That's what I thought . . . . so basically anyone could tick yes to everything they want to hear and we're hunky-dory . . . . not exactly 'policed' in any way then is it lol . . . . well this should be a breeze then, they're calling me back Monday to arrange the scanning side, one change to our mail order form so I can slice off and shred customer details and I'm done . . . . thanks for the replies.
PCI DSS Compliance
It's true that merchants are classified into levels, the majority of Actinic customers being level 4 merchants. At this level you "self certify". However, the actual PCI DSS requirement is the same.
This is a sort of contradiction, which is one of the reasons for confusion.
So yes, if you have the correct procedures in place, as a relatively low volume merchant all you have to do is state that you have them.
If, however, any breach is ever proved, you automatically become a level 1 merchant. Compliance activities at this level will put pretty much everyone out of business. Creditcall (Actinic Payment's backbone provider) announced at the Actinic conference that it cost them over £250k to comply.
Chris
-
I'd have to assume that the level 1 compliance costs for Creditcall are significantly higher than they would be for the rest of us because they store and process credit card details on computers and systems that are widely interconnected with public access.
To make these systems safe, verify and test them, put secure systems and procedures around them, document and audit is going to be far more expensive than doing the same thing for a simple paper procedure.
But Chris is making a valid point. The whole point of PCI-DSS is to ensure companies that handle credit card details do so responsibly and safely. Clearly self-certifying isn't policed, but you won't be able to deny awareness or responsibility if any breaches do occur.
As far as I can remember there are significant fines for breaches as well as tighter certification requirements.
Mike
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
"If, however, any breach is ever proved, you automatically become a level 1 merchant"
I've come a bit late to this discussion. Say a merchant is currently level 4, validation 4, SAQ C, passes all web transactions to a PSP, but is 4/4/SAQ C because they have chosen to use the PSP's virtual terminal as well (but does not collect card details on their own website).
If a breach is proven as a result of a failure related to the more stringent requirements of SAQ C over SAQ A, and the merchant automatically becomes level 1, is the worst that can happen (apart from fines etc.) that the merchant has to "become SAQ A", i.e. stop using the virtual terminal?
Or is this outcome really so bad (including fines etc.) that it really isn't worth using the virtual terminal from the start, avoiding SAQ C and sticking with SAQ A?
-
"Level 1" compliance means level 1 - fully audited. Not Level 4 in any flavour.
At the end of the day this is a commercial agreement between two companies. The penalties you face depend on how badly the card companies view your breach.
Mike
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
Daft question probably, but how do you arrange to get scanned if you don't have a fixed IP address (like most of us...)?
Also, any more on the "scanned until compliant" thing? I would have thought that compliance was a "regular, forever" process of testing even when you become compliant.
Also (sorry), has anyone considered/implemented a page on their site which allows a customer to enter an amount and address, then get taken to the PSP to enter their card details? This might get round the MOTO problem for us, since most MOTOs are done because we are dealing with non-standard amounts on products which aren't on our site (e.g. special orders). So we tell the customer the amount and tell them to go and pay for it on a certain page.....?
-
Also, any more on the "scanned until compliant" thing? I would have thought that compliance was a "regular, forever" process of testing even when you become compliant.
Mike
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
How often do other Streamline users get a scan done? Their own PCI-DSS Merchant Guide http://www.streamline.com/downloads/PCIDSSGuideV3.pdf states that for Level 4 merchants they require a 'Vulnerability scan at least annually', but when completing the SAQ C, Question 11.2 asks 'Are internal and external network vulnerability scans run at least quarterly'.
-
Hmm. Thanks Duncan, I like that. The problem I can foresee is that the people who phone for MOTO often do so because they don't like/trust putting their details into a website. For us to then tell them to go to a payment page because "it's more secure" isn't going to wash at this stage of the development of ecommerce.......
-
I suggest a quick re-read of my article referenced in the root of this thread (and below).
Security Metrics and other providers can provide the external scan for the third case (Type 4 / SAQ C) at a reasonable cost, even if you are connected to the Internet by broadband and don’t have a fixed IP address.
Actinic ourselves use a virtual terminal. We had an external scan from Security Metrics, we run virus checkers on every PC. We also use several anti-spyware products. We followed the procedure that I outlined. Job done.
See http://www.actinic.co.uk/services/pci-dss.htm .
Chris
-
Do I need PCI DSS?
We have a B&B and have a PDQ connected to a phone line. I do CNP over the phone and face to face transactions. We have no staff.
I also deal with firms like Laterooms & bookings.com who send me faxes with CC details, but not the 3 digits from the reverse of the card. If I need these I log onto their site and get them.
Do I need to go through the PCI DSS system, and if so, which level/type am I?
-
Yes you will.
My wife has a PDQ from Barclays and has recently been informed of an increase in transaction percentages if she does not comply, all of this after being told by them that she didn't have to do it?
If you only swipe cards using someone else's PDQ, e.g. Barclays/HSBC, etc. and do not collect any information whatsoever, the compliance form is quite straightforward (2 forms: #1 Version 1.2 and #2 SAQ A v1.2).
However as someone is sending you paper copies of details, the problem on security etc grows, and you will have to select a different form, see here for overview.
https://www.pcisecuritystandards.org...ions_dss.shtml
All that being said , for £12 pa, these people
https://www.pcisecuritystandards.org/index.shtml
will do it for you over the phone and set you up with a web link to fill in the correct form electronically with your own password etc. It's a Yes/No form with instant RED/GREEN acknowledgment of your answers, so you can get on with it and get a green light straight away (assuming your systems and procedures comply - else you have to submit an action plan of improvements etc.).
To be honest it's £12 a year - do it IMO?
OK, £12 pa feels like a TAX, but what are you gonna do? Well, what you can do is sign up for 1 year and simply "learn by example" what these guys tell you for subsequent years, assuming no changes in your procedures or setups, and then do it yourself.
Simon.esafetysigns.co.uk
your instant download portal for self printable health and safety signs and posters
... download once use as many times as you like !
http://www.esafetysigns.co.uk/index.html
http://www.esafetysigns.co.uk/acatalog/index.html
-
Vulnerability scan
Started the process yesterday and the scan showed 4 issues, all to do with open SSH, with strange solutions I am yet to investigate.
The bottom line says non-compliance - quite worrying, as there seem to be no proper guidelines or indeed any indication of how long I have before losing the ability to take card payments!