All times are UTC - 5 hours
 Post subject: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Wed Feb 17, 2010 10:24 pm 
CRE Talented
Joined: Thu Jan 31, 2008 12:58 am
Posts: 420
Location: Denver, CO
I am working towards getting my website PCI Compliant. I know authorize.net and my merchant bank are both PCI Compliant. Also, I don't store credit cards on my website or office computer and I have a private SSL.
I am using a shared plan with HostGator but am switching to a VPS hosting plan with HostGator.
I have done a lot of research and have posted on here before, and it seems a missing piece is I have to have a scan done of my website and also fill out a huge questionnaire and then submit it along with my scan results to my merchant bank to become PCI Compliant.
Am I correct about the above?
What this comes back to is site scanning. I have looked at many services including McAfee, Security Metrics, ControlScan, and TrustWave.
Most of my research so far has been with McAfee. They have a service for $319/yr which includes quarterly scans and manual scans as often as I desire. There are no logos with it for my website.
They also offer a full service for $959/year or $1289/2 years for a discount. This full service includes their PCI Scanning but also it includes their McAfee Secure scanning. The scanning is done daily and also with the McAfee Secure scanning you get a McAfee trust logo for your website.
With HostGator's shared plan for free I get the McAfee secure scanning with logo and it includes the PCI scanning but also once I change to VPS hosting I likely will lose this.
I am interested in opinions of the various options for scanning, McAfee, Security Metrics, ControlScan, and Trustwave, and also, if I go with McAfee, is their higher plan worth it? They claim I'll see an increase in sales but is that likely to be true? Thank you for your thoughts on the above.


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Thu Feb 18, 2010 6:13 pm 
CRE Talented
Joined: Sat Apr 19, 2008 3:51 am
Posts: 431
Location: Tennessee
Ask them to guarantee in writing a percentage of sales increase within a certain amount of time (which they will not nor cannot do).

If they say they can, then ask if they fail will they continue the scans for free for the life of your website (they will say no, but you can have your money back).

(Ask: would it not be better to just keep the money in my bank to begin with?)

_________________
http://www.dragonstailmotorsports.com/


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Fri Feb 19, 2010 2:37 am 
CRE Talented
Joined: Thu Jan 31, 2008 12:58 am
Posts: 420
Location: Denver, CO
The more I have read up on McAfee's Secure, the more I am against it. I had done a live chat on their site and they told me a rep would call me within 10 minutes. He did, but I was already out of the office and returned to have 4 phone calls. Phone calls started at 7AM today and they are basically not offering me the PCI Compliance, telling me I need the other plan that is $968 approximately, about all the sales, etc. High-pressure sales are a huge turnoff to me, especially when they try to sign me up before I'm able to ask all the questions I want to. I may look at their PCI compliance option, but I think basic PCI scanning is all I need and I likely will look at ControlScan, Security Metrics, Qualys, or Trustwave.


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Fri Feb 19, 2010 4:56 am 
CRE Talented
Joined: Sat Apr 19, 2008 3:51 am
Posts: 431
Location: Tennessee
One thing you better ask your hosting company is if they are willing to work with your scanning company to assist in getting your site PCI compliant!
I ran into the same thing when I was using CRE Hosting (Chain Reaction Hosting): one thing was said, then I was later told something different.

It was always the scanning company's problem (WINK-WINK) (ControlScan), even though they used to say "THEY WERE PARTNERS"; even they could not make it happen and pass scans on a regular basis.

So be sure to always save emails and get everything in writing beforehand!

_________________
http://www.dragonstailmotorsports.com/


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Fri Feb 19, 2010 7:01 am 
CRE Addict
Joined: Thu Sep 10, 2009 10:10 pm
Posts: 252
Location: Sheffield, South Yorkshire, United Kingdom
Mark,

Not sure how relevant this would be to you, as we use PayPal Pro and I just noticed this on their site while researching further PCI stuff;

Quote:
PayPal helps
PayPal has partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help our customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com/SignUp.sa?oc=9673.


ScanAlert is a McAfee service, free for the first year... I've read the T&C's at the bottom of the page and they say the following;

Quote:
Automatic Renewal

Customer agrees that subscription based Services will automatically renew at the end of each subscription period, at the then current list price for the Service, unless Customer sends notice of Customer's request that the Services not renew. Such notice of non-renewal must be sent to McAfee through the e-mail address [email protected] at least thirty (30) days prior to the end of Customer's current subscription period. Notwithstanding the foregoing, if Customer purchased the Services from a McAfee authorized reseller of the Services, the subscription for the Services will not automatically renew at the end of the purchased subscription period, but shall expire and require the purchase of a new subscription period in order for the Services subscription period to be renewed.

Breach

Customer is in breach of this agreement if Customer fail to pay any amount owed to McAfee when due, subject to a 10 day grace period, or Customer fails to comply with these Terms. Unless otherwise stated, fees for Services are due in advance and subject to payment terms in the invoice(s) for the Services, which are incorporated into these Terms by reference. If Customer is in default, McAfee may take any or all of the following actions to remedy the default and protect its interests: (a) declare all unpaid monies immediately due and payable; (b) Terminate Services; (c) terminate the Services; (d) take any other lawful action McAfee may deem appropriate to enforce your obligations under these Terms. Customer agrees to pay costs and reasonable attorney's fees McAfee may incur enforcing its rights under this agreement.


So I'd send them a cancellation letter or something similar around the 340th day, and by that time, hopefully there's more competitively full priced PCI scanning services out there in a year's time?

You may not use PayPal of course but I just thought I'd let you know what I'd come across, in case it helps.

_________________
Regards,
Rob

Newbie Cre Loader - Running Version: CRE Loaded PCI Pro v6.4.0.a

http://www.shopfullstop.co.uk We Offer It, You Buy It!


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Sun May 15, 2011 10:27 am 
CRE Newbie
Joined: Sun Oct 04, 2009 5:11 pm
Posts: 16
GoDaddy offers scans for less than $10 per month and provides a "logo" indicating status of site as well. http://www.godaddy.com/security/website ... x?ci=20677


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Sat Oct 15, 2011 2:13 pm 
CRE Legend
Joined: Wed Jul 30, 2003 12:00 am
Posts: 1521
SAVE YOUR MONEY.

Scans do nothing to really secure your data, they just waste your time and give you a false sense of security.

CRE Secure will really actually provide you with seamless PCI Compliant security and we now support more gateways than ever.

Also you can get CRE Secure free for 25 trans a month with any 6.5 pro or B2B purchase, and the 250 trans a month is just $12 a month additional.

Try it and you will see it is the best possible solution for PCI Compliance bar none.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Evil Overlord
Loaded Commerce, LLC & The Reactor Works / Hosting
http://loadedcommerce.com | http://thereactorworks.com | http://thereactorhosting.com

JOIN THE LOADED SKYPE CHAT:
http://tinyurl.com/7mlvwot

follow me on TWITTER! http://www.twitter.com/saliozzia


 Post subject: Re: PCI Compliance Questions-Site Scanning-McAfee, etc.
PostPosted: Wed Nov 14, 2012 4:47 pm 
CRE Talented
Joined: Tue Nov 30, 2004 1:00 am
Posts: 384
Location: New Smyrna Beach, FL
drm1963 wrote:
One thing you better ask your hosting company is if they are willing to work with your scanning company to assist in getting your site PCI compliant! I ran into the same thing when I was using CRE Hosting (Chain Reaction Hosting): one thing was said, then I was later told something different. It was always the scanning company's problem (WINK-WINK) (ControlScan), even though they used to say "THEY WERE PARTNERS"; even they could not make it happen and pass scans on a regular basis. So be sure to always save emails and get everything in writing beforehand!


We always assist clients with operating system scan violations and remediate as false-positive or dispute, because the underlying open source project such as OpenSSH and CentOS may have back-ported and patched rather than matched the version the scanner thinks should be present.

We do charge to fix violations found in the CRE cart such as the attack vectors of advanced search, banner manager and others. The best thing to do to ensure a host has completed their assessment is request an "Attestation of Compliance" document.

_________________
Inetbizo Open Source eCommerce Strategy Consultant
========================
CRE, osCommerce E-Commerce Education, Forums, Links
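
An added illustration of the back-port point in the post above (not part of the thread, and not the poster's own tooling): when a scanner flags a package by version number, the package changelog printed by `rpm -q --changelog <package>` is the usual evidence that the fix was back-ported. The function name, the sample changelog and the CVE ids below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `rpm -q --changelog <package>`.
# Versions, packager and CVE ids are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Tue Mar 02 2010 Example Packager <packager@example.com> - 4.3p2-41.el5
- backport upstream fix for CVE-0000-1111 (#000001)
- fix typo in man page

* Wed Feb 17 2010 Example Packager <packager@example.com> - 4.3p2-40.el5
- backport fix for CVE-0000-2222 and CVE-0000-3333

* Mon Jan 04 2010 Example Packager <packager@example.com> - 4.3p2-39.el5
- rebuild
EOF
}

# backport_evidence CVE-ID...   (changelog text on stdin, newest entry first)
# Prints one line per requested id, in the order given:
#   "<id> PATCHED <version-release> <Mon DD YYYY>"  or  "<id> NOT-FOUND"
backport_evidence() {
    awk -v cves="$*" '
        BEGIN { n = split(cves, want, " ") }
        /^\* / {
            # Entry header: "* Dow Mon DD YYYY Packager <mail> - version-release"
            date = $3 " " $4 " " $5
            ver  = $NF
            next
        }
        {
            # Whole-id match only, so CVE-0000-111 does not match CVE-0000-1111.
            for (i = 1; i <= n; i++)
                if (!(want[i] in hit) && $0 ~ (want[i] "([^0-9]|$)"))
                    hit[want[i]] = ver " " date
        }
        END {
            for (i = 1; i <= n; i++)
                if (want[i] in hit) print want[i], "PATCHED", hit[want[i]]
                else                print want[i], "NOT-FOUND"
        }'
}

# Stand-alone demo on the constructed sample. On a real host the input would be
# the package changelog, e.g.: rpm -q --changelog openssh | backport_evidence <ids>
sample_changelog | backport_evidence CVE-0000-1111 CVE-0000-9999
```

Ids reported as NOT-FOUND are the ones that still need patching or a different form of evidence before a dispute is filed with the scanning vendor.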