Managed Hosting, and they transferred me to someone who was supposed to know what I was talking about. That person never responded. Days later, I emailed again and got a generic response. I told them what I needed a quote on and was told to wait a couple of days. I waited.

And waited. Next I emailed again, and this time got a response from a third person saying that my quote was being worked on. I asked how they met PCI standards and got generic responses. Basically, they provide you the tools, but you're responsible for self-certification, and they'll work with you on any changes. It meant they'll charge you later if you need more security… yet they sit on the PCI Council.

When I got my quote, it needed revising. As you can tell, things moved slowly. I was promised diagrams, which took weeks to deliver. In the end, it was an arduous journey.

The cost? They are HIGH. Let's just say they are 2.5x what we ended up deciding on with our new host. All with little to medium knowledge, potential long-term costs, and a poor sales process. How was I to make a case for their "Fanatical Support" after that?

I may attach some of the quotes, documentation, and answers for you to see. I'm still deciding on that. But let's just say my impression of Rackspace hasn't changed in the past 5 years.

So what Tier would I rank them? Let's make them a Tier 2.

Let me know if you have any comments or questions.


PCI Compliant Managed Hosts

Categories: Information Technology, Tools of the Trade (1 Comment)

As many of you know, for e-Commerce, whenever and wherever you touch credit cards, you must be PCI Compliant. But where do you start to find hosts who have created an environment for you and are willing to work with you? Besides Google (oops, I mean Scroogle), you can look at the list Visa provides.

Download the list at http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf.

I'll be covering the ones mentioned for Managed Hosting in forthcoming reviews.


New PCI DSS Security Standards 1.2

Categories: Information Technology, News, Product Management, Software Engineering (No Comments)

The PCI Security Standards Council has released a new version of the Data Security Standard today, namely version 1.2.

To download the doc and a list of changes:


Finding a Good Managed Host with PCI Compliance Experience

Categories: Information Technology, Product Management, SaaS, Software Engineering (8 Comments)

Ok, so we're doing e-Commerce, and obviously we want our managed hosting environment to be PCI Compliant. For all the hoopla around PCI Compliance, I only found a dozen or so hosts with PCI Compliance certification for creating, managing, and maintaining a PCI compliant environment. Given that 90%+ of hosts provide some sort of shopping cart/e-commerce-lite functionality, this is pretty scary. And the more I dig into this, the scarier it becomes. Let's face it, your data is not secure. And those who are meeting PCI Compliance have yet to meet the latest requirement, section 6.6 of the PCI DSS.

There are some hosts who even say they are PCI Compliant and advertise that, but they are NOT. What they mean is that their own operations are PCI Compliant, but their hosting environment is not. Others say, you know what, this could mean a lot of things, referring to the vague and unclear PCI guidelines, which makes it even worse.

As a result, I'm doing a presentation internally on PCI DSS and clearing some of the FUD surrounding it. It's a matter of how close you can get to being certified when pursuing the self-certification path. When you hire one expert, they will tell you something different from the second, so the smart thing to do is to be tech-savvy, think like a hacker, and start doing a gap analysis to see what and how you can slowly move towards compliance, given your budget constraints.

Anyone interested in me posting a primer on PCI Compliance that clears some of the FUD?
