I assume you meant is not compliant

Actinic will be posting some new summaries of our advice on PCI DSS compliance in the next few weeks, as I agree it is all fairly difficult to grasp. I'm currently talking to the PCI DSS compliance teams at several of the banks and will update everything, hopefully with their endorsement, accordingly.

The advice from the forum regulars, Lee, Jan, Darren etc are all correct.

There are two additional points that I would like to make:

The confusing thing about PCI DSS compliance is that it is possible for the bank (or the bank's recommended security company) to imply that you are compliant when you are not. If you look at the small print you will find that it's you that is stating you are compliant, not any third party service.

True compliance i.e. where you would pass a proper audit of the standard, is almost impossible for a small company to achieve. To illustrate this, I have spoken to two companies that undertook proper compliance and the cost was c£45k and c£85k respectively. The example that I always quote, that you can't have cleaners in for the evening because that breaks compliance by having unsupervised people in the building, illustrates the point. Although you may pass a security scan, if your security is compromised they will check everything, and believe me anyone who stores card data, whether using Actinic or another system, and who hasn't spent the sort of money above, will end up by being declared non-compliant and will then be fined and forced to follow the most stringent rules. This would put most smaller companies out of business.

The second point is that the activities of hackers have gone up a notch in the last few years. They are now organised gangs of criminals, and they can and will target companies who store card data. As the big guys get more on top of things, their attention is moving down the market. We have seen highly organised hacking attempts ourselves already.

Actinic has always had a major focus on security - we used asymmetric encryption of card data back in 1997 when nobody was much concerned about any of this. However, because of the threat from hackers and the impossibility of properly securing things without spending huge amounts of money, our position is that no small business should capture card data on their site and they definitely shouldn't store any card data. Instead they should use a PSP for both web and MOTO (phone) orders so their servers never see the card details. It's the quickest, safest and cheapest way of becoming compliant.

If you use Actinic Payments to achieve this, you will also achieve some productivity gains. However, compliance can be achieved with other PSPs, and we don't rule out integrating them to a similar level with Actinic in the future.

Hope that makes sense.

Chris

Thats what i said