I've been debating with a client who refuses to adopt PCI standards. I want to check with the community to make sure I'm correct in my objections.
Question: Is there a way to store credit card information on a shared hosting server AND be PCI compliant?
Here is the setup:
1) SSL is being implemented for the whole checkout process and for the client's site's admin section.
2) The credit card information is being stored on the server (a shared hosting plan) in a MySQL database. It is encrypted.
3) The client accesses a password protected admin panel and prints the credit card from her website.
4) The client then manually runs the credit card info through a terminal and deletes this credit card info from the server.
Take a look at MaximumASP's maxesp cloud offering: http://www.maximumasp.com/products/cloudhosting/default.aspx
They claim to be "completely PCI compliant" for both web and data tiers on their shared hosting cloud plan. Short of evidence to the contrary, the answer to your question appears to be "yes", assuming MaximumASP's claim is valid. I'm not familiar enough with the details of PCI to argue against them, but I'd be very interested if anyone else can refute the claim.