anyone passing security metrics scans?

    #16
    Originally posted by cbarling
    At the risk of repeating myself:


    I agreed this with the PCI DSS Director at Barclays.


    There is a more detailed version of this elsewhere on the community if you search.

    Chris
    This was news to me. I knew that this was your "understanding" (post of the 24th Feb); I missed the post where you had agreed this with Barclays.
    However, I reread Gavin's post, contacted SM, and they cancelled our website scan without question. I feel the effects of aspirin without having taken one!

    Thanks for the replies, they have helped me out, big time!
    thanks
    Mark



      #17
      Originally posted by cbarling
      I would advise against, as it gives a false sense of security. Just because you pass the test doesn't make you secure, and if you use a compliant PSP you do not need to pass these tests at your web site.

      Just to be clear, if you pass the test, and someone hacks into your site and starts collecting card details, you will be liable. It's better to leave the problem with a PSP that specialises in security protection of card details.

      Chris
      If someone hacks the website and changes the checkout pages so that the cc info goes to them and not the PSP, is this not a case for security scanning the website even if you use a PSP? Just a thought.

      Mark



        #18
        If someone hacks the website and changes the checkout pages so that the cc info goes to them and not the PSP, is this not a case for security scanning the website even if you use a PSP? Just a thought.
        Yes, it's a case but not a requirement. Go ahead and do it if you want to.

        Any website could be hacked and a fake ecommerce site set up with false payment screens. You can't regulate against this.

        Mike
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #19
          Yes, I agree that a scan can provide some additional security, although it's not a requirement. The key thing is not to feel that risk is eradicated or that you are truly PCI DSS compliant, just because you passed a scan.

          I think that a hacker redirecting shoppers in some way to capture their card details is a lower order threat. This is because a merchant who uses a PSP and suffers such an attack will quickly realise there's a problem because their payments will stop coming through.

          It means that the merchant will quickly take action to correct the hack. This in turn means that hackers will get relatively few cards. Therefore, this type of attack is less likely to occur.

          Sorry that's a bit of a long-winded argument, but I hope that it makes sense.

          Chris

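The scenario Mark raises in #17 and #18 (a checkout page altered so card details go somewhere other than the PSP) is something a merchant can check for directly, rather than waiting for the signal Chris describes in #19 of payments no longer arriving. The following Python script is an added example, not code from this thread or from any forum member or PSP: it compares the served checkout page against a known-good SHA-256 hash taken at the last deploy, and separately checks that every form action and external script/iframe/image source points at either the merchant's own host or the approved PSP host. The hosts `pay.psp.example` and `shop.example` and the sample pages are constructed placeholders, not real services.

```python
"""Integrity and destination check for a PSP-redirect checkout page.

Added example, not from the forum thread. Assumes a merchant whose checkout
form only ever posts to one approved PSP host, and who records a SHA-256 of
each checkout page at deploy time so later copies can be compared against it.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hosts (placeholders, not real services).
APPROVED_PSP_HOSTS = {"pay.psp.example"}
OWN_HOST = "shop.example"


class _DestinationCollector(HTMLParser):
    """Collects every form action and every script/iframe/img source."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.sources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.sources.append(a["src"])


def page_hash(html: str) -> str:
    """SHA-256 of the page text; record this at deploy time as the baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_unapproved_destinations(html, approved_hosts=APPROVED_PSP_HOSTS,
                                 own_host=OWN_HOST):
    """Return human-readable findings for any destination not on the allow list."""
    parser = _DestinationCollector()
    parser.feed(html)
    findings = []
    for action in parser.form_actions:
        host = urlparse(action).hostname
        # A relative/own-host action means card data would reach the merchant
        # server, which the PSP-redirect model is meant to avoid.
        if host is None or host == own_host:
            findings.append(f"form posts to merchant site instead of PSP: {action}")
        elif host not in approved_hosts:
            findings.append(f"form posts to unapproved host: {host}")
    for src in parser.sources:
        host = urlparse(src).hostname
        # Relative sources load from the merchant's own host and are expected.
        if host is not None and host != own_host and host not in approved_hosts:
            findings.append(f"resource loaded from unapproved host: {host}")
    return findings


def audit_checkout_page(html, baseline_hash, approved_hosts=APPROVED_PSP_HOSTS,
                        own_host=OWN_HOST):
    """Hash check first (catches any change), then explain where data would go."""
    findings = []
    if page_hash(html) != baseline_hash:
        findings.append("page content differs from deployed baseline")
    findings.extend(find_unapproved_destinations(html, approved_hosts, own_host))
    return findings


# Constructed sample pages (not captured from any real site).
BASELINE_PAGE = """<html><body>
<form method="post" action="https://pay.psp.example/checkout">
  <input type="hidden" name="order_id" value="1001">
  <button>Pay now</button>
</form>
<script src="/static/checkout.js"></script>
</body></html>"""
BASELINE_HASH = page_hash(BASELINE_PAGE)

# Form action rewritten to point away from the PSP.
REDIRECTED_PAGE = BASELINE_PAGE.replace(
    "https://pay.psp.example/checkout", "https://unknown-host.example/checkout")

# Third-party script added to an otherwise unchanged page.
INJECTED_PAGE = BASELINE_PAGE.replace(
    "</body>", '<script src="https://cdn.unknown-host.example/x.js"></script></body>')


if __name__ == "__main__":
    for name, page in (("baseline", BASELINE_PAGE), ("redirected", REDIRECTED_PAGE),
                       ("injected", INJECTED_PAGE)):
        print(name, audit_checkout_page(page, BASELINE_HASH) or "OK")
```

Run this from a scheduled job that fetches the live checkout page; the hash comparison alone is enough to raise an alert on any change, and the destination findings tell the responder whether the change actually moves card data off the approved path. Pages with per-request content (CSRF tokens, session ids) need those parts stripped before hashing, or the baseline will never match.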
