I've read the updated response from Actinic and from what it says I fall into this category:
If you take card payments for ecommerce orders using the web page of a compliant PSP, and also use the compliant PSP's web form for taking mail order related payments, you must get an external scan of your office network (to make sure hackers can’t get in from outside) and you are required to run a virus checker on every PC. You are a SAQ validation type 4, and need to complete SAQ form C.
But when I go to complete SAQ form C I get stuck with "Part 2d. Eligibility to Complete SAQ C", the second statement:
The payment application system/Internet device is not connected to any other system within the merchant environment.
I am interpreting this as meaning the PC that I am using to enter card details on our compliant PSP's web form for mail order payments must be standalone and not connected to the server in our office or any other PCs. Which means, as all our PCs are networked and connected to a server, we can't complete SAQ form C.
Is this correct or did you interpret it differently?
I read it differently. The payment application isn't connected to your environment any more than it is connected to every other device in the world that is in turn attached to the Internet. From my discussions with the PCI DSS teams in the banks, I believe that this is how they interpret it too.
Had a letter from RBSWorldPay re PCI DSS compliance so just getting my ducks in a row. Reading the advice in the Actinic link above, I think I come under validation type 3 as we only link to Sagepay and take PDQ payments for those that think the telephone is more secure!!!!! Can someone confirm that I only have to complete SAQ form B or do I have to complete form A as well to cover the Sagepay bit? Many thanks.
Oh, by the way I think the link to the Visaeurope site in Alan's post should be:
I'm a bit baffled here, so no surprise to some of you . . . as none of these people issuing information for PCI DSS compliance are members of the Plain English Society . . . . . I have come to the conclusion we're level 4: we process some card payments through the Actinic Payments site for MOTO transactions with the virtual terminal, and we have a Streamline terminal downstairs for regular transactions into which we can also manually input card details - so we have the customer's CC/DC details on paper.
So we need to
•Submit a completed annual Self Assessment Questionnaire
get the network tested by someone (they, RBS, suggest Arsenal but I'd like to know if this is recommended or someone else)
then do we need to get a certificate or some sort of assessment for the office where all records are kept, and who does this?
•Complete an External Vulnerability Scan at least annually. An Approved Scanning Vendor (ASV) will carry out vulnerability scans –
then somewhere else it said quarterly or until compliance has been achieved, or words to that effect - which means what? You don't need any more scans once you're certified?
I'm gonna be certified by the time I get through this . . . .
Whoever is doing the certification will need to see the Questionnaire and Vulnerability scan results. Obviously the easiest way is for them to do it all. HSBC use Security Metrics as a recommended vendor (at a big discount) for this and with them you can complete the questionnaire online and run the scans automatically.
I've no idea how the other companies are doing this.
Cheers Mike, I take it you must have looked into paying for scans from independents then? I found their approved list of people but I didn't want to start making enquiries with them yet until I knew I wasn't setting anything up that wasn't required.
If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.
Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.
I did quickly look at the independent testers. The trouble was that they all looked more expensive than the Security Metrics deal of £74.99 / year so in the end I just went with that.
If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.
Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.
This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.
Mike, RBOS have quoted me about £80 per year for quarterly scans so I guess it's about right; how long do they go on for though? I still don't understand the quote of 'quarterly scans until compliance has been achieved'.
Chris, we take orders over the phone downstairs and I also take orders up in the office; they have to be written down as it's not always possible to process it there and then. I also use Actinic to make invoices for products I know are on the site, and if not I create dummy products with a title and a price, which only takes seconds, to create an invoice. Either way we write the customer's CC/DC details down.
This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.
How do you do this? Surely that's not that SAQ C form I've filled in?