Mastercard Secure Code
Hi Chris,
Thanks Chris for the link to the PCI DSS explanation page on your website, which I had already seen. According to this, if we take ecommerce payments via a PCI compliant 3rd party (like Actinic Payments) and want to do MOTO payments then we will be SAQ validation type 4, and need to complete SAQ form C, which after brief inspection looks quite involved. So some questions arise from this :
1) Can we send our MOTO customers to the Actinic Payments website to make payments to us direct? If so then according to the Actinic info page we would then be SAQ validation type 1, and only need to complete SAQ form A
2) If we were to use this method, we would never have access to any cardholder data, so why do we need to do any PCI DSS compliance? It would be like paying for an MOT and not owning a car.
3) If we want to continue using PayPal Pro integrated on our site, does that make us SAQ validation type 5?
4) Regarding integration of 3D Secure to PayPal Pro, the good people at Actinic have either got to support it, with a statement relating to the compliance issues, or drop support for PPP. I don't see how on one hand you can advertise this feature and on the other hand not support it properly. Time to make a decision, support it or don't.
5) PCI compliance is not currently a legal requirement (from what I've read online). The fines or restrictions are only imposed by the payment providers. In the case of PayPal, they don't seem to care about the non-compliance of PayPal Pro, and as far as I know (and I haven't done any detailed research on this) there is nothing in our contract with them that says they can fine us for not being PCI compliant. If that is all true then what am I worrying about (apart from the fact that Actinic doesn't integrate 3D Secure with PPP)?
Sorry, too many points and questions for one post, but as a newbie to this issue, I'm finding it very difficult to get my head around.
Yes
I can confirm that you need to change to using a payment service provider and stop having customers entering any payment details on your website, unless you want to go to great annual expense and pain-in-a***e trouble to become pci compliant yourself.
What we do is use SagePay for all payments, with PayPal as one of the payment options on SagePay. This we found preferable to a separate PayPal option, though it may cost us a bit more. We have 3D-Secure enabled on SagePay and would recommend that others do likewise, and it is essential for accepting Maestro payments. On SagePay you can check the fraud score for payments, even when the payment is successful, and including the PayPal payments. I am starting a new posting for more about this Third Man fraud score.
Sarah
Third Man
The Third Man checking for fraud, on SagePay, I have found to be very important, after being caught out:
A customer placed an order (£80) for goods which were delivered to him. He contacted his card issuer saying he didn't receive the goods, and the bank did a chargeback. We defended the chargeback, but his card issuer would not accept it as we did not have his signature, though the barcode was scanned at the point of delivery and the Royal Mail tracking said Delivered. We didn't check the Third Man report until the chargeback happened, and found that he had a very high fraud score, in red, with both his address (where he lived alone) and his telephone number having very high fraud scores. So in retrospect we should have checked the Third Man report before despatching the goods, and should have cancelled and refunded the order at that point. We are now checking several times a day. Watch out for people placing orders just before your cut-off point for the day!
You are covered for fraudulent payments that have gone through 3D-Secure, but not for customers saying that they did not receive the goods. Card issuers are only accepting the signature of the addressee as proof, not scanned bar codes, but PayPal accept these (i.e. Royal Mail Tracked saying Delivered is accepted by PayPal).
Sarah
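The pre-despatch check Sarah describes (look at the fraud score, including its address and telephone components, before goods leave, and pay attention to orders placed just before the daily cut-off) can be turned into a routine gate in the order-processing pipeline. The following is an added example written for this thread; it is not code from Actinic, SagePay or the posters. It assumes a 0-100 score scale with 60 and above counting as "red", a 15:00 despatch cut-off with the last 30 minutes counting as "late", and uses constructed sample orders. Adjust the thresholds to match what your provider's report actually shows.

```python
"""
Pre-despatch screening gate (added example, not from the thread).

Holds any order whose overall, address or telephone fraud score is "red"
so a person reviews it (and may cancel and refund) before despatch, and
flags for review orders that were placed just before the despatch
cut-off or that did not go through 3D Secure.

Assumptions, not taken from the thread: scores are integers on a 0-100
scale, 60 or above is red, cut-off is 15:00, the late window is 30 min.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

RED_THRESHOLD = 60                 # assumed: 60-100 shown as red
CUTOFF = time(15, 0)               # assumed daily despatch cut-off
LATE_WINDOW = timedelta(minutes=30)  # assumed "just before cut-off" window


@dataclass
class Order:
    order_id: str
    amount_gbp: float
    placed_at: datetime
    overall_score: int   # provider's overall fraud score
    address_score: int   # score attached to the delivery address
    phone_score: int     # score attached to the telephone number
    three_d_secure: bool  # did the card payment pass 3D Secure?


def is_red(score: int) -> bool:
    """True when a score component is in the red band."""
    return score >= RED_THRESHOLD


def placed_near_cutoff(placed_at: datetime) -> bool:
    """True when the order landed inside the late window before cut-off."""
    cutoff_dt = datetime.combine(placed_at.date(), CUTOFF)
    return cutoff_dt - LATE_WINDOW <= placed_at <= cutoff_dt


def screen(order: Order) -> Dict[str, object]:
    """Return the action for one order plus the reasons behind it.

    'hold'     - a red score; do not despatch until reviewed
    'review'   - no red score, but a softer signal worth a second look
    'dispatch' - nothing flagged
    """
    red_reasons: List[str] = []
    soft_reasons: List[str] = []

    if is_red(order.overall_score):
        red_reasons.append("overall fraud score red")
    if is_red(order.address_score):
        red_reasons.append("address fraud score red")
    if is_red(order.phone_score):
        red_reasons.append("telephone fraud score red")
    if placed_near_cutoff(order.placed_at):
        soft_reasons.append("placed just before despatch cut-off")
    if not order.three_d_secure:
        soft_reasons.append("payment not authenticated via 3D Secure")

    if red_reasons:
        action = "hold"
    elif soft_reasons:
        action = "review"
    else:
        action = "dispatch"
    return {"order_id": order.order_id, "action": action,
            "reasons": red_reasons + soft_reasons}


def screen_all(orders: List[Order]) -> List[Dict[str, object]]:
    """Screen a batch of orders, e.g. everything since the last check."""
    return [screen(o) for o in orders]


# Constructed sample orders (not real customers or real scores).
SAMPLE_ORDERS = [
    Order("A1", 24.99, datetime(2024, 1, 8, 10, 15), 12, 5, 8, True),
    Order("A2", 80.00, datetime(2024, 1, 8, 14, 45), 85, 90, 88, True),
    Order("A3", 45.50, datetime(2024, 1, 8, 14, 50), 20, 10, 15, False),
]

if __name__ == "__main__":
    for result in screen_all(SAMPLE_ORDERS):
        print(result["order_id"], result["action"], "; ".join(result["reasons"]))
```

Run it several times a day against the orders received since the last check, as the post suggests, and treat "hold" as a stop for the warehouse rather than an advisory: the point of the story above is that a red score seen after the chargeback is worth nothing, while the same score seen before despatch would have saved the £80.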