PCI DSS Hosting – Is it really worth it?

11 08 2010

It was only a year ago, but oh how the polish seems to have worn off. Those wild, heady days where the Payment Card Industry Data Security Standard was ‘my new religion’ were some of the happiest. It didn’t matter who I was talking to – and it certainly didn’t matter if they were interested in the topic – I would stop at nothing to educate on the wonders and achievements that were the Standard.

In the web hosting world, where I spend far too much of my time, the Standard sets out a list of requirements for the hosting provider to guide them on how best to secure their systems. More importantly, it tells the provider how to meet the requirements of the Standard so that their customers are not in breach of their existing contracts with their bank. That’s right: every merchant agreement requires that the merchant be compliant with the Standard, or they could be liable for any losses resulting from a security breach.

When I became manager of a web hosting company 18 months ago, I set out to implement a PCI DSS product for our customers to use. Any business approaching us to host an e-commerce site would be offered the most resilient, all-complying hosting solution money could buy. My surprise? Nobody wanted to buy it.

Defending the Standard

PCI DSS really is great stuff, and I can’t be clear enough on that. It lays out best practices for an industry (web hosting) that doesn’t really have any. I’d be surprised if any business wants to host their customers’ or their own data in a manner other than what the DSS recommends. If you are compliant with the Standard’s requirements, then the chances of you experiencing a security breach are significantly reduced.

The best way to defend the Standard is simply to say that it’s common sense. And it is! If you doubt that, and many do, consider the following examples of PCI DSS’ requirements. Would you drop any of them and feel just as secure as you did before?

  • Database servers not accessible to the Internet
  • Web servers behind an Intrusion Prevention Firewall
  • Up-to-date virus scanners and vulnerability management
  • Background screening (such as criminal record checks) of anyone with high-level access to the hosting environment
  • Regular security scanning and network penetration tests
  • Proper information security and response policies

What surprised me when I first started looking at this as a product to develop for my customers was the sheer lack of any competitors. From countless searches, I could come up with only 2 other Australian hosting providers who said “we are PCI DSS compliant”. But… every e-commerce site must be PCI compliant, right? This is in their contract with the bank. Here’s an entirely untapped, niche market. It all seemed too good to be true.

It was…

The problem with the Standard

The (only) problem with the Standard is, ironically, a financial one. It may be best to explain this in practical terms…

Imagine yourself as the (Australian) operator of a medium-sized e-commerce site, fancycheeseshop.com, and you host that site in Australia. Your site’s revenue is $500,000/year, or ‘medium-sized’, and your net profit every year is $100,000 or 20%.

Sounds pretty decent for a small-to-medium e-commerce site to make 500k/y. Now consider the cost of three different hosting solutions:

  • El-Cheapo U.S. Hosting Co. $5,000/yr. Just a basic virtual server hosted in the US. No added security or features.
  • Standard Australian Dedicated Hosting. $15,000/yr. Dedicated combined web/db server. No PCI compliance, but good enough for most.
  • Elite Australian PCI DSS Compliant Hosting. $48,000/yr. Everything you need to meet your contractual obligations to the bank.

These numbers are quite realistic, so I’m sure you see the problem here. The cost of being PCI compliant (in Australia at least) is prohibitive. Would you spend half of your yearly profit to satisfy the Standard? I would not.

But why is PCI DSS so expensive? More than anything, it comes down to the cost of operating an environment that needs to be a lot more complicated than your ‘average’ hosting, where your host doesn’t care what you’re hosting. Here are just a few of the things that we provide our PCI DSS customers that run up the bill quite a bit:

  1. Centralised log collection software with tamper-proofing.
  2. Physically isolated web and database servers (read: duplication of infrastructure)
  3. SSL-offloading Intrusion Prevention System (that’s one really expensive piece of equipment)
  4. External security scans and auditor fees
  5. Housing in a PCI-compliant data centre (about 25-40% more expensive than a regular data centre)
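To make item 1 concrete, here is an added example of what “tamper-proofing” a centralised log can mean in practice. It is my illustration, not the author’s software or any product: each forwarded event is chained to the previous one with an HMAC keyed by a secret that only the collector holds (an assumption), so a compromised web server can still submit new events but cannot rewrite or delete earlier ones without breaking verification. The sample events and field names are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed sample events, as a web/db tier might forward them to a central
# collector (field names are hypothetical, not from the original post).
SAMPLE_EVENTS = [
    {"ts": "2010-08-11T09:00:01Z", "host": "web01", "msg": "sshd: Accepted publickey for deploy"},
    {"ts": "2010-08-11T09:00:07Z", "host": "web01", "msg": "sudo: deploy : COMMAND=/usr/sbin/service apache2 reload"},
    {"ts": "2010-08-11T09:01:12Z", "host": "db01", "msg": "mysqld: Access denied for user 'root'@'web02'"},
]

# Assumed to be held only by the log collector: a compromised web server can
# still submit new events but cannot recompute digests for existing ones.
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64


def _digest(prev_digest: str, record: dict) -> str:
    """HMAC-SHA256 over the previous digest plus the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(COLLECTOR_KEY, prev_digest.encode() + canonical, hashlib.sha256).hexdigest()


def append_events(chain: list, events: Iterable[dict]) -> list:
    """Append events in order; every entry commits to the digest of the one before it."""
    for record in events:
        prev = chain[-1]["digest"] if chain else GENESIS
        chain.append({"seq": len(chain), "record": record, "digest": _digest(prev, record)})
    return chain


def verify_chain(chain: list, head_digest: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the seq of the first bad entry.

    head_digest is the digest the collector last published out of band (for
    example to write-once storage). Without it, silently dropping the newest
    entries is undetectable, because the remaining prefix still chains correctly.
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq:
            return expected_seq  # entry removed from the middle, or reordered
        if not hmac.compare_digest(entry["digest"], _digest(prev, entry["record"])):
            return expected_seq  # record edited, or digest forged without the key
        prev = entry["digest"]
    if head_digest is not None and prev != head_digest:
        return len(chain)  # tail truncated: the published head is missing
    return None


def tamper_demo() -> dict:
    """Build a chain, then report which manipulations verify_chain catches."""
    chain = append_events([], SAMPLE_EVENTS)
    head = chain[-1]["digest"]

    edited = copy.deepcopy(chain)
    edited[1]["record"]["msg"] = "sudo: deploy : COMMAND=/bin/ls"  # hide the real command

    deleted = copy.deepcopy(chain)
    del deleted[1]  # remove the sudo event entirely

    truncated = copy.deepcopy(chain)[:-1]  # drop the newest event

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The point of the last two results is the caveat a practitioner cares about: chaining alone proves nothing about the tail of the log, so the collector must also publish its current head digest somewhere the web tier cannot write to, or an attacker simply trims the chain back to before their activity.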

My experience in offering this solution to our customers for 12 months has been rather disappointing. I believe that our adherence to the DSS has actually lost us business. When an e-commerce customer approaches us after spending 200k on a shop and I tell them that I’ll charge them 25% of that every year, well, of course they talk to my competitors.

My competitors don’t care if you’re PCI compliant or not. Many of them don’t even know what it is. When they propose a regular hosting solution, it is invariably 30% of what I proposed.

What’s The Solution?

I really don’t know. I will continue to offer PCI DSS compliant hosting to those that want it, but can I afford to be proposing such expensive solutions when none of my competitors are doing the same? Or when my prospective client isn’t the least bit interested? Should I simply stop offering it unless someone big enough knows they need it?

Personally I feel these things are irresponsible, and I believe that’s what makes our hosting company a bit different to all the rest. We try our best to make sure the client is doing the right thing in this space, which they are generally unfamiliar with. As another example, do we wait for a major corporation to ask for a Disaster Recovery Plan (generally when it’s too late), or do we offer it to them up-front?

Perhaps the governing body, the Payment Card Industry Security Standards Council, needs to be doing more to raise awareness of DSS and their other standards? Or maybe our own governments should be legislating more to protect not just credit card data, but all personal data online?

I welcome your comments and feedback on this subject.





Selling lies and magic

8 03 2010

For the uninitiated: I’m a hosting geek. I’ve spent about 10 years working in web hosting, in some capacity or another, and I really enjoy it here. In the past year, I’ve had the privilege of establishing a web hosting company, which is owned by a massive Australian corporate advertising and communications group. The hosting company I run has invested in some of the best infrastructure in town. My customers are among the biggest brands in the country, and for them even a simple 5-minute outage is a big deal.

For me, the best part of starting this hosting company is that I’ve been able to do it my way. Conveniently, my way matches the corporate ethos in that massive parent company that I work for. In my time working in an advertising group, I’ve come to observe that if you don’t protect your customer and treat them right, you’ll lose them really quickly. Compared to the web hosting industry, it is very easy for an advertising customer to move away to a new provider. Moving from one hosting company to the next is a painful process that takes a lot of time. The effect of this, I believe, is that hosting companies can treat their customers quite poorly, as those customers have a higher tolerance for getting screwed.

All I want to do with my web hosting company is build a service which I can truly be proud of. My managers believe that this approach can be quite profitable and grow quickly. I agree with them, but between you and me, I’m not really doing this for money or business success. I’m doing this because I’m too ideological. I’m doing this because the hosting industry in Australia currently disgusts me.

What I find so repulsive about the state of the industry is that, with some honorable exceptions, most of my competitors seem to be completely uninterested in taking care of their customers. This is business, and you should always be looking to protect your own stock. But isn’t it true that, in business, if you take care of your customer then they will take care of you?

I’m not going to mention names, but I would like to share one experience. In the last few weeks, I’ve been bidding for a contract to host the corporate website of a very large multinational organisation. They required a hosting solution that would be truly robust, and incorporate all of the must-haves to achieve that, such as load balancing, disaster recovery, and 24×7 support. I prepared a lengthy solution overview which detailed how my hosting company would achieve the resulting 99.95% uptime guarantee.

99.95% equates to a maximum monthly downtime of about 22 minutes (for a 30-day month). 99.5%, which is your industry standard, is a maximum of about 3.6 hours per month. These guarantees typically involve the provider paying financial compensation to the customer if the site is offline for a longer period. Three to four hours of downtime, especially if it occurs during peak load, can be quite serious for a large organisation that depends heavily on their website.

Computers break, we all know that. My offer of 99.95% availability is an engineered value based on my work as a solution architect. I’m aware of what systems will fail, the way they are likely to fail, and what needs to happen to make those failures transparent to the outside world. In all likelihood, their website would operate 100% of the time for most months, but occasionally bad things happen and I’m not going to make promises that I don’t think the infrastructure will keep.

A competitor of mine also bid on the project, and responded with a solution that was 1/4 of the price, and offered a 100% availability guarantee. It consisted of a ‘load balanced environment’, but only a single web server, and only a single database server. The web server had no backup solution, and no disaster recovery component. The potential downtime here is literally hours or even days. If that provider’s data centre catches fire, there are no backups of the web server, no secondary site, and no secondary hardware to rebuild with.

The 100% guarantee is nothing more than an insurance policy. The provider will offer a 10% rebate for failure to meet the guarantee, but will also increase the price by 10% per month.
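To put numbers on the argument above, here is an added worked example; it is mine, not the author’s figures or the competitor’s. It converts an SLA percentage into a monthly downtime budget and composes per-component availabilities for the design the competitor proposed (one web server, one database server, one data centre) against a redundant design. The per-server and data-centre availabilities are assumed for illustration, and the model assumes independent failures, which is precisely what a single shared data centre breaks.

```python
from functools import reduce

MINUTES_PER_30_DAY_MONTH = 30 * 24 * 60  # 43,200


def monthly_downtime_minutes(availability: float, minutes_in_month: int = MINUTES_PER_30_DAY_MONTH) -> float:
    """Downtime budget implied by an availability figure such as 0.9995 (99.95%)."""
    return (1.0 - availability) * minutes_in_month


def series(*components: float) -> float:
    """Availability when every component must be up at once (no redundancy)."""
    return reduce(lambda acc, a: acc * a, components, 1.0)


def parallel(*replicas: float) -> float:
    """Availability when any single replica suffices (active/active or failover),
    assuming the replicas fail independently."""
    p_all_down = reduce(lambda acc, a: acc * (1.0 - a), replicas, 1.0)
    return 1.0 - p_all_down


def meets_target(availability: float, target: float) -> bool:
    """Whether a design's composed availability clears the SLA the sales team promised."""
    return availability >= target


def compare_designs(server: float = 0.995, data_centre: float = 0.9995) -> dict:
    """Monthly downtime, in minutes, for three designs.

    server: assumed availability of any single server (web, db or load balancer).
    data_centre: assumed availability of the facility itself (power, network, fire).
    Both numbers are illustrative assumptions, not measured values.
    """
    # Competitor's offer: one web server + one db server, one facility.
    single_site_no_redundancy = series(data_centre, server, server)
    # Load balancer pair, web pair, db pair, still inside one facility.
    single_site_redundant = series(
        data_centre,
        parallel(server, server),
        parallel(server, server),
        parallel(server, server),
    )
    # Same redundant stack in two facilities with a DR site; idealised, assumes
    # instant failover and independent facilities.
    two_sites_redundant = parallel(single_site_redundant, single_site_redundant)
    designs = {
        "single_site_no_redundancy": single_site_no_redundancy,
        "single_site_redundant": single_site_redundant,
        "two_sites_redundant": two_sites_redundant,
    }
    return {name: round(monthly_downtime_minutes(a), 1) for name, a in designs.items()}


if __name__ == "__main__":
    print("99.95% budget:", round(monthly_downtime_minutes(0.9995), 1), "min/month")
    print("99.5% budget:", round(monthly_downtime_minutes(0.995), 1), "min/month")
    for name, minutes in compare_designs().items():
        print(f"{name}: {minutes} min/month")
```

Two things fall out of the numbers. First, with the assumed figures the single-server design spends roughly seven hours a month, so a 100% guarantee on it is a pricing decision, not an engineering one. Second, even a fully redundant stack cannot beat the data-centre term it sits in series with: if the facility is assumed at 99.95%, the stack is capped at about 25 minutes a month no matter how many servers are added, which is why the DR component the competitor omitted matters.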

My prospect was unfortunately not technically aware, at least not in the hosting sense, and failed to see the risks in this proposal. The deal went to my competitor. I’ve added their web site to my monitoring platform, and will be sure to give them a call after their first several-hour outage.

In the interim, I’ll be asking the question: How can I compete with someone selling lies and magic?





The Death of VMware

18 01 2010

I like to think that I’ve had a good amount of experience with VMware. I’ve been using their line of “Data Center Virtualisation” products for several years now. I’m a VMware Certified Professional, and the company I run is a VMware Service Provider Partner.

Admittedly, I’ve no experience with their desktop and application virtualisation, but I believe it’s safe to say that VMware make the best server virtualisation products around. Yes… I’ve used the others (Xen, Hyper-V, QEMU)… and anyone who says that Hyper-V can do what vSphere does simply doesn’t understand what vSphere is capable of doing.

So why the dramatic title? How could someone who is a VCP, VSPP, and admittedly rather fanatical about how good the VMware engineering team is, say something so strongly worded as: The Death of VMware?

I’m making this statement because not only am I a user of VMware, I am also a customer of VMware. I’m going to share some key experiences that I have had with VMware as a partner and customer. As you will see, the non-engineering side of VMware is in a state of ruin.

  • Support is terrible. Despite raising six different “Severity 1″ tickets in 2009, I was never once contacted within the 30-minute response target they advertise for Platinum. I was never contacted in less than 60 minutes, and even if I called them to chase, I would be told that an engineer would call me back. You cannot be transferred to an engineer at VMware, it seems their phones can only dial out.
  • Nobody speaks decent English. This effectively slows a critical problem’s resolution right down, because you have to explain the situation 3 or 4 times before the operator finally decides to escalate the problem to an engineer, who will call you back.
  • Partners get no love. Being a VMware Partner is like being best friends with a crocodile. Continue to feed it, and you can continue to be friends. Try to do anything, like I dunno, get a logo to use on your website, and it will bite your fucking head off with the worst partner services website in the world. Okay, so the crocodile analogy didn’t work.
  • They have a ‘best effort’ website. When you buy something from VMware, download it and make copies of it. Chances are, when you need to download it again, the VMware website will be offline.
  • Certification is a waste of time. I’m certified with Microsoft, VMware, and Cisco. My certification effort with VMware has been a big waste of time. My Partner Account lists me as a non-VCP, my “MyLearn” portal lists me as never having sat the test, and despite numerous emails and assurances from VMware, I’ve never received my welcome kit. All I have to prove my VCP status is an email in which VMware gave me my VCP number. Prospective employees will hopefully accept this as proof, because it’s all I’ve got even 8 months after my exam and course.

In short, VMware have provided the worst experience I’ve ever had in certification, support, partner service, and web-based interaction.

My dramatic title, “The Death of VMware”, comes from my experience as a VMware customer and partner, who is constantly being disappointed. I will continue to buy VMware, because they engineer the best virtualisation product. But – as with all things – it won’t be long before a competitor comes up with an acceptable replacement product, and will actually support their customers.

This was also the story of the decline of Novell, who used to treat their customers like crap because they were #1. Once a competing product reached maturity, nobody felt any loyalty, and today, Novell is all but dead.

I hope VMware can get it together and treat their customers with respect. Otherwise, soon, they will begin their steady decline.





Stick to your guns, and shoot yourself in the foot.

23 09 2009

I manage a small web hosting operation which has a key focus on providing better service and quality than anybody else. Technically this includes things like security and availability, but web hosting isn’t just about technical service. It’s also about how you interact with customers, how you serve them. Lately, I’ve noticed more and more companies that are failing to dig themselves out of the ‘the customer is always an idiot’ culture. For us, if a customer has a special request that goes outside of how we normally do business, we do everything possible to serve our customer. The simple reason for that is that they give us money, and if we’re good to them, maybe they’ll give us more.

I’ve recently encountered a brilliant example of a company so determined to stick to its guns that it’s turning away customers who would like to give them more money. We buy a monthly service from this company (let’s call them Provider A), and do so under a two-year contract. Earlier this year, we had many problems with the quality of their service. I won’t go into detail, but we were getting to a point that we were going to sue them for breach of contract. Fortunately, the relationship stabilised somewhat, but I still find myself unprepared to commit to doing long term business with them, unless I can see an improvement in their internal processes and service.

Of the services we buy every month, one of the largest components is data. We buy an allocation of monthly downloads from two different providers (let’s call them Provider A and Provider B), and we pay an excess fee if we use more than our allocation from either provider. This is a lot like how your home Internet bill works, but with a vastly larger amount of data each month.

I’m happy to say our business growth has resulted in the problem of needing to buy more data per month, and as such we had begun paying excess charges for going over our allocations. Provider A has a price list with pre-set allocations per month, ranging up to huge amounts in the TB/month region. As the allocations get larger, the gap between them gets wider. Our problem is that our current usage is in the middle of two allocations, so we either take the smaller one and pay excess, or take the larger one and waste it. The difference in price between these two allocations is thousands of dollars, so I’m sure you can appreciate my desire to buy something in the middle.

I approached Provider A and asked if they would quote on an allocation in the middle of the two, and their response was that they would not, unless we renewed our contract for another two years. I didn’t walk away from it at this point, keen to find an easy solution for our business, and spelled it out: “I won’t renew my contract because of the poor service history, but I want to give you more money in exchange for more services… can we buy an allocation in the middle?”. The answer was still no, and that it was a “standard business rule”.

I didn’t go to any fancy business schools, but in my world, the “standard business rule” is, simply, grow. Grow your service, grow your revenue, grow your profit, grow your business. It’s a free market, and now more than ever an information-based market, so if you won’t compete to win business, you won’t win any business.

Fortunately for me, we buy Internet connectivity from more than one provider (to achieve redundancy). I called Provider B, and asked them if they would let us buy a specific allocation of data without renewing the contract. To my relief, this company was happy to talk about new pricing, without renewal, and are even negotiating with us. I’m so pleased with their service and attitude that next time I need data, or anything else they sell, I’ll be talking to them first.

The key point here is not that Provider A couldn’t offer the product that we wanted, it was simply that they wouldn’t offer the product unless I rewarded them for their ineptitude. In this way, I felt that Provider A was more interested in serving their own interests, rather than mine. Nobody in business worth their salt would try to tell you that the way to grow your business is to do anything but enable the growth of your customers’.

Once again, the free market shows us that unless you’re working for your money, you won’t get any. Adam Smith would be pleased.





PCI DSS Hosting – my new religion

26 08 2009

“PCI DSS”, or “PCI Compliance”, is something that everyone with an e-commerce site is going to start hearing more and more about in the coming months. You may have already started hearing about it, and probably decided early on that you’re not a fan. I can’t say I blame you, but hear me out.

Discussions with any merchant around PCI compliance seem to quickly move towards “this is crazy rubbish!”. This is the response you’d expect from any non-believer when faced with a new religion. But hold on tight because I’m about to go all crazy-fanatical on you!

For those of you just starting to hear about this little miracle, here’s the short(ish) version. Up until a few years ago all the major credit card companies such as Visa, Amex, and Mastercard operated their own “security standards”, which were sets of rules and requirements that they placed on their customers, the banks. The banks then passed the requirements on to their customers, the merchants.

The problem was that if you were the customer, and wanted to process a Visa card or an Amex card, for example, you would be required to agree to comply with two separate security standards (one for Visa, one for Amex). To alleviate this problem, the card companies formed the Payment Card Industry Security Standards Council, which then unified all the differing standards into one document which they called the Payment Card Industry Data Security Standard, or PCI DSS for short(…ish).

This standard applies to any merchant, be it online or offline. For this discussion however, I’m only referring to e-commerce sites. If you maintain an e-commerce operation that conforms to the PCI standard, then you are said to be “PCI compliant”. Perhaps the most shocking thing that I encounter in my line of work is that all organisations with an e-commerce site have already agreed with their bank or other payment provider that they will operate in a PCI compliant manner, but most of them haven’t even heard of it.

If I may, allow me to dispel a few common myths about PCI compliance, starting from the most common:

  1. It’s not my problem.
    If you’re operating a merchant account on an e-commerce site, you’ve signed an agreement with your bank or payment provider stating that you are PCI compliant, and that you agree to pay fines that result from a security breach caused by a lack of compliance. That is, you are legally obligated to be PCI compliant already.
  2. It’s still not my problem.
    Some companies I’ve spoken to have the impression that PCI compliance for e-commerce is the responsibility of their hosting provider. This isn’t true. If your hosting provider has agreed, in writing, to give you PCI compliant hosting, then yes they are liable. However, this is rarely the case. Sadly, it is you that has the legal agreement with your payment provider, not your hosting company.
  3. It’s unnecessary nonsense.
    I’ll agree wholeheartedly that the PCI standard, if you read it, is incredibly detailed. A common reaction is to dismiss it as corporate nonsense that’s been written by people with far too much time on their hands. The reality is that PCI DSS is, for me, about more than just compliance – it’s my religion!

The above three myths, in their order, pretty much spell out the common path of merchants first getting exposed to PCI. First, you ignore it as if it doesn’t matter. Next, you dismiss it as someone else’s responsibility. Finally, you ignore it as if it doesn’t matter again.

What I’m here to say is that PCI DSS is not a compliance issue, it’s a quality issue. I’m sure I sound like a real preacher here, but I see the PCI standard as something like “the bible of responsible web hosting”. In this standard, you have all the components of a well-structured, properly-managed, reliable and trustworthy web hosting platform. Here are some of the major requirements of the PCI DSS standard:

  • Database servers not accessible to the Internet
  • Web servers behind an Intrusion Prevention Firewall
  • Up-to-date virus scanners and vulnerability management
  • Background screening (such as criminal record checks) of anyone with high-level access to the hosting environment
  • Regular security scanning and network penetration tests
  • Proper information security and response policies

This is just a sample. The PCI DSS standard is massive, and contains more than 100 questions for the hosting company relating to the environment.

A few weeks ago I was standing outside a data centre and I ran into a technician for one of my competitors. I won’t say who, but I asked him, “How are you guys going with PCI compliance?” The response was “We looked into it and decided it wasn’t worthwhile”.

My argument here is simply that, if you’re running a responsible hosting environment, you should be PCI compliant already! In the list above, is there anything there that doesn’t seem like common sense? Would you like to host your website with a hosting company that doesn’t have all of those requirements covered?
