[alistairfellowes]

I've read conflicting advice on whether or not there are security implications for putting a new payment gateway site on a shared server, and if these security implications are removed when moved to a virtual private server.

Is there security issues with putting your site on a shared server, or is it more that there are bandwidth issues and pages not loading quickly, or at all, occasionally interfering with the gateway payment transaction process?

[SniderDK]

if you take card details on-site and process via an API then you can't simply because of outdated PCI rules on the definition of "multi-tenant" hosting as technically a VPS is a multi-tenant machine even though it was originally made to cover shared hosting... thats the source of the conflicting opinions.

way round is to have a dedicated box todo the card processing for you... bit of a PITA really

[alistairfellowes]

SniderDK, on 28 September 2011 - 01:33 PM, said:

if you take card details on-site and process via an API then you can't simply because of outdated PCI rules on the definition of "multi-tenant" hosting as technically a VPS is a multi-tenant machine even though it was originally made to cover shared hosting... thats the source of the conflicting opinions.

way round is to have a dedicated box todo the card processing for you... bit of a PITA really

I'm a bit new to all this. Are you saying that the PCI rules say that VPS is or isn't suitable due to the server being multi-tenant?

[SniderDK]

alistairfellowes, on 28 September 2011 - 01:46 PM, said:

I'm a bit new to all this. Are you saying that the PCI rules say that VPS is or isn't suitable due to the server being multi-tenant?

yes... so to take card payments you have to redirect users to paypal, google checkout, sagepay form etc...

[alistairfellowes]

I'm not quite following you :/ Do you mean yes VPS is allowed or yes it isn't allowed by PCI rules?

[skidz]

No, a VPS counts as multi tender. (Shared hosting). You can use an external API such as paypal, google checkout but to actually request card details you will need a dedicated server (amongst other things),

[alistairfellowes]

What is the best solution for new/very small web design businesses when it comes to creating sites that collect card payment. Payment processing rather than payment gateway or get a dedicated server?

[skidz]

I'd use a gateway like sagepay tbh!

[alistairfellowes]

Ahh, I'm still learning - got a lot to learn. So Autourize.net etc is a payment gateway? Is it okay to use payment gateways on shared servers?

[SniderDK]

alistairfellowes, on 28 September 2011 - 04:11 PM, said:

Ahh, I'm still learning - got a lot to learn. So Autourize.net etc is a payment gateway? Is it okay to use payment gateways on shared servers?

no its not, that’s what I was saying

you would have to invest a few hundred a month or use a hosted shop like shopify or my up and coming service

[alistairfellowes]

Snider, are you saying that Authorize.net is not a payment gateway, or that it is not okay to use a payment gateway on shared servers, or both?

[rallport]

alistairfellowes, on 28 September 2011 - 04:45 PM, said:

Snider, are you saying that Authorize.net is not a payment gateway, or that it is not okay to use a payment gateway on shared servers, or both?

He's saying it varies as you have a lot of integration methods for taking payments on your site. For instance, with Sagepay you have several options:

Form - users leaves website to pay
Server - in between, acts like user is making payment directly on site
Direct - users stays on website - SSL certificate required, higher level of PCI compliance. In the case of direct, a CURL request is made directrly from your website

This post has been edited by rallport: 28 September 2011 - 09:07 PM

[rallport]

SniderDK, on 28 September 2011 - 01:51 PM, said:

yes... so to take card payments you have to redirect users to paypal, google checkout, sagepay form etc...

If I'm reading you correctly, are you saying to use say sagepay direct, you couldn't use shared hosting due to pci compliance.

If so (and apologies if you aren't) I'm not sure you;re entirely correct. I've just have 3 sites, all on the same shared server, audited by 2 different merchant banks and checked for PCI compliance by sage pay. All came through with no issues. All the sites used the direct method too.

[SniderDK]

rallport, on 28 September 2011 - 09:10 PM, said:

If I'm reading you correctly, are you saying to use say sagepay direct, you couldn't use shared hosting due to pci compliance.

If so (and apologies if you aren't) I'm not sure you;re entirely correct. I've just have 3 sites, all on the same shared server, audited by 2 different merchant banks and checked for PCI compliance by sage pay. All came through with no issues. All the sites used the direct method too.

no you got me right... in talks before with rackspace it was always for level 1 compliance which has tighter restrictions, I've just sent my account manager an email to talk about the lower levels if it turns out your right (i hope you are!) I think I might owe you a pint mate!

[alistairfellowes]

I hope one day to understand all this lol. Are there any good resources that I could read?

[Dx3webs]

This is a very useful into

http://www.crucialwe...pliant-hosting/