
Weak SSL Ciphers on Remote Server - Help?!

This topic is closed.

    What does it achieve looking at my site? It achieves nothing. As for learning, surely the fact that you are now even slightly considering the ramifications for your own business or your clients' business is enough, and if any of you now take security seriously, and do not simply assume that the responsibility for your business lies with a third party, then that is more than enough of a wake-up call.

    The simple fact here is that all anybody needed to do was call or email your PSP support and ask whether they are responsible in the event that your site is compromised via some form of hack, a customer's details are captured using some form of script injection, the customer is presented with a phony payment phishing page, and their details are then used fraudulently. Who is responsible? You would all have the answers. So many here are so confident they already have them, and therefore I have no idea why they are so upset.

    Comment


      Hope you're not sitting in the security-scanning firm's offices. vBulletin has an inbuilt IP tracker, and I'm surprised Actinic haven't already clicked on to your evident tirade against Actinic Payments and the use of Actinic software.

      This is almost like a History lesson, where the lecturer says "On April 30th 1945, Adolf Hitler committed suicide after learning of the advances made towards Berlin". The kid asks "How do you know he killed himself?" "Because I do".

      That's the same scenario you're giving - without proof of what you have to say, your revolution is neither here nor there.

      Comment


        People in glass (or is that dolls, Simon?) houses shouldn't throw stones.

        Comment


          How topical, I just got yet another email from Barclays:

          Dear Sir/Madam,

          Further to our previous communications regarding the requirements of the Payment Card Industry Data Security Standard (PCI DSS) programme, you need to inform us urgently of the steps your business is undertaking to become compliant under the rules of the scheme.

          If you require any further information about PCI DSS compliance and your obligations under the scheme, please cut and paste the following link into your browser:

          http://www.barclaycardbusiness.co.uk...y/pci_dss.html

          Why you need to be Compliant
          If your business is found to be non-compliant with PCI DSS and customer data which you or your third parties have handled is proven to have been compromised, stolen or used fraudulently, you are liable to receive fines from Visa and MasterCard , in addition to facing substantial costs for forensic investigations, issuer losses, and reputational damages.

          What you need to do
          If you have already completed a Self Assessment Questionnaire or used an alternative Qualified Security Assessor, please send your evidence of PCI DSS compliance by email to pci.barclaycard@securitymetrics.com, attaching the relevant documents that prove your compliance including your self assessment questionnaire v1.2 A, B, C or D, and network vulnerability scans if you have an e-commerce presence.

          Need help?
          Our accredited partner, SecurityMetrics, can help you complete your SAQ. To enrol simply click on the link from the Barclaycard website in the useful links section. Please note a small charge applies for this service.

          Alternatively, if you would like to contact a Qualified Security Assessor (QSA) to help you complete your assessment please visit https://www.pcisecuritystandards.org...i_qsa_list.pdf

          For further information or advice please call our accredited partner SecurityMetrics on 0844 561 1662* (lines open 09.00am to midnight Mon-Fri. Please have your Merchant Identification number to hand when you call).

          Regardless of whether you enrol with SecurityMetrics for their technical services or just notify them of your compliance status, we ask that you please respond to them by February 19, 2009.

          We thank you for your cooperation in making credit card transactions more secure for you and for your customers.

          Yours faithfully,



          PCI DSS Programme Director
          Barclaycard
          www.parklifeclothes.co.uk

          Parklife, Whitby

          Diesel, Converse, Crocs, Quiksilver, Miss Sixty, Scotch & Soda, Bench, Levi's, Kickers

          Comment


            Simon

            I don't agree, and you have failed to answer any questions put to you. Please go and annoy another forum with your wild claims. You have been asked to back up what you say, not because people are considering it but because people know you're talking rubbish.

            The knowledge on this forum heavily outweighs yours, and as such I doubt anyone would be taking you seriously.

