Entries Tagged as 'Reviews'

Tracking Holiday Packages


One site:

  • takes all tracking codes (Fedex, UPS, etc)
  • provides a Google Maps display
  • provides RSS feed functionality

What more could you ask for?

http://boxoh.com/

PCI Compliant Managed Hosts - GSI Hosting


GSI Hosting was really aggressive from the get-go about talking on the phone. Once I did, I knew I was talking with guys who knew their stuff, and were in a completely different league. Not only have they been experts in the security area for a while, but they've gotten PCI down, and can ask all the tough questions, and answer them right back. They were quick to bring all the necessary experts in the room.

As you can tell, I felt very comfortable with them. Plus, two key points really helped them. First, they are among a few certified by Visa as a model for others (and from what I can remember, they even host some of their servers). Second, the company itself started out with CF (in the Allaire days).

It quickly became apparent that these guys had their technical and business chops. They talked about the competition, and how their ROI was different because you would achieve the highest level of PCI Compliance, because they didn't offer toolkits, but their whole environment from the ground up met or beat PCI Standards. What this meant was no unforeseen costs: you host, you're compliant under their certification by Trustwave.

They also offered tons of flexibility. Needless to say, I was impressed.

Unfortunately, their cost structure put them on par with Rackspace. But, as you can tell, there was a world of difference between them and Rackspace. We tried really hard to get the cost down, as GSI ended up being my top choice, however they still ended up high, and with the economy, management could not support an increase in spending at this time.

There is so much more to say about these guys. So how do I rank them? Most definitely Tier 4! I would highly recommend them if PCI Compliant Managed Hosting means a lot to you and you want premium support and services.

PCI Compliant Managed Hosts - Rackspace


First off, a lot of people like Rackspace. Their website looks very credible, they are publicly traded, and they seem to know what they are doing.

However, my dealings with Rackspace, over the past several years, have shown them to be the opposite. Case in point: PCI Compliant Hosting.

Rackspace offers a "PCI Toolbox." You can tell right away this is not going to be good. At the bottom of the page is a contact our sales team link, and you have to basically fill out a form, which is what I did.

When I originally did this, I did not hear from them at all. Looks like they were too busy for me. 10 days later, I filled it out again, asking if they wanted my business, and they got back to me in 24 hours. I told them about my needs for PCI Compliant Managed Hosting, and they transferred me to someone, who was supposed to know what I was talking about. That person never responded. Days later, I emailed again, and got a generic response. I told them what I needed a quote on, and was told to wait a couple days. I waited.

And waited. Next I emailed again, and this time got a response from a 3rd person, that my quote was being worked on. I asked about how they met PCI Standards, and got generic responses. Basically, they provide you the tools, but you're responsible for self-certification, and they'll work with you on any changes. It meant they'll charge you later if you need more security... yet they sit on the PCI Council.

When I got my quote, it needed revisioning. As you can tell, things moved slowly. I was promised diagrams, which took weeks to deliver. In the end, it was an arduous journey.

The cost? They are HIGH. Let's just say, they are 2.5x what we ended up deciding on with our new host. All with little to medium knowledge, potential long term costs, and a poor sales process. How was I to make a case for their "Fanatical Support" after that?

I may attach some of the quotes, documentation and answers for you to see. Still deciding on that. But let's just say, my impression of Rackspace hasn't changed in the past 5 years.

So what Tier would I rank them? Let's make them a Tier 2.

Let me know if you have any comments or questions.

Grading PCI Compliant Managed Hosts


In this post, we'll try to create a grading system for PCI Compliant Managed Hosts, which I'll later use to go over several hosts whom I've been interviewing and dealing with over the past 3 months.

This is all new territory for me, and for the industry. There is no coherent grading system, and it's hard to tell the newbies apart from the gurus.

So you've scoured the web, and looked at lists. By this time, your initial shock may have subsided. Shock? Yeah, you've had no need to narrow your list as the list is already small. Why in the world are the rest of the hosts so behind? Are those $9.95 e-Commerce plans PCI Compliant? Probably not. Does it seem like 95% of the world doing e-Commerce actually doesn't meet most of the PCI specs? Yup. Should you be scared about where and whom you buy from online even more? Yes.

So let's take a look at the hosts. They tend to fall into categories pretty easily.

Tier 4 (Highest) - These guys rock. They eat PCI Compliance for breakfast.

  • May belong to the PCI Security Standards Council
  • Should be able to provide a pretty detailed diagram of the setup
  • Should be able to provide a dedicated Account Exec, along with an in-house team of experts (Sys. Admins, DBAs, etc)
  • Should have certification with Visa for their Cardholder Information Security Practices (CISP) standard for compliance, along with experience with Sarbanes-Oxley, HIPAA, etc
  • Have expertise in other areas like SAS 70 Certification

Tier 3 (2nd Highest) - These guys have experience, but are far from experts.

  • These guys don't have formal processes to handle new clients for PCI
  • They usually have done several clients in the past, and are "getting better" with each new client
  • They usually put more emphasis on the initial sales pitch, but drag their feet for details

Tier 2 (2nd Lowest) - These guys are new, and may actually be making stuff up along the way.

  • I know, my rating system is getting harsher, but these guys may advertise PCI, but aren't prepared in the least.
  • They may offer some sort of PCI Toolkit, but their implementation (and/or understanding) of PCI is flawed.
  • They might think of PCI as a patch, or some extra hardware.
  • Their sales people (and/or tech reps) are barely trained to talk PCI.

Tier 1 (Lowest) - These guys advertise PCI, but wouldn't know it if it stared them in the face.

  • Their sales process is extremely weak.
  • They have little to no understanding of PCI Compliance.
  • They bad-mouth other hosts.
  • May offer "special" pricing to hook you.

Book Review: Flex 3 in Action by Tariq Ahmed (and others)


I was fortunate enough to be asked to perform an early access review (unedited) of Tariq Ahmed's Flex 3 in Action. While I read through the book, I was side-tracked, and it's definitely my bad I didn't get this review out earlier.

The version I have is 648 pages. Yes, it's massive. While this can be a bit overwhelming to newbies, the "in Action" part of the title should give you an indication that this book is full of examples, and that's a good thing.

The book does a good job of covering some of the history behind traditional web development and where Rich Internet Applications are headed. As Ray Camden mentions in his review of the book, it's also "to see many comparisons between Flex and ColdFusion concepts". Ray's review can be found here.

Take, for example, Chapter 1: Introduction to Flex. Some of the topics this chapter covers are:

  • The problems that Web developers face
  • What Flex is and how it solves those problems
  • What are RIAs (Rich Internet Applications)?
  • The difference between RIAs and RWAs (Rich Web Applications)
  • How Flex differs from the competition (i.e. how to sell Flex to your boss)
  • The Flex Ecosystem

As you can see from just the first chapter, this book lays some solid groundwork for the developer.

Plusses:

  • It's written by developers for developers
  • Tariq Ahmed's written several great books in the past
  • Lots of examples and diagrams
  • Provides good foundational and historical background
  • Provides a step by step approach
  • Talks high-level AND low-level, like Chapter 3: Working with ActionScript, which covers variables, operators, conditions, etc.
  • Covers end to end development, from basics to reusability to customization to testing to deployment
  • Appendix points you to dozens of forums, initiatives and developer resources

Minuses:

  • Size, it may take a while to get through it.
  • There is some incohesion between writing styles between authors (typical complaint), which I'm hoping would be resolved in the final version

So go out, and grab a pre-order of the book. More details here.
