Do i need to be an expert on security to have a secure Online Store in my droplet?

Question

I have a big question about security and its requirements. I have a client who needs an online store with Stripe payment processing and I am concerned about hosting their website here or with another company that offers managed service (cw) because we will not have a security expert or anything like that to configure the server, update and maintain top security to prevent theft or leakage of card numbers. We are willing to invest the money in the other managed service company because we know that we will support DigitalOcean in the same way.

From what I am doing here, I have realized that things are easy, everything can be installed in just 1 click from the marketplace but I do not know about security and server protection issues. Do I need to be an expert in security or something related to be able to give full confidence to customers who buy through the online store with a card?

Answer 1

KFSys October 13, 2020

Hi @hcmendez,

Your assumption is somewhat correct. Hosting a website where people buy using their cards is quite a challenge. You need to have a PCI compliance test done, I think every 3 months, and their requirements are quite hard.

There is a workaround though, you can decide to use a vendor and once a person wants to buy something from the website redirect them to it. That way you don’t have to worry about storing the data on your droplet directly.

Regards,
KFSys

Reply Report

hcmendez October 13, 2020

Thanks for the answer, this PCI compliance test has to be done by an expert or anybody can do it? Besides, an SSL certificate wouldn’t be enough to secure card data??
Reply Report
- KFSys October 13, 2020
  
  So, you’ll usually go to a vendor that does PCI tests. Once they do the said test, they provide you with a list of findings you need to resolve or prove you’ve backported. It takes a good if not even more system administrator to go over the list and resolve everything that’s on it.
  
  As for the SSL, it does to some extent but there are other means of getting data from a droplet than just the using the website. I’ll suggest doing a bit of research on PCI to see various vendors and what they offer.
  
  Ideally, you can as said us a vendor like Paypal to process payments through it.
  
  Regards,
  KFSys
  
  Reply Report

Answer 2

hcmendez October 13, 2020

Thanks for the answer, this PCI compliance test has to be done by an expert or anybody can do it? Besides, an SSL certificate wouldn’t be enough to secure card data??
Reply Report
- KFSys October 13, 2020
  
  So, you’ll usually go to a vendor that does PCI tests. Once they do the said test, they provide you with a list of findings you need to resolve or prove you’ve backported. It takes a good if not even more system administrator to go over the list and resolve everything that’s on it.
  
  As for the SSL, it does to some extent but there are other means of getting data from a droplet than just the using the website. I’ll suggest doing a bit of research on PCI to see various vendors and what they offer.
  
  Ideally, you can as said us a vendor like Paypal to process payments through it.
  
  Regards,
  KFSys
  
  Reply Report

Related

Question

Do i need to be an expert on security to have a secure Online Store in my droplet?

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Do i need to be an expert on security to have a secure Online Store in my droplet?

Related

Leave a comment

Related

question

ISIS hack on my server / droplet

question

Game Server DDoS Attack??

question

How do I put my SSH key on my droplet? (Publickey,password in particular)

question

"freebsd-update install" command fails on FreeBSD 10.1-RELEASE

Looking for something else?