#16  12-Dec-2009, 12:47 PM  trafford (Dave Kelly), Registered User
That's what I thought. So basically anyone could tick yes to everything they want to hear and we're hunky dory. Not exactly 'policed' in any way then, is it, lol. Well, this should be a breeze then; they're calling me back Monday to arrange the scanning side, one change to our mail order form so I can slice off and shred customer details and I'm done. Thanks for the replies.
#17  14-Dec-2009, 08:59 AM  cbarling (Chris Barling), Administrator
It's true that merchants are classified into levels, the majority of Actinic customers being level 4 merchants. At this level you "self certify". However, the actual PCI DSS requirement is the same.

This is a sort of contradiction, which is one of the reasons for confusion.

So yes, if you have the correct procedures in place, as a relatively low volume merchant all you have to do is state that you have them.

If, however, any breach is ever proved, you automatically become a level 1 merchant. Compliance activities at this level will put pretty much everyone out of business. Creditcall (Actinic Payment's backbone provider) announced at the Actinic conference that it cost them over £250k to comply.

Chris
__________________
Co-founder, SellerDeck

#18  14-Dec-2009, 09:41 AM  Mike Hughes, Registered User
I'd have to assume that the level 1 compliance costs for Creditcall are significantly higher than they would be for the rest of us because they store and process credit card details on computers and systems that are widely interconnected with public access.

To make these systems safe, verify and test them, put secure systems and procedures around them, document and audit is going to be far more expensive than doing the same thing for a simple paper procedure.

But Chris is making a valid point. The whole point of PCI-DSS is to ensure companies that handle credit card details do so responsibly and safely. Clearly self-certifying isn't policed, but you won't be able to deny awareness or responsibility if any breaches do occur.

As far as I can remember there are significant fines for breaches as well as tighter certification requirements.

Mike
#19  13-Jan-2010, 08:52 PM  Mark H (Mark Hall), Registered User
"If, however, any breach is ever proved, you automatically become a level 1 merchant"

I've come a bit late to this discussion. Say a merchant is currently level 4, validation 4, SAQ C, passes all web transactions to a PSP, but is 4/4/SAQ C because they have chosen to use the PSP's virtual terminal as well (but does not collect card details on their own website).

If a breach is proven as a result of a failure related to the more stringent requirements of SAQ C over SAQ A, and the merchant automatically becomes level 1, is the worst that can happen (apart from fines etc) that the merchant has to "become SAQ A" ie stop using the virtual terminal?

Or is this outcome really so bad (including fines etc) that it really isn't worth using the virtual terminal from the start, avoiding SAQ C and sticking with SAQ A??
#20  14-Jan-2010, 09:14 AM  Mike Hughes, Registered User
"Level 1" compliance means level 1 - fully audited. Not level 4 in any flavour.

At the end of the day this is a commercial agreement between two companies. The penalties you face depend on how badly the card companies view your breach.

Mike
#21  14-Jan-2010, 04:23 PM  Mark H (Mark Hall), Registered User
Daft question probably, but how do you arrange to get scanned if you don't have a fixed IP address (like most of us...)?

Also, any more on the "scanned until compliant" thing? I would have thought that compliance was a "regular, forever" process of testing even when you become compliant.

Also (sorry), has anyone considered/implemented a page on their site which allows a customer to enter an amount and address, then get taken to the PSP to enter their card details? This might get round the MOTO problem for us, since most MOTOs are done because we are dealing with non-standard amounts on products which aren't on our site (e.g. special orders). So we tell the customer the amount and tell them to go and pay for it on a certain page?
#22  14-Jan-2010, 04:36 PM  Duncan Rounding, Administrator
I've done this for PayPal and Nochex (http://www.paysecurely.co.uk); you could use that as a backup under those circumstances perhaps.
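Mark H's "enter an amount and get sent to the PSP" page and Duncan's paysecurely pages rest on the same pattern: the merchant's page collects only an amount and an order reference and hands the customer over to the PSP's hosted page, so card details never touch the merchant's own server (the SAQ A position the thread keeps coming back to). The Python below is an added example to illustrate that pattern; it is not code from this thread, from SellerDeck/Actinic, or from any real PSP. The endpoint `https://psp.example/hosted-payment`, the field names, the `|`-joined HMAC-SHA256 signature and the shared secret are all assumptions standing in for whatever a real provider's integration guide specifies. It shows the part the merchant still controls: validating the amount server-side, signing the request so the customer cannot alter the amount on the way to the PSP, and verifying the signed parameters that come back with the same check.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, not a real provider's integration: the hosted-page URL, the
# field names, the "|"-joined HMAC-SHA256 signature and the shared secret are
# placeholders for whatever the PSP's own guide specifies.
PSP_HOSTED_PAGE = "https://psp.example/hosted-payment"
PSP_SHARED_SECRET = b"replace-with-the-secret-the-psp-issues"
CURRENCY = "GBP"
MAX_AMOUNT = Decimal("5000.00")          # cap on what a web visitor may submit
SIGNED_FIELDS = ("merchant_ref", "amount", "currency", "nonce")


def parse_amount(raw: str) -> Decimal:
    """Validate a customer-typed amount server-side; never trust the form."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite():               # reject NaN/Infinity before comparing
        raise ValueError("amount is not a finite number")
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValueError("amount out of range")
    if amount.as_tuple().exponent < -2:      # 12.345 would otherwise be rounded silently
        raise ValueError("amount has more than two decimal places")
    return amount.quantize(Decimal("0.01"))


def amount_problem(raw: str) -> Optional[str]:
    """The validation error message for an amount, or None if it is acceptable."""
    try:
        parse_amount(raw)
    except ValueError as exc:
        return str(exc)
    return None


def _sign(fields: Dict[str, str], secret: bytes) -> str:
    # Fixed field order plus a separator the fields may not contain, so two
    # different requests can never canonicalise to the same signed string.
    canonical = "|".join(str(fields[name]) for name in SIGNED_FIELDS)
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_payment_redirect(raw_amount: str, merchant_ref: str,
                           secret: bytes = PSP_SHARED_SECRET) -> str:
    """Return the URL the customer is sent to. Card details are entered on the
    PSP's hosted page, never on the merchant's site."""
    if not merchant_ref or "|" in merchant_ref:
        raise ValueError("merchant_ref must be non-empty and must not contain '|'")
    amount = parse_amount(raw_amount)
    fields = {
        "merchant_ref": merchant_ref,
        "amount": f"{amount:.2f}",
        "currency": CURRENCY,
        "nonce": secrets.token_hex(8),       # makes each payment request unique
    }
    fields["sig"] = _sign(fields, secret)
    return PSP_HOSTED_PAGE + "?" + urlencode(fields)


def verify_psp_callback(params: Dict[str, str],
                        secret: bytes = PSP_SHARED_SECRET) -> bool:
    """Check the signature on parameters the PSP posts back (or that the
    customer carried to the PSP). A tampered amount fails here."""
    try:
        expected = _sign(params, secret)
    except KeyError:                         # a signed field is missing
        return False
    return hmac.compare_digest(expected, params.get("sig", ""))


def redirect_params(url: str) -> Dict[str, str]:
    """Split a redirect URL back into its fields (what the PSP would receive)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    url = build_payment_redirect("12.5", "ORDER-1001")
    print(url)
    print("signature valid:", verify_psp_callback(redirect_params(url)))
```

The signature only proves the fields were not altered in transit; the callback handler should still look the `merchant_ref` up in its own order records, compare the returned amount with the amount it stored when it built the redirect, and accept each nonce once, so a captured callback cannot be replayed.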
#23  14-Jan-2010, 05:32 PM  Mike Hughes, Registered User
Quote:
Also, any more on the "scanned until compliant" thing? I would have thought that compliance was a "regular, forever" process of testing even when you become compliant.
The scans until you're compliant bit just means that if you fail you can run repeated scans until you sort out the problem. After that it's done quarterly.

Mike
#24  14-Jan-2010, 06:34 PM  Golf Tee Warehouse (Darren), Registered User
How often do other Streamline users get a scan done? Their own PCI-DSS Merchant Guide (http://www.streamline.com/downloads/PCIDSSGuideV3.pdf) states that for Level 4 merchants they require a 'Vulnerability scan at least annually', but when completing the SAQ C, Question 11.2 asks 'Are internal and external network vulnerability scans run at least quarterly'.
__________________
Darren Guppy
Golf Tee Warehouse
#25  15-Jan-2010, 09:26 AM  Mark H (Mark Hall), Registered User
Quote:
Originally Posted by Duncan Rounding
I've done this for PayPal and Nochex (http://www.paysecurely.co.uk); you could use that as a backup under those circumstances perhaps.
Hmm. Thanks Duncan, I like that. The problem I can foresee is that the people who phone for MOTO often do so because they don't like/trust putting their details into a website. For us to then tell them to go to a payment page because "it's more secure" isn't going to wash at this stage of the development of ecommerce.
#26  15-Jan-2010, 10:50 AM  cbarling (Chris Barling), Administrator
I suggest a quick re-read of my article referenced in the root of this thread (and below).

Quote:
Security Metrics and other providers can provide the external scan for the third case (Type 4 / SAQ C) at a reasonable cost, even if you are connected to the Internet by broadband and don't have a fixed IP address.
From a sales perspective, it's much better to get the payment details while you are on the phone. This can be done safely and easily using a virtual terminal, you just need to follow the correct procedure.

Actinic ourselves use a virtual terminal. We had an external scan from Security Metrics, we run virus checkers on every PC. We also use several anti-spyware products. We followed the procedure that I outlined. Job done.

See http://www.actinic.co.uk/services/pci-dss.htm .
Chris
__________________
Co-founder, SellerDeck

#27  14-Feb-2010, 09:09 PM  glendower (Peter), Registered User
Do I need PCIDSS

We have a B&B and have a PDQ connected to a phone line. I do CNP over the phone and face to face transactions. We have no staff.

I also deal with firms like Laterooms & bookings.com who send me faxes with CC details, but not the 3 digits from the reverse of the card. If I need these I log onto their site and get them.

Do I need to go through the PCI DSS system, and if so which level/type am I?
#28  15-Feb-2010, 07:05 PM  simonwar (Simon Warren), Registered User
Yes you will.

My wife has a PDQ from Barclays and has recently been informed of an increase in transaction percentages if she does not comply, all of this after being told by them that she didn't have to do it?

If you only swipe cards using someone else's PDQ, e.g. Barclays/HSBC, etc. and do not collect any information whatsoever, the compliance form is quite straightforward (2 forms: #1 Version 1.2 and #2 SAQ A v1.2).

However as someone is sending you paper copies of details, the problem on security etc grows, and you will have to select a different form, see here for overview.
https://www.pcisecuritystandards.org...ions_dss.shtml


All that being said , for £12 pa, these people
https://www.pcisecuritystandards.org/index.shtml

will do it for you over the phone and set you up with a web link to fill in the correct form electronically with your own password etc. It's a Yes/No form with instant RED/GREEN acknowledgment of your answers, so you can get on with it and get a green light straight away (assuming your systems and procedures comply; else you have to submit an action plan of improvements etc.).

To be honest it's £12 a year - do it IMO?

OK £12 pa feels like a TAX, but what are you gonna do? Well what you can do is sign up for 1 year and simply "learn by example" what these guys tell you for subsequent years assuming no changes in your procedures or setups, and then do it yourself.

Simon.
#29  18-Feb-2010, 08:48 AM  EdHarrison (Ed Harrison), Registered User
Vulnerability scan

Started the process yesterday and the scan showed 4 issues, all to do with open SSH, with strange solutions I am yet to investigate.

The bottom line says non compliance - quite worrying as there seems to be no proper guidelines or indeed how long I have before losing the ability to take card payments!
#30  18-Feb-2010, 09:14 AM  Golf Tee Warehouse (Darren), Registered User
I assume this was a scan of the office network and not the website.