You are correct. Anyone who downloads and processes cc details via their own website is required to be compliant, regardless of the PSP, be it PPP or any other.
Mastercard Secure Code
-
We don't collect card details, they are just transferred securely (I assume encrypted as the checkout process is hosted on a secure server) to Paypal Pro who then process the card details, collect the money and return a confirmation. We never see or store the card details.
-
Originally posted by Smart:
I haven't had my head in the sand, I've simply never come across this issue before, I only came across it now because we wanted to implement 3D Secure.
If you're in the right places at the right times, it has been discussed to death online, hottest topic on here for the past 2 years. If you're not in the right places, I guess it falls down to the people setting the rules to get this out to you guys so you also know.
-
I can't believe PayPal haven't contacted us about it, we put a lot of money through their site in this way, and also using their virtual terminal (which makes us even less compliant from what I've read today). I get the impression that other IMA providers are being much more proactive to ensure their clients are compliant (possibly too proactive in some instances). I also think Actinic could have done more. We purchased Actinic Business less than 2 years ago, and went with PPP integration from the off, in fact this was one of the major selling points. There was no mention in the product documentation that this was not PCI compliant, and there have been no emails or communications (to my knowledge) about this directly since.
I do think you have a duty to keep in touch with the industry in which you operate to a certain degree though.
I'm now looking at other PSPs to process our card transactions, and am considering using the Actinic Payment service. Now I understand the buyer will be taken to their site to handle the card payment, which takes the compliance issue away for online transactions. But watching the webcast about this product, it also shows that you can do MOTO transactions directly from your desktop where Actinic is installed. From the orders section it opens a browser window and seems to pass the order details to the virtual terminal where you can enter the card details manually. Now this is a useful feature, but surely it causes PCI compliance issues, because the card data is now stored on your local machine, and is transmitted over your network and internet connection. Can anyone tell me more about the compliance requirements of using this feature?
-
Chris, this is good and detailed. I suspect it's still going to leave people coming here with questions but we can always update it over time.
What I'd like to see is this getting to the stage where we can just direct anyone with questions to that page.
Mike
PS. From what I know, the SecurityMetrics scan is really only good value if done at the rates negotiated by the card companies. Otherwise they can be expensive (as a lot of them are).
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
There are a couple of sites offering one-off free scans:
1. Comodo/Hackerguardian - http://www.hackerguardian.com/hacker...free_scan.html - Static IP addresses Only.
2. McAfee - http://www.merchantplus.com/partners...nning-partner/ - A google for McAfee Free PCI scan should also bring up a few other McAfee partners offering the free scan, but doesn't appear to be available direct through McAfee.
Most places suggest that quarterly scans are required but the PCI-DSS guide from Streamline states they only require their merchants to have annual scans if they are level 4 companies.
I have used the Comodo/HackerGuardian scan on my network and passed on the first attempt (they allow up to 6 scans within the first 90 days of signing up for the free scan).
-
I think I remember reading that the Comodo offering is only suitable for fixed IP addresses and not dynamic IP addresses, which was OK for me but could be a problem if you cannot get a static IP address, although you can test up to 3 IP addresses.
I have a dynamic IP assigned by my ISP. Can I still use HackerGuardian?
No. It is not possible to use the Scan Control Service unless you have a static IP.
I think the McAfee offer is suitable for dynamic IP addresses, although not too sure as I am on a fixed IP so didn't investigate fully.
-
One of the issues I wonder about the DIY approach is do you then just self certify and do you need to show anything to your card acquirer?
i.e. do you just phone them up and say "I've completed the forms and run a test. No problems," or do you have to send off the completed forms and test results to the card acquirer?
Mike
-
Originally posted by olderscot:
One of the issues I wonder about the DIY approach is do you then just self certify and do you need to show anything to your card acquirer?
Mike
The Streamline PCI DSS guide states for Level 4 that they require:
- Annual Self Assessment Questionnaire
- Vulnerability scan at least annually
- From time to time we may ask some level 4 merchants to submit their compliance plans and certifications.
-
"apparently level 4, validation 1 (SAQ A) merchants (ie those who pass to a PSP) don't have to complete the form (SAQ A) unless they are required to by their acquiring bank, but they do have to be compliant. PayPal apparently don't require the merchant to complete this form."
http://community.actinic.com/showthread.php?t=45966 (post #20)
I don't know offhand what the position is regarding validation 4 (SAQ C) merchants, ie those who use virtual terminals for MOTO.
We use Lloyds Cardnet, and so far they appear to have only contacted level 1-3 merchants regarding PCI DSS:
http://www.lloydstsbcardnet.com/latest_news.asp
-
Originally posted by Golf Tee Warehouse:
There are a couple of sites offering one-off free scans:
1. Comodo/Hackerguardian - http://www.hackerguardian.com/hacker...free_scan.html
2. McAfee - http://www.merchantplus.com/partners...nning-partner/
- Comodo/Hackerguardian do not do dynamic network/device/PC IP addresses. This would present difficulties for many offices connecting by broadband.
- McAfee do scan dynamic IP addresses, offered 6 free scans, and didn't require credit card details to sign up for a free service (others did....). The control panel is a little tricky, but we passed PCI first time on a couple of networks.
-
PS
Out of interest we scanned a standalone (i.e. not networked) netbook connected to the Internet via a built-in Vodafone SIM; it passed the PCI test with flying colours. This might be a serious option for accessing a virtual terminal for companies where the main office network is difficult to secure to PCI standards, plus it would get round that tricky "The payment application system/Internet device is not connected to any other system within the merchant environment" tick box in SAQ C...