On May 14, 2009, at 11:29 PM, seph wrote:

>> They also take credit cards to the tune of around 65,000 transactions
>> per year. PCI compliance is an issue and they want to aim towards
>> being PCI compliant.
>
> PCI is a fairly big ball of wax. It may be my bias here, but I
> suspect having an outsourced PCI environment is going to be fairly
> expensive. I'd turn this around, and ask if you need to keep processing
> your own credit cards, or if you can start using an external CC
> processor. (I believe authorize.net is common here, but I don't really
> know the space.) If you can get away from the PCI requirement, your
> needs start getting a lot simpler.
I second this. Most of the security consultants I talk to about PCI advise that if you can avoid it without blowing your margins, you should. It's not just maintaining a PCI compliant datacenter. If you connect your offices by VPN, then every workstation, locked door, wireless network, etc. is bound by PCI.

There are also huge sections of the requirements that are strictly policy and documentation based. I'm sure Rackspace has people who could help you develop such policies, but the requirements are pretty strict. For example, I once had an argument with a CISSP who insisted that using djbdns would end up being a violation because you can't document a thorough, automatic, and reliable upgrade process for it.

Also worth noting is that my understanding of the PCI compliance spec is that if there is ever an "incident", even small merchants become immediately beholden to all the same requirements as tier 1 merchants. 65k transactions per year isn't tiny, but I bet the client wouldn't want to suddenly have the same requirements as, say, Disney World.

--joshua.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
