Question

Do I need to be an expert on security to have a secure Online Store in my droplet?

Posted October 13, 2020 · 134 views
Security

I have a big question about security and its requirements. I have a client who needs an online store with Stripe payment processing and I am concerned about hosting their website here or with another company that offers managed service (cw) because we will not have a security expert or anything like that to configure the server, update and maintain top security to prevent theft or leakage of card numbers. We are willing to invest the money in the other managed service company because we know that we will support DigitalOcean in the same way.

From what I am doing here, I have realized that things are easy, everything can be installed in just 1 click from the marketplace but I do not know about security and server protection issues. Do I need to be an expert in security or something related to be able to give full confidence to customers who buy through the online store with a card?


1 answer

Hi @hcmendez,

Your assumption is somewhat correct. Hosting a website where people buy using their cards is quite a challenge. You need to have a PCI compliance test done, I think every 3 months, and their requirements are quite hard.

There is a workaround though, you can decide to use a vendor and once a person wants to buy something from the website redirect them to it. That way you don’t have to worry about storing the data on your droplet directly.

Regards,
KFSys

  • Thanks for the answer, this PCI compliance test has to be done by an expert or anybody can do it? Besides, an SSL certificate wouldn’t be enough to secure card data?

    • So, you’ll usually go to a vendor that does PCI tests. Once they do the said test, they provide you with a list of findings you need to resolve or prove you’ve backported. It takes a good if not even more system administrator to go over the list and resolve everything that’s on it.

      As for the SSL, it does to some extent but there are other means of getting data from a droplet than just using the website. I’ll suggest doing a bit of research on PCI to see various vendors and what they offer.

      Ideally, you can, as said, use a vendor like PayPal to process payments through it.

      Regards,
      KFSys
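The advice in this thread comes down to keeping raw card numbers off the droplet entirely: send the shopper to the payment vendor and let the vendor's hosted page take the card, so your server only ever sees an order id and a vendor reference. The snippet below is an added example, not code from the question, the answer or any DigitalOcean or Stripe project. It shows two defensive checks a shop backend can run to make sure that boundary holds: a guard that refuses any form submission carrying something that looks like a primary account number (PAN, detected by length plus a Luhn check), and a log scrubber that masks a PAN if one ever leaks into a log line. `build_vendor_redirect` and the `payment-vendor.example` host are placeholders standing in for the vendor's real checkout URL; the 4242… number is a constructed test value.

```python
"""Keep card data off the web server: a request guard and a log scrubber.

Added example. Hypothetical names: build_vendor_redirect, payment-vendor.example.
"""
import re
from urllib.parse import urlencode

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (so long order numbers or hashes are not flagged).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate in text, with separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def reject_if_card_data(form: dict) -> tuple[bool, str]:
    """Guard for incoming form/JSON bodies.

    Returns (allowed, reason). A shop that uses a hosted vendor checkout should
    never receive a PAN; if one arrives, refuse the request rather than store it.
    """
    for key, value in form.items():
        if find_pans(str(value)):
            return False, (f"field '{key}' looks like a card number; "
                           "card entry must happen on the payment vendor's page")
    return True, ""


def scrub(text: str) -> str:
    """Mask all but the last four digits of any Luhn-valid PAN in a log line."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)       # leave non-card digit runs untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)


def build_vendor_redirect(order_id: str, amount_cents: int,
                          base: str = "https://payment-vendor.example/checkout") -> str:
    """Hypothetical redirect builder: only the order reference and amount leave the
    droplet; the vendor's hosted page collects the card details."""
    return base + "?" + urlencode({"order": order_id, "amount": amount_cents})


if __name__ == "__main__":
    # Constructed sample request: a shopper's browser wrongly posted a card number.
    bad_form = {"order_id": "A1001", "cc": "4242 4242 4242 4242"}
    print(reject_if_card_data(bad_form))
    print(scrub("checkout failed for pan=4242424242424242 order=A1001"))
    print(build_vendor_redirect("A1001", 1999))
```

Running the guard in front of the checkout endpoint and the scrubber in the logging formatter does not make the server PCI compliant by itself, but it keeps the droplet out of the part of the flow that stores, processes or transmits card numbers, which is exactly the scope reduction the answer above describes when it says to let a vendor handle the payment.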
