Announcement

**guccij** · 27-Jun-2013, 03:48 PM

Do you capture credit card details? Or do you use a PSP? The former isn't PCI compliant. The latter is.

**Duncan Rounding** · 27-Jun-2013, 03:51 PM

By accepting credit card details online on your own server (even with SSL) you will find it virtually impossible to be compliant. I would suggest you get a PSP to process the card payments asap. Talk to Sellerdeck about card processing using their compliant service.

**guccij** · 27-Jun-2013, 03:53 PM

Ah. You *do* capture credit card details. It is unlikely that you can pass a scan while you continue to do this.

The rules changed about three years ago.

Best get a PSP if you want to be compliant. Plenty out there to choose from.

**Laylah** · 27-Jun-2013, 05:12 PM

It's not worth it?

Given the low number of CC transactions -v- Paypal, the cost of the terminal for offline processing etc. . . . added to which the hassle of PCI DSS compliance I think I'll just stop taking CCs.

By the way I passed the scan last month and have done so every month for the last 18months . . . but trustwave have confirmed to me they have just expanded/modified their scans without giving any real notice to anyone!

When I queried it they said referred me to http://blog.spiderlabs.com/2013/06/t...e-25-2013.html

**cbarling** · 01-Jul-2013, 08:43 PM

Sad to tell you, but ypou've probably been breaking the rules all along.

SellerDeck Payments is only �120 + VAT per annum, and you don't need an SSL certificate so there's a saving there immediately.

Chris

**Laylah** · 01-Jul-2013, 11:03 PM

Hmm!

a) You don't say why you think I have been breaking rules (or even explain which ones) . . . but then you promote your own payment solution???

b) Nobody has answered the original question . . . where are details stored on a site?

There are plenty of alternatives if I want to simply throw money at it without resolving exactly what is happening with the scans etc. and where I am failing (or getting false positives!!!!)

**cbarling** · 02-Jul-2013, 06:17 AM

Sorry, excuse the terse reply but I said the same things on PCI DSS so many times over the years.

It's well worth reading the article on the SellerDeck web site on the subject and which can be found in the payments section.

To answer your specific questions:
- the card schemes require you to identify ecommerce payments separately. If you're re-keying your ecommerce card payments into a virtual terminal or PDQ machine (an assumption by me, I know), you are breaking the rules
- the full PCI standard applies to anyone accepting cards on their site, although the rigour with which the standard is being checked varies according to which level you are classified in. So, for instance, if an unsupervised cleaner is ever in the office where your PCs are ( or your son etc etc) then you are breaking the rules. Believe me, you will be breaking the rules. The problem is if a data breach is ever traced back to you, you will be put out of business
- card details are held encrypted on the SellerDeck web site until the next download, they are not stored on the web site after that. We recommend that no-one uses this method

Chris

**Mike Hughes** · 02-Jul-2013, 06:29 AM

Hi Chris,

While not disagreeing with the thrust of your position re pci-dss this bit is not necessary correct.

the card schemes require you to identify ecommerce payments separately. If you're re-keying your ecommerce card payments into a virtual terminal or PDQ machine (an assumption by me, I know), you are breaking the rules

Some virtual terminals let you specify whether the transaction is ecommerce, moto, etc.

Mike

**Laylah** · 02-Jul-2013, 08:25 AM

Original question still not answered

> - card details are held encrypted on the SellerDeck web site until the next download, they are not stored on the web site after that. We recommend that no-one uses this method

That then begs the question why, if you are convinced it leads to non-compliance do you offer it to your customers? Doesn't that make you an accomplice for facilitating it?

Trustwave don't have an issue with the my current procedure . . . capture and key into a terminal as long as all the other procedures are secure and compliant.

Sorry but for the third time of asking you you still don't state where on the site the encrypted data is stored?

Trustwave have asked me to tell me them where on the site the encrypted data is stored I'd really like to to answer their question.

**Mike Hughes** · 02-Jul-2013, 09:48 AM

For PSP payments, the payment confirmation details are stored in files with a .occ extension. I'd be surprised if the same files aren't used for the 'capture details online' process.

These files are usually stored in the /acatalog/ folder.

It shouldn't be a major task to look at your server and see what's sitting there when an order arrives.

Mike

**saucysal** · 02-Jul-2013, 11:15 AM

Not just trying to promote Sellerdeck

The advice to use a psp applies regardless of which psp it is. We use SagePay and use it exclusively. Many years ago we captured card payments online with ssl, and used a physical terminal. We now do not need a terminal, so are saving on the rental. A few years ago we took it a step further, no longer accepting orders offline. So now we do not access or handle anybody's payment details, and can self-declare pci compliance annually at no cost. Otherwise we would have to have our computers, office systems, server, etc audited annually at great cost. Our customers benefit in that they can be confident to making payments with us as they know we do not handle or access any payments, their details are not seen by any human being anywhere, and their details are not stored in any form anywhere. There is nothing to hack into.

Sarah

**NormanRouxel** · 02-Jul-2013, 11:38 AM

why, if you are convinced it leads to non-compliance do you offer it to your customers

It's mainly a relic from days prior to PCI DSS (SD / Actinic has been around long before the PCI existed).

However there are many other countries in the world other than the UK and there may still be places where it's allowed or the "Credit Card" isn't a PCI one but perhaps a traders private card scheme. Etc.

**mje** · 02-Jul-2013, 12:14 PM

That then begs the question why, if you are convinced it leads to non-compliance do you offer it to your customers? Doesn't that make you an accomplice for facilitating it?

Using your argument that makes BMW liable for my speeding tickets?

You need to sort it one way or another as they fine quite heavily for non-compliance...

**cbarling** · 03-Jul-2013, 09:07 AM

The comments made here are correct.

The ability to capture card details on your site dates from back to 1996 and when we were the only ecommerce package that encrypted card details as a matter of course.

However, for many years we have been recommended that people use a PSP, in fact we introduced our payments service initially as our response to PCI DSS. We specifically designed the entry level package to replace Shared SSL, which we withdrew. This cost us business and reduced our margins, but it was the right thing to do.

Should we update the latest version so that you can't capture card details directly? Maybe, but it is theoretically possible to be PCI DSS compliant and it's up to our customers what they do.

Chris

Announcement

PCI DSS compliance

PCI DSS compliance

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment