Announcement

**TraceyG** · 25-Jul-2008, 08:22 AM

Hi,

I'm afraid not. The options you tick in the 'Credit Card Capture Configuration' window make them required fields, so if you tick the 'start date' and 'issue no' for Switch then your customers will have to fill in both options. Your only alternative would be to use a Payment Service Provider (but not Paypal Pro which uses our payment form).

**Mike Hughes** · 25-Jul-2008, 08:35 AM

Richard,

You really need to find another method of processing cards. The card issuers no longer allow details to be taken online unless the method used is PCI-DSS compliant.

The only PCI-DSS compliant way of processing cards using Actinic is with a payment service provider such as protx, secpay, actinic payments, etc.

Mike

**Richardpixel** · 25-Jul-2008, 09:44 AM

Thanks for the responses.

Problem is that the client is using Paypal Pro. I could try to convince them to change I guess.

Cheers!

**Mike Hughes** · 25-Jul-2008, 10:36 AM

Your only alternative would be to use a Payment Service Provider (but not Paypal Pro which uses our payment form).

I really am shocked by this. So actinic spent all this time and effort on integrating a new payment scheme in a way that is not acceptable to the credit card providers?

I think Actinic has to take some responsibility for ensuring their customers achieve PCI-DSS compliance. At the very least I'd expect them to put warnings on non-compliant services now and phase them out over 6 months or so to ensure thay aren't used out of ignorance.

Mike

**TraceyG** · 25-Jul-2008, 10:59 AM

I think Actinic has to take some responsibility for ensuring their customers achieve PCI-DSS compliance.

The comment I made about not using PPP was nothing to do with PCI-DSS compliancy, it was just that the 'direct payments' part of PPP uses our credit card form so they would still have to set up the card options as he describes above. The payment is then authorised by PayPal in the background but you stay on the merchant's site. The 'Express Payments' side of PPP takes to off the merchants site and over to the Paypal servers.

**Mike Hughes** · 25-Jul-2008, 11:43 AM

Hi Tracey,

I know you didn't mention PCI-DSS but you did say not to use PP Pro as that uses the actinic form. I'm assuming that the form is presented on the merchants website which means it's extremely unlikely it will be PCI-DSS compliant.

This naturally leads to thoughts about why Actinic is still promoting PP Pro as a viable solution (not you, here, but on the actinic website) and hence the kind of problem we have like this where someone wants to use PP Pro even though it appears they shouldn't be.

Mike

**pinbrook** · 25-Jul-2008, 01:03 PM

I have been asking Actinic to confirm how PPP would be PCI compliant ever since it was released. Each time i asked I was left with a big silence, hence i drew my own conclusion that it could never be and this fact was being conveniently pushed under the carpet.

**pinbrook** · 25-Jul-2008, 01:37 PM

I think Actinic has to take some responsibility for ensuring their customers achieve PCI-DSS compliance.

it is the merchants responsibility to acheive compliance - this can not be passed to actinic or hosting. There is more to compliance than a website.

IMO The whole PCI thing has been grossly mismanaged by the banking industry, with little directive and useful readable documentation to help small business owners.

Please do not get me started on SM

**Mike Hughes** · 25-Jul-2008, 02:00 PM

it is the merchants responsibility to acheive compliance - this can not be passed to actinic or hosting. There is more to compliance than a website.

You're right of course. There is much more than that.

At the most basic level though, everyone using actinic is going to be taking orders online and I think it is wrong of Actinic to provide payment options that are not PCI-DSS compliant.

As for promoting something like PP pro that isn't compliant, if I was a customer who signed up only to be told that I shouldn't be using it I'd be rather unhappy to say the least.

Maybe the Actinic plan is to wait a while for Actinic Payments to prove itself and then disable the other options. I do hope so.

Mike

**pinbrook** · 25-Jul-2008, 02:02 PM

At the most basic level though, everyone using actinic is going to be taking orders online and I think it is wrong of Actinic to provide payment options that are not PCI-DSS compliant.

As for promoting something like PP pro that isn't compliant, if I was a customer who signed up only to be told that I shouldn't be using it I'd be rather unhappy to say the least.

agreed, this is why i kept asking how PPP would be compliant - and never got a reply - maybe now it is being discussed Big A will clarify

**TraceyG** · 25-Jul-2008, 02:22 PM

At the most basic level though, everyone using actinic is going to be taking orders online and I think it is wrong of Actinic to provide payment options that are not PCI-DSS compliant.

As for promoting something like PP pro that isn't compliant, if I was a customer who signed up only to be told that I shouldn't be using it I'd be rather unhappy to say the least.

I am trying to get some comments on this to clear it up once and for all

**Mike Hughes** · 31-Jul-2008, 08:04 AM

I am trying to get some comments on this to clear it up once and for all

And the answer is?

**Darren B** · 31-Jul-2008, 08:09 AM

A big silence as Jo has mentioned previous

**jont** · 31-Jul-2008, 08:16 AM

At the very least a simple warning box when selecting non compliant options should warn the user with a link to further information.

Announcement

Issue number/start date - different method?

Issue number/start date - different method?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment