What I can say is, start with the simplest thing that works. It sounds like you’d need a bloody lot of traffic to bog down the single box you’re investigating. A single server setup will be simpler, less moving parts, less things to go wrong.

Once you get that server bogged down, you could put a web server in front of it, if you’re getting 50 requests per second – that’s a good problem to have.

I have the option of getting 2 decent servers from Nexcess. they are dual processor quad core servers, load balanced, with 16GB ram. Or, I can get 1 server from crucial that is a dual processor, hex core, 24GB. The single Crucial CPU is 3 X more powerful than the Nexcess cluster. Maybe this is better since Magento is so CPU intensive while putting together the php pages?

1. It is Magento based, but will not be used for ecommerce transactions.
2. Will have a good number of products (over 3000)
3. Should mostly see geographically local traffic.

So, even though we won’t be doing transactions, and our site visits should be in the 200-300/day range, we do have a lot of products and are somewhat graphic heavy.

I have already “decided” on who to host with, and have subsequently changed my mind several times. I have had the luxury of not having to decide yet because we ended up purchasing a new domain, so the transfer has given me a few extra days to come to a decision. I have now done so, and will be choosing Nexcess.

The most important reason I chose them, their site makes sense and their blog is full of stuff way over my head. We are going to go with the SIP-200 package, and depending on how it works out, we can upgrade if needed.

Thanks for the reviews on magento hosting, I’ve found your info very useful.

Preston

So we started shopping and found Nexcess. WOW! These guys know their stuff. They migrated the site free, which was very painful for them due to Crucial’s server timing out etc. We now pay $79/month, chron jobs work perfect, Eaccelerator works flawlessly, their servers are lightning quick, and you can host multiple sites under the account, which you can’t do with Crucial.

Crucial is not a bad host, they’re better than most and seem to know their Magento. I’m guessing they’re experiencing growing pains. But compared to Nexcess they’ve got a long way to go. Anyway, that’s my two cents. Hope it helps someone out.

I could not be more impressed with Nexcess.

The first red flag came up when a client was informed that they were over quota on a semi-dedicated container (at just over 5Gb). However, the client was on a 10GB plan. Their explanation? Their INTERNAL mirrored backup counts against the plan total. So 10Gb plan = 5Gb usable space. There eventualy was some ambiguity in subsequent responses, and I’m pretty sure the client was allowed to go over 5Gb. The point being that it never should have been an issue.

There have been a few other issues, such as their lack of offering of webmail clients (though I agree – why use a cpanel server as your mail host when Google Apps is available), their cpanel permissions, etc (need ftp users or subdomains? you’ll need to ask, but the response is quick and affirmative), but most recently a semi-dedicated client was SHUT DOWN without a phone call due to resource violations. They were sent the standard emails, which they either ignored or did not receive, but to SUSPEND a live ecommerce site that does hundreds in revenue a day is pretty severe, considering that Crucial has the phone number and can speak English. What was really irksome was that the violations were 2 backup files, which violated 2 policies:

1) no file larger than 256MB
2) no backups of any kind allowed on server.

That’s right… no backup files allowed on your account, which necessarily includes the backups that can be generated via Magento admin panel. Also, I should note that the offending files were created in June, and the policy wasn’t enforced until November. WTH?

So if you are considering Crucial, add this note to your consideration. They’re friendly and responsive, but one has to wonder about their policies and enforcement. Just ask lots of pre-sales questions.

We offer PCI compliant hosting for clients who do not store or transmit cardholder data. In order to build a PCI compliant ecommerce solution, your site needs to be paired up with a payment gateway partner (such as Authorize.Net, PayPal, or Google Checkout).

You can host your entire ecommerce site on our hosting plans up until the point where the customer provides credit card information during checkout. When a customer purchases items from your site, you’ll utilize the API with your payment gateway partner to provide a transaction ID and dollar amount to authorize.

The customer will then connect directly to the card processing system on a new session and input their payment information. After the processing system validates the transaction, it will return either an authorized or failed message. The failure messages can contain details such as insufficient funds, invalid card number, or failed to complete transaction.

The communication from the card processing system to your ecommerce system can never contain cardholder data. This includes the primary account number, expiration date, the name as it appears on the card, and CVV number.

Your ecommerce application’s database can store such information to uniquely identify the transaction with your payment gateway partner’s processing system, such as transaction ID, customer name, dollar amount of the transaction, timestamp of the transaction, and return status of the payment request.

By designing your ecommerce site in this manner, PCI compliance is reduced to a Type A Self-Assessment Questionnaire (SAQ) for merchants processing less than 6,000,000 annual transactions.

To achieve compliance when all cardholder data is handled by a partner, you only need to address two of the twelve sections of the complete PCI-DSS, and only a subset of the controls in each of those sections (specifically sections 9 and 12).

The current version of the Type A SAQ can be found here:

https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

A portion of PCI compliance is the external vulnerability scan using an Approved Scanning Vendor (ASV), such as McAfee Secure. A list of ASV’s is available here:

https://www.pcisecuritystandards.org/pdfs/asv_report.html

Your payment partner or acquiring bank may have a preferred partner to work with, so ensure their recommended partner appears on the ASV list.

After you’ve selected your scanning vendor, you’ll provide the systems to perform the scan your domain. After the scan completes, it will provide you with a passing grade or list of open issues that need to be resolved.

When scanning our hosting environments, the scanning tool will detect software version issues against the OS or application stack (such as MySQL, PHP, and SSH).

If you transmit or store cardholder data, the only company who offers a truly PCI compliant hosting solution is Rackspace, but be prepared to spend about $3500/month on hosting (since you’ll need multiple servers), a yearly contract, and a $3500 setup fee. Also note that you’re getting an extremely low-end server.

“Budget” hosting companies who claim PCI compliance are simply lying. Unless they can provide you with actual certification (which, when asked, they can’t), do NOT believe PCI compliancy claims.

Basically, PCI compliance is a “pay to play” system. Most either pay the non-compliancy fine or use third-party checkout systems such as PayPal, Google Checkout, etc.