Weak SSL Ciphers on Remote Server - Help?!

This topic is closed.
#46
Originally posted by GAViN™©:
You want to elaborate on what you mean?
We get quite a few orders per day every day as it happens.
The cert is there to give potential customers peace of mind. If it's available to us we might as well use it than not.

No. If you spend a few minutes looking you will find it as it's hiding in plain sight.

I have no idea how many orders you get a day with your site as it is, but I'll be willing to bet that you are leaving money on the table because you are focussing on unheard of & therefore pointless logos/certificates that don't register in the mind of the customer who is making the decision whether to purchase from your site or not. Getting 'on message' is far more important. Your site is also unbelievably thin on copy in its product descriptions, so plenty of work still to do IMO.

As Parklife has said:
Putting something like "secured by Tesco", for instance, would have more clout as it's a brand near enough all of us have heard of and trust.


#47
Originally posted by bamboo:
No. If you spend a few minutes looking you will find it as it's hiding in plain sight.

I have no idea how many orders you get a day with your site as it is, but I'll be willing to bet that you are leaving money on the table because you are focussing on unheard of & therefore pointless logos/certificates that don't register in the mind of the customer who is making the decision whether to purchase from your site or not. Getting 'on message' is far more important. Your site is also unbelievably thin on copy in its product descriptions, so plenty of work still to do IMO.

As Parklife has said:

Sorry, but how are we focussing on unheard of pointless logos/certs?
We need to keep PCI compliant, hence the reason for this post. Now that it has been sorted I won't be spending any more time messing around with it until our next scan and it returns further vulnerabilities.

Bear in mind that this site is purely run by myself only; it is updated and monitored by one person. For the income we receive from the site I'm sure many people would be happy with what we receive, although yes, there is always room for improvement.


#48
Originally posted by GAViN™©:
We need to keep PCI compliant, hence the reason for this post. Now that it has been sorted I won't be spending any more time messing around with it until our next scan and it returns further vulnerabilities.

Gavin, you've spent 2 days on the forum, and who knows how long before you posted, before you solved this problem. If SM throw up more vulnerabilities on their other scans, you could be in the situation where you have to write off 2 days every 3 months to be PCI DSS compliant.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.

Army Gore-tex
Winter Climbing Mitts
webD's Blog: Website design, SEO and other ramblings…
Twitter LinkedIN

If you think a post is good, rate it!

Find the answers in the Knowledge Base | Have you read the User Guides


#49
Originally posted by webD:
Gavin, you've spent 2 days on the forum, and who knows how long before you posted, before you solved this problem. If SM throw up more vulnerabilities on their other scans, you could be in the situation where you have to write off 2 days every 3 months to be PCI DSS compliant.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.

Gavin, you've spent 2 days on the forum
You make it sound like I'm on here all the time for the past two days.
I've spent, I reckon, max 2-3 hours on it, all in all, emailing our web host and SM to get the issues fixed.

If you'd gone down the PSP route you'd have to set it up and then... nothing, just process the orders. If your site becomes busy I doubt you'll have the time to stop processing purchases to bend to SM's will.
We actually do use a PSP for processing of orders.

In addition, you've gone to all this effort and the SM logo image is tucked away in the bottom left, so very few people are going to see it anyway, let alone follow the link to a page that IMO looks home made.
Unfortunately there is sod all we can do about the design of the page, that's up to SM, but I agree it does look lame. I think I may move the SM logo image elsewhere on the site that is more prominent.


#50
Originally posted by GAViN™©:
You make it sound like I'm on here all the time for the past two days.
I've spent, I reckon, max 2-3 hours on it, all in all, emailing our web host and SM to get the issues fixed.

Some of us are LOL. I didn't mean it to sound as if you were hounding people 24/7, but the site was not PCI DSS compliant for at least 48 hrs, so in theory you should have suspended ordering until it was sorted. I don't know many businesses that would be prepared to do that every 3 months, especially in today's climate.

Originally posted by GAViN™©:
Unfortunately there is sod all we can do about the design of the page, that's up to SM, but I agree it does look lame. I think I may move the SM logo image elsewhere on the site that is more prominent.

Yes there is, don't use them... Not the answer you were looking for I'm sure. I don't think moving the logo up is necessarily a good idea. You want customers to be hit with section titles and products first.

IMO the majority of online shoppers will assume that a professional looking site will be a safe place to enter their card details. People don't interrogate high street shops about how they handle card information, do they?

It's only other sellers or the paranoid that will be looking for reassurance, therefore you need to make yourself PCI DSS compliant in the simplest way you can.

