
PCI Compliance

It has not been long since I became involved in many client requests to make their servers PCI compliant. More often than not they would just pass on to us a report of at least 30 pages listing what needs to be done to become "PCI Compliant". This would often cause a short debacle between us and the clients, since merely looking at the report and evaluating what needs to be done on our part already costs us time.

The point of this article is: how much should we get involved in getting our customers "PCI Compliant"?

From a customer's point of view, they would generally expect all the technical work in the report to be done for them. From my point of view, this should not be the case. Security compliance is another box when it comes to web hosting; if the customers are employing a third-party security company, then that company should do most of the leg work. We do not need to analyze pages of reports, which is work those security companies are supposed to be doing. We'd be more than happy to get the customer compliant, but we only need the specific technical points to do our part. Yes, the customer gets confused at first when we throw these ideas back at them; fortunately they get our point and refer back to the security vendor, and the vendor then liaises directly with us.

I'd hope there is a much more structured process between the security vendor, the customer and the hosting company. How about you? How have you been doing so far, as a customer, vendor or hosting company, with your part in the PCI compliance process?
