Weak SSL Ciphers on Remote Server - Help?!

This topic is closed.

    We have a site owner, a hosting company and a payment gateway all in the mix. The hosting company and the payment gateway can pass on blame to the site owner if something breaches their systems. It's a rather failsafe way of operating a business. Can't think of too many businesses that can get away with such blame free methods.

    Does a server hack occur as often as Halley's comet appears, Simon, or more commonly than that? Once again, an area where you could state facts and not ramble on about how wrong people are. Paint the picture or we are all looking at a blank canvas, no matter how much you talk.

    Comment


      I think there is some confusion here between hacking of a site and PCI compliance:
      • PCI Compliance only applies to sites which collect card data, which means the actual numbers. If your site doesn't collect card numbers then it doesn't need to be compliant. PCI themselves make this crystal clear.
      • If your company collects card details (say over the phone) then you need to be PCI compliant (means of storage, PC network if used for storage etc), but your website still does not need to be if it doesn't collect card details or form part of the storage process.
      • If any website is hacked which leads to the skimming of card details by another website, the question of liability is an interesting one, however if your website doesn't need to be PCI compliant because it doesn't itself collect card details (see first point), then PCI compliance is wholly irrelevant.


      PCI compliance of websites which collect/store data, and liability of website owners whose websites do not require PCI compliance, but which are hacked, are two completely different issues.

      Aquazuro - designer stainless steel accessories

      Comment


        Actinic's version / interpretation: http://www.actinic.co.uk/services/pci-dss.htm

        Interesting comment made here: "Royal Bank of Scotland/Natwest/Streamline and HBOS have made clear statements that a merchant can depend on the compliance of their PSP. We are in the process of trying to obtain similar statements from other banks."

        And Simon posting a link to the PCI website that tells you what to check to ensure compliance is a bit pointless really; the debate is who is and who is not, not what to check for.

        Stop adding to the muddy waters and start solving them, cos you are not helping at all.
        Lee, I think he took your advice; not prepared to give his full name and company, so went off.

        Comment


          Originally posted by Darren B View Post
          Why Actinic? Your logic applies to others: PROTX, WorldPay, etc.

          I'm confused. So you agree every piece of software has some form of hole, I think we all accept that, but having a security scan then makes this all go away? So you passed it on Monday; cPanel / Plesk / Windows release a patch which has another hole in it on Tuesday. What happens for the next 3 months until your next scan? Are SM going to take the hit then? Well, they failed, not the website or the PSP.

          So what you are saying is all the banks should pull the plug on every company that has not had a security check carried out on their servers. Oh, and in reality shared hosting is not going to become compliant, so everyone needs to move to dedicated servers as well.
          The simple fat is simple: all ecommerce websites are required to pass PCI-DSS or they will be liable in the event of a security breach regardless of the payment method they use. I’m very sorry for you that in order to be compliant you need to maintain security, I’m sorry if that’s an inconvenience to you and I’m sorry that running an ecommerce site requires that you take security seriously and not simply assume you can pass the buck to your PSP.
          I simply used actinic as an example in the hope that someone from Actinic Payments would confirm who is liable in the event that a site is compromised, naturally the same applies to any other PSP.

          Originally posted by leehack View Post
          Simon, where people like yourself fail so miserably is communication. You come on here talking about things, which could all be true and something we should all take advice from, however you get people's backs up by trying to tell us how right you are and how wrong we all are.

          If what you say is true, then put your full name, your phone number, your email address, your company name and your web address for people to contact you and address any issues they may have. Anything less and you are not doing the job you think you are. Surely you have a moral and professional obligation to do this as a security expert?

          Stop adding to the muddy waters and start solving them, cos you are not helping at all.
          Well having looked at a vast selection of your posts Lee it's quite clear who it is that deems themselves always right never wrong. I would suggest your comments such as “where people like yourself fail so miserably is communication” and “you get people's backs up by trying to tell us how right you are and how wrong we all are” could be referred to as “pot calling the kettle” and perhaps it would be advisable that you take a look in the mirror.

          The fact is all ecommerce sites should be PCI-DSS compliant regardless of whether they use a PSP or not, and any site that isn't PCI-DSS compliant at the time of a compromise to their ecommerce site is liable. Any professional or self-proclaimed professional such as yourself advising clients otherwise should be held accountable, but sadly that would not be the case and it’s your clients who trusted and listened to your misinformed advice that would suffer the consequences.

          You ask me for the answer? The answer is simple: sign up to a scanning service and get your ecommerce store PCI-DSS compliant. It’s not even as if a scanning service would cost a single penny, even on a shared hosting environment.

          PS: Who said anywhere I was a security expert? I’m simply a site owner who has managed to pass PCI-DSS and now a user of these forums posting relevant information whilst not attacking other users in the process. Just because the penny has dropped for you that your advice is complete nonsense regarding a website's security and the need to be PCI-DSS compliant, that's not really my problem, but at least the penny has dropped and you will now be a little more informed when advising others.

          Comment


            Interesting, this is from Barclaycard's website:

            " I use other companies and suppliers to process card payments on my behalf and supply services. Does PCI DSS affect me?

            You are responsible for ensuring you are using a fully compliant solution for managing your card data which includes your third parties. If your data is breached or stolen as a result of one of your third parties you will be held liable for that data breach.
            Therefore any solution or service that is used by you to accept, process and/or store your customer card holder data must be compliant. It is your responsibility to ensure your supplier provides you with evidence of their compliance status and the compliance of their service or solution."

            Comment


              Originally posted by bcomp View Post
              Well having looked at a vast selection of your posts Lee it's quite clear who it is that deems themselves always right never wrong. I would suggest your comments such as “where people like yourself fail so miserably is communication” and “you get people's backs up by trying to tell us how right you are and how wrong we all are” could be referred to as “pot calling the kettle” and perhaps it would be advisable that you take a look in the mirror.
              Simple answer to this. Site of the Year 2008 (Edit. Sorry, that's 'The Specsavers Award' ).

              ---Edit---

              Thought I'd throw the rest in. Joint winner of the 'British Red Cross Award for Helpful Member to the Community' - very well deserved IMO. IMO the sites I have seen Lee develop are the best Actinic-based sites going, Atlantic Shopping, Quantum Electronics, Dude, etc.

              Originally posted by bcomp View Post
              You ask me for the answer? The answer is simple: sign up to a scanning service and get your ecommerce store PCI-DSS compliant. It’s not even as if a scanning service would cost a single penny, even on a shared hosting environment.
              Let me guess...you're getting commission from ALL of the 'security scanning' services???

              Originally posted by bcomp View Post
              PS: Who said anywhere I was a security expert? I’m simply a site owner who has managed to pass PCI-DSS and now a user of these forums posting relevant information whilst not attacking other users in the process. Just because the penny has dropped for you that your advice is complete nonsense regarding a website's security and the need to be PCI-DSS compliant, that's not really my problem, but at least the penny has dropped and you will now be a little more informed when advising others.
              Be a man and stop hiding behind your virtual hard-man act.

              Comment


                Originally posted by bcomp View Post
                The simple fat is simple
                I'm glad you cleared that up for me LOL

                The thing is Simon that you've kept everything about yourself a secret.

                This leads me to believe either:
                1. You are simply here to stir up trouble
                2. You are here to drum up business for some security check
                3. You're not entirely sure what you are saying is true
                4. You're a current member on this forum who knew his posts were going to piss people off and didn't want to affect any help you may need in the future

                Which one is it?

                Also, you do seem to be very much in the minority here and until you have proved what you are saying is true, members are going to follow the advice of established helpful guys like Lee.

                Army Gore-tex
                Winter Climbing Mitts
                webD's Blog: Website design, SEO and other ramblings…
                Twitter LinkedIN

                If you think a post is good, rate it!

                Find the answers in the Knowledge Base | Have you read the User Guides

                Comment


                  The fact that I have had a very successful Actinic design service for a good few years now is yet again testament to the rubbish you speak, I'd imagine, but don't take my word for it, speak to my clients. I think I did quite well in the recent forum votes for best of categories too.

                  Hmm, do I believe a new forum ID hiding his true identity or look at the facts in front of me? Hmm, I wonder.

                  The worst part of it all is that you use the weak line of 'not being bothered about security' type affair, everyone is bothered about security, it's the rubbish and utter muddy information around that confuses the whole thing.

                  Comment


                    Originally posted by webD View Post
                    I'm glad you cleared that up for me LOL

                    The thing is Simon that you've kept everything about yourself a secret.

                    This leads me to believe either:
                    1. You are simply here to stir up trouble
                    2. You are here to drum up business for some security check
                    3. You're not entirely sure what you are saying is true
                    4. You're a current member on this forum who knew his posts were going to piss people off and didn't want to affect any help you may need in the future

                    Which one is it?

                    Also, you do seem to be very much in the minority here and until you have proved what you are saying is true, members are going to follow the advice of established helpful guys like Lee.
                    A: I run a business which is called BComp, so nothing secret about that.
                    B: It operates as an ecommerce business using Actinic.
                    C: My name is Simon.
                    D: Where have I linked to or recommended any security scanning services? Here's one just in case (it's FREE): www.qualys.com
                    E: What advice would I require exactly from the know-it-alls here that know nothing?

                    Comment


                      Originally posted by bcomp View Post
                      Here's one just in case (It's FREE) www.qualys.com
                      Oh, information from a company selling ermmmm security scans, LMFAO. Give me your address, I bet I can sell you something on your doorstep.

                      Comment


                        Originally posted by Darren B View Post
                        Interesting, this is from Barclaycard's website:

                        " I use other companies and suppliers to process card payments on my behalf and supply services. Does PCI DSS affect me?

                        You are responsible for ensuring you are using a fully compliant solution for managing your card data which includes your third parties. If your data is breached or stolen as a result of one of your third parties you will be held liable for that data breach.
                        Therefore any solution or service that is used by you to accept, process and/or store your customer card holder data must be compliant. It is your responsibility to ensure your supplier provides you with evidence of their compliance status and the compliance of their service or solution."
                        And from this you're leaning towards perhaps becoming PCI-DSS compliant?

                        Lee, I have posted the facts, which are: if a site is compromised they are liable if they are not PCI-DSS compliant, and not their PSP which was not compromised. You choosing to ignore that is entirely your choice, but unfortunately it is your clients that will suffer should there be a security compromise with one of their sites, and not you.

                        Comment


                          Originally posted by bcomp View Post
                          And from this you're leaning towards perhaps becoming PCI-DSS compliant?
                          Keep up - I already told you what I had done, and also informed you that I have checked information; I have been for the last 18 months and as yet found nothing to tell me I have to become compliant. So I actually reckon I have more of an understanding on the subject than you do.

                          Admit it, you have not got a clue; however I notice you have yet to refute the information others and myself have posted that all clearly states it is not required.

                          When you come back with a compelling argument and factual statements let me know; until then I have work to do and shall not waste more time.

                          Comment


                            The scanning service we use runs daily, which is not required, but as it's free why not, and at the very least it offers peace of mind to us. We have not had a single issue for well over 2 months which required any attention; the last issue was:

                            Vulnerability: ICMP Timestamp Request
                            Qualys ID : 82003 CVE ID : CVE-1999-0524
                            Port : N/A

                            Diagnosis: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. It's principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.
                            Consequences: Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal systems clock should not be disclosed since some internal daemons use this value to calculate ID or sequence numbers (i.e., on SunOS servers).

                            Solution: You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.

                            However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks.

                            It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.
                            This took our hosts all of 2 minutes to resolve and for us to remain compliant. So far being compliant has not cost us a single penny, and surely, despite all the childish tantrums, being PCI-DSS compliant and resting easier in that knowledge is better than being liable for potentially a fortune?

                            Comment
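The filtering advice in that scan output (drop ICMP timestamp request and reply, types 13 and 14, at the firewall, but never block the ICMP messages a TCP/IP stack relies on) as a small packet-level policy checker, added here as an example and not part of the original post or of the Qualys report; the IPv4/ICMP parser, the Verdict class, the rule generator and the constructed sample packets are my own assumptions.

```python
import struct
from dataclasses import dataclass

# ICMP types the scan's solution says to filter at the firewall
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
FILTERED_TYPES = {ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY}
# ICMP types the same advice says must never be blocked (stack health)
KEEP_TYPES = {3: "destination-unreachable", 4: "source-quench",
              11: "time-exceeded", 12: "parameter-problem"}

@dataclass
class Verdict:
    action: str   # "DROP" or "ACCEPT"
    reason: str

def parse_ipv4(packet: bytes):
    """Return (protocol number, payload) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length honours IP options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return packet[9], packet[ihl:]

def icmp_verdict(packet: bytes) -> Verdict:
    """Apply the 'drop timestamp, keep the rest' policy to one packet."""
    protocol, payload = parse_ipv4(packet)
    if protocol != 1:                     # IP protocol 1 = ICMP
        return Verdict("ACCEPT", "not ICMP; outside this policy")
    if len(payload) < 4:
        return Verdict("DROP", "truncated ICMP header")
    icmp_type = payload[0]
    if icmp_type in FILTERED_TYPES:
        return Verdict("DROP", f"ICMP type {icmp_type} (timestamp) filtered, cf. QID 82003")
    if icmp_type in KEEP_TYPES:
        return Verdict("ACCEPT", f"{KEEP_TYPES[icmp_type]} is required by TCP/IP stacks")
    return Verdict("ACCEPT", f"ICMP type {icmp_type} allowed by default")

def iptables_rules() -> list:
    """Equivalent netfilter rules (numeric types avoid distro name differences)."""
    return [f"iptables -A INPUT -p icmp --icmp-type {t} -j DROP"
            for t in sorted(FILTERED_TYPES)]

def build_packet(icmp_type: int, code: int = 0, protocol: int = 1) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     protocol, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp

if __name__ == "__main__":
    for t in (13, 14, 3, 8):              # timestamp req/reply, dest-unreach, echo
        print(t, icmp_verdict(build_packet(t)).action)
```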


                              Simon, if you are who you say you are, give us a link to your Actinic ecommerce PCI-DSS compliant website and let us learn from you...

                              Army Gore-tex
                              Winter Climbing Mitts
                              webD's Blog: Website design, SEO and other ramblings…
                              Twitter LinkedIN

                              If you think a post is good, rate it!

                              Find the answers in the Knowledge Base | Have you read the User Guides

                              Comment


                                Where's GAViN when you need him??
                                www.parklifeclothes.co.uk

                                Parklife, Whitby

                                Diesel, Converse, Crocs, Quiksilver, Miss Sixty, Scotch & Soda, Bench, Levi's, Kickers

                                Comment