IMHO


#51
We need to keep PCI Compliant hence the reason for this post.
Don't we all?
Use a PSP & the useless Security Metrics problems will go away and then you won't be wasting time doing this!

spending time messing around with it until our next scan and it returns further vulnerabilities.
See, you are even expecting the idiots to 'highlight' more vulnerabilities.

Bear in mind that this site is purely run by myself only, it is updated, monitored by one person
And how is this so different from most of the people on here?

Look Gavin. It really doesn't matter whether you spend 2 minutes or 2 days on Security Metrics, or worrying about whether your site seems to be secure in the mind of the customer who has just found the perfect Philips kettle she has been searching for on your site: it is your extremely valuable time WASTED.

If you simply lurked on here for an hour a day and then spent another hour implementing any 'best practice' you come across, and they are legion, your sales WILL go up and you can bin SM and all their vulnerabilities for good.

Here's a clue to the unique selling proposition or value proposition you hide on your website that would allay the fears of the majority of your customers if you had it 'front & centre' instead of the silly SM logo.
http://royal-enfield.com/


#52
Originally posted by grantglendinnin:
I must be psychic, I knew I was getting that answer!

Have a search around the forum for 'Security Metrics'.

You're so misinformed about what Security Metrics actually does. Security Metrics doesn't come up with the vulnerabilities that companies need to be flagged for; it's determined by PCI (Payment Card Industry), which was developed by all the major credit card companies to follow. For more information, since you have none, go to www.pcisecuritystand.org. So they decide what to scan for and we are just the third party company that does the scanning for them. Plus our company isn't the one requiring anyone that accepts credit cards as a form of payment to become compliant, it's their bank. So any money charged is not by us but by the banks themselves. So get your facts straight first.


#53
Originally posted by bamboo:
Don't we all?
Use a PSP & the useless Security Metrics problems will go away and then you won't be wasting time doing this!

That is what I thought until I was informed that is not correct. We use a PSP (Secure Hosting) for our payments, but your site itself still needs to be PCI compliant; this is what Barclays Bank told us. No offence here, but I tend to believe them.


#54
Lmfao - who in their right mind believes anything banks say these days - they have been shown to be the biggest bunch of muppets in business history.


#55
Originally posted by RuralWeb:
Lmfao - who in their right mind believes anything banks say these days - they have been shown to be the biggest bunch of muppets in business history.

Not me. Nor will I apologise for someone who comes and makes a fool of himself representing SM. You'd honestly think somebody employed by the Government would do things professionally.
Last edited by cbarling; 25-Feb-2009, 12:10 PM. Reason: Remove abuse


#56
Whether you believe them or not, it was a case of us having to go with PCI compliance on the webserver even if we do use a PSP for taking customer card details; otherwise the bank would not agree to let us use them.

Just out of curiosity, how many sites that people have on here are one man bands or actual businesses who employ x amount of employees?

Don't forget we are a distributor for Philips so we have to go through the correct channels; a Joe Bloggs who creates sites for small businesses in their home office can (if they so wish) skip certain procedures, and have more flexibility as to what they can and cannot do.


#57
Gavin,

PCI-DSS compliance has been mandatory since April 2008. The bank are well within their rights to refuse your business if you are not PCI-DSS compliant. It's bordering on shameful that they refuse your business without signing up to Security Metrics.

To be perfectly honest, I'd be more worried that they'll screw you over than you screw them over.


#58
The problem seems to be Barclays targeting their customers with what feels like blackmail techniques: whether or not you use a PSP and are compliant or not, you must notify Security Metrics anyway. The emails we have received have no contact for Barclays, only that of Security Metrics, and having replied to both emails I have heard naff all.
My apparent deadline set by Barclays expires on Thursday this week so we'll see what happens, they might set GAViN on me!!!
www.parklifeclothes.co.uk

Parklife, Whitby

Diesel, Converse, Crocs, Quiksilver, Miss Sixty, Scotch & Soda, Bench, Levi's, Kickers


#59
Well SM can go away - the three clients I had using Barclays have now moved to Actinic Secure Payments which is far far better. I suspect that Barclays will lose more clients than they keep with these bully boy tactics by SM.

I used to recommend Barclays as a PSP but no more. And Gavin, the one man bands you talk about are Barclays' bread and butter - all my clients made more than most of the banks did last year and I suspect more than you as well, so don't come on here slagging off other Actinic users and designers, many many of whom have helped you over the years.


#60
It also shows how the banks still do their best to control other people's businesses yet don't have a clue about controlling their own.

Unfortunately banks never lose, just get public money to bail them out and still get silly bonuses!!