    Question regarding the Downloading of Orders

    We have received a letter from Barclays Bank with regard to complying with PCI DSS

    https://www.pcisecuritystandards.org/tech/index.htm

    Data Security Standard, regarding how the transactions of orders are handled on the website.

    One thing I want some info on is regarding the procedure with Actinic for downloading the orders (as this does have customer address details although not payment card details).

    Where does Actinic connect to in order to download these details, and how does Actinic do this?

    I'm assuming Actinic connects through to our website, as this is the only information you have to configure when setting up your website. I can't see where else it stores this info?

    And, when Actinic connects to download these order details is it secure?

    I just want some answers as we need to complete a self assessment questionnaire about this sort of information.

    Incidentally, has anyone else had this questionnaire to complete?

    https://www.pcisecuritystandards.org/tech/saq.htm

    That is the questionnaire we have been sent to complete.


    Cheers.
    Gavin

    #2
    we need to complete a self assessment questionnaire
    I would go back to them and ask why you need to complete the questionnaire.

    PCI-DSS is all about card processing and if you don't process the card details then it shouldn't have any relevance to you.

    Mike
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------



      #3
      Yes it does, as we also sell via mail order and hold customers' details in-house.



        #4
        I did wonder if that might be the case.

        AFAIK:

        1. While the customer is shopping and checking out the customer details are held in a session file on the server. These are not encrypted but permissions are set to 200 to prevent unauthorised access.

        2. Once the order is created the customer details are stored in a .ord file. This is encrypted and permissions are set to 200 to prevent unauthorised access.

        3. When you download the order files they remain encrypted until arriving at your PC. At this stage they are stored in Actinic's database in a clear format. I don't know what protocol is used to download these but as they are encrypted it's probably plain old ftp.

        Mike
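Point 1 above says the unencrypted session files rely on a 0200 file mode (owner write-only, nothing for group or others) for their protection. A merchant filling in the SAQ would want to verify that claim on their own hosting account rather than take it on trust. The Python below is an added illustration of such a check, not code from this thread or from Actinic: it walks a directory, reports any file that group or others can access at all, and separately reports files whose mode differs from the expected one. The expected mode 0200 is the value given in the post; the file names created by `demo()` are constructed sample data.

```python
import os
import stat
import tempfile

# Mode the post describes for session (.ses) and order (.ord) files on the
# server: 0200 = write-only for the owner, no access for group or others.
EXPECTED_MODE = 0o200
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_modes(entries, expected=EXPECTED_MODE):
    """Compare file permission modes against an expected mode.

    entries: iterable of (path, st_mode) pairs, e.g. taken from os.lstat().
    Returns a list of (path, actual_mode_as_octal_string, reason) for every
    file that deviates. Group/other access is reported first because it is
    the more serious deviation: any other account on the host could read the
    unencrypted session data.
    """
    findings = []
    for path, st_mode in entries:
        mode = stat.S_IMODE(st_mode)  # drop file-type bits, keep permission bits
        if mode & GROUP_OTHER_BITS:
            findings.append((path, f"{mode:04o}", "accessible by group or others"))
        elif mode != expected:
            findings.append((path, f"{mode:04o}", f"differs from expected {expected:04o}"))
    return findings


def scan_directory(root, expected=EXPECTED_MODE):
    """Walk a directory tree and audit the mode of every regular file in it."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            entries.append((path, os.lstat(path).st_mode))
    return audit_modes(entries, expected)


def demo():
    """Build a throwaway directory holding one compliant file and two
    non-compliant ones (constructed sample data, not real Actinic files),
    then audit it. Returns the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("good.ses", 0o200), ("world.ses", 0o644), ("owner.ord", 0o600))
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return sorted(scan_directory(root))


if __name__ == "__main__":
    for path, mode, reason in demo():
        print(f"{mode} {reason}: {path}")
```

Run it against the CGI or session directory of the hosting account (with `scan_directory("/path/to/sessions")`); an empty result means every file carries exactly the mode the post describes. The check is deliberately split so that `audit_modes()` can also be fed modes collected by another tool, for example the output of a remote `find -printf` run, when the files are not reachable from the machine doing the audit.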



          #5
          Gavin,

          Check out this thread
          http://community.actinic.com/showthread.php?t=34718


          Actinic's V9 MOTO/CNP method looks to address this issue as well for offline order processing.
          Fergus Weir - teclan ltd
          Ecommerce Digital Marketing

          SellerDeck Responsive Web Design

          SellerDeck Hosting
          SellerDeck Digital Marketing



            #6
            Originally posted by fergusw
            Gavin,

            Check out this thread
            http://community.actinic.com/showthread.php?t=34718


            Actinic's V9 MOTO/CNP method looks to address this issue as well for offline order processing.
            Thanks Fergus - Will go check the post out



              #7
              Yes it does, as we also sell via mail order and hold customers' details in-house.
              PCI is all about credit card details, not customer details, so for mail order processing you will need to put procedures in place to show you do not hold CC info in an insecure manner on a PC.



                #8
                Yeah, on our "Mailer" bespoke system, any user can see the CC details at the moment of someone who has placed an order. We are looking as part of complying with the PCI DSS to implement some security into this i.e. on screen you can only see the last 4 digits of the card.

                *************1234

                Which I believe is the common procedure for this type of thing.

                But at the moment am concentrating on the internet order side of things as the in-house security issue is something else we need to deal with.

                In respect to the internet side of things, if we use a PSP then we are OK (that's what I gather from reading these posts anyway?)

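The last-four display described in the post above is the standard way of masking a card number on screen. As an added example (not code from this thread, from Actinic, or from any bespoke Mailer system), the Python below masks a PAN down to its last four digits while keeping any spaces or dashes in place, and goes a step beyond the post by sweeping free text such as a log line or an exported order for card numbers so that none reaches a screen or a log file unmasked. The 13 to 19 digit length range and the Luhn check are standard card-number properties; the regex and function names are choices made for this example.

```python
import re

# Card numbers (PANs) are 13 to 19 digits long; the pattern also tolerates a
# single space or dash between digits, as people type them in groups of four.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
KEEP_LAST = 4


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Used to avoid masking order ids, timestamps and
    other long digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*', preserving spaces and
    dashes so the masked value lines up with the original on screen."""
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    cutoff = len(digits) - KEEP_LAST
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(c if seen > cutoff else "*")
        else:
            out.append(c)
    return "".join(out)


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text (a screen, a log line, an
    exported order) and leave all other digit runs untouched."""
    def _sub(match):
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            return mask_pan(candidate)
        return candidate
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample line using a well-known test card number, not real data.
    print(redact_pans("order 1042 card 4111 1111 1111 1111 exp 12/27 amount 19.99"))
```

`mask_pan()` is the display control for a field already known to be a card number; `redact_pans()` is the safety net for places where a card number should not appear at all, such as application logs or order exports, and is the kind of filter worth running before anything is written to disk or shown to a user who does not need the full number.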


                  #9
                  Gavin, that's the way I understand it as well: a PSP that is approved is OK, but in house is another issue.

                  D



                    #10
                    Originally posted by Darren B
                    Gavin, that's the way I understand it as well: a PSP that is approved is OK, but in house is another issue.

                    D


                    I think possibly someone from Actinic should put this to rest and make a sticky regarding this?



                      #11
                      I think possibly someone from Actinic should put this to rest and make a sticky regarding this?
                      Gavin, did you notice the other thread you were directed to? It is a sticky and it is explained there.

                      Mike



                        #12
                        Originally posted by olderscot
                        Gavin, did you notice the other thread you were directed to? It is a sticky and it is explained there.

                        Mike
                        Sorry m8, I was not taking much notice that the thread I was directed to was in fact a sticky in that section of the forum!



                          #13
                          No problem. This is becoming a big issue and there's so much info around that it's hard to find a solid reference.

                          Perhaps actinic should bung a PCI statement/explanation in the knowledge base or user guides somewhere. Not that anyone will see it there but at least there would be a single point of reference that people can be pointed to.

                          Mike



                            #14
                            Actually I was wondering if there is any more info on the Actinic PSP; it seems to be a little quiet, or have I missed something?

                            D



                              #15
                              Originally posted by olderscot
                              Perhaps actinic should bung a PCI statement/explanation in the knowledge base or user guides somewhere. Not that anyone will see it there but at least there would be a single point of reference that people can be pointed to.
                              Mike
                              Totally agree with you Mike - Great Idea.