            Comment


              ...assume the responsibility of your business lies with a third party...
              Of course that's what you do when you rely on an external firm to tell you daily that you're PCI DSS compliant. What if your compliance checker itself is hacked / erroneous / incompetent / fraudulent?
              Norman - www.drillpine.biz
              Edinburgh, U K / Bitez, Turkey

              Comment


                Blimey!
                "Mr Know All Hack"
                I like this term, even if it's meant to be derogatory.
                Lee has helped more people with his no-bullshit, 'call a spade a spade' approach to answering some truly inane questions. He, along with many, many others, does this day in, day out for no financial recompense.

                He doesn't need defending but I thought I'd chip in anyway.

                Comment


                  OK, I had a short email from the PCI DSS council, and this is what they said to my question about ecommerce sites using a PSP and the need for PCI DSS:

                  "All merchants who store, process or transmit credit card data must be PCI compliant. However, PCI does not manage the merchants' compliance. This is done at the credit card brand level. I would recommend you go to the credit card brand websites for that type of information."

                  So I presume this would mean my merchant service provider (Streamline in my case) or Visa and MasterCard, who all say it is not required.

                  And Streamline tell me this:

                  "If you use a PSP and your integration method means that your web shop software and back end systems do not store the card data on your systems, then compliance with the standard will be undertaken by your PSP. You should ensure that they are compliant or working towards compliance.

                  However, Streamline would recommend that you still carry out a review of your general data security practices on a regular basis.

                  However, if you use a PSP but your integration method still enables you to capture the card details on your web shop software and back office systems, then you will still need to comply with the standard. If you have any doubt on the nature of your PSP integration, please contact your PSP to confirm your type of integration and whether the standard applies to you.

                  If you also process face to face and/or MOTO transactions, it is likely that you will need to become compliant with PCI DSS irrespective of your PSP integration method."

                  But I guess, Simon, this is all wrong as well?

                  Comment


                    Originally posted by NormanRouxel
                    Of course that's what you do when you rely on an external firm to tell you daily that you're PCI DSS compliant. What if your compliance checker itself is hacked / erronous / incompetent / fraudulent?
                    It would be their responsibility.

                    Comment


                      Bloody hell.
                      I've just Googled "bcomp pci compliance" and page 7 of this thread is already top of the search.

                      Comment


                        Visa's take on the situation:

                        http://www.visaeurope.com/documents/...ants_guide.pdf

                        Quote:

                        "For example, if you do not actually store any cardholder account data in your own systems, it will be up to any payment service providers that process transactions or access card data on your behalf to validate compliance."

                        Aquazuro - designer stainless steel accessories

                        Comment


                          It would be their responsibility.
                          Now here's a chance to prove that. Please post an authoritative statement from a compliance checker stating that they would indemnify their customers against all losses caused by their errors or omissions. I bet you'll find terms and conditions stating just the opposite.
                          Norman - www.drillpine.biz
                          Edinburgh, U K / Bitez, Turkey

                          Comment


                            Good point. I suspect they will have the same clauses as an MOT station, in that 20 seconds after your car passes an MOT your wheel can fall off and your brakes can fail with little or no comeback. How could a free service ever indemnify you against anything? The whole thing seems to be one big farce: it came into force 10 months ago, thousands are not doing it, and who has heard of anyone getting caught by it yet? Anyone?

                            Comment


                              I'm closing this thread.

                              There are a number of good points made by all of the parties contributing.

                              However, unfortunately the tone of many of the postings was more conducive to heat rather than light.

                              I've now edited the thread to remove the off topic comments and insults. I've tried to keep the gist of what everyone said, if I've misinterpreted anyone, please email me at cbarling (at) actinic.co.uk and I will endeavour to put it right.

                              If we continue in a new thread, please can we conduct the discussion without the personal abuse?

                              Chris
                              Actinic

                              Comment


                                Please see http://community.actinic.com/showthread.php?t=41266

                                Chris

                                Comment
