I wholeheartedly agree with that statement.
I've given up counting the number of times we've had to reassure people and restate the facts regarding PCI compliancy and the "security" scans undertaken by 3rd parties (for a fee).

I liken these scanning companies to the marketeers promoting hygiene products i.e. the ones who suddenly inform you that the soap pump dispenser you've been using happily for years without any negative health impact is suddenly BAD for you and full of bacteria and you MUST buy the hands free dispenser.
e.g. suddenly the server or network systems you've had running happily (that had previously passed all their scans) suddenly are no longer secure as a *new* vulnerability has been discovered.

I completely subscribe to ensuring maximum protection and security and recommend a belt and braces approach to dealing with data protection and card information, however a not-for-profit body operating for the benefit of the consumer would be a much more reliable source of what is and what is not compliant as opposed to these kind of "scary" warnings and alerts.

On another note when someone breaches the PCI requirements they are supposed to be penalised? Also, if a company that breached the standards was accountable for £millions and hundreds of thousands of transactions daily you would hope that the PCI authorities (VISA, Mastercard) would make some kind of stand?
I had to laugh when WorldPay (RBS) we not PCI compliant last year and amazingly nothing seemed to happen to them. No Charge. No Fee!

It's enough to make you cynical

As a UK payment gateway we have to adhere to PCI Level 1 compliance and perform regular scans both internally and externally to make sure our systems remain compliant in the eyes of the card industry/PCI DSS. We have used ECSC for our accreditation for the last few years and have found them to be a lot more fair and accommodating compared to some other QSA's (Qualified Security Assessor) who seem to be on a power trip.

It seems wholly unfair that smaller independent payment gateways such as ourselves should have to adhere to these standards (or face huge fines) whilst larger providers continue to get away with not following the same standards and are awarded leniency for not following the rules and guidelines set out in the industry.

The same thing happened when the card industry introduced 3D Secure. They set a deadline for compliance which time and time again was ignored by the bigger online retailers but nothing was done.

Hi

I have recently spoken to Security Metrics due to HSBC changing to Global Fortress (this is just a billing change really as they still use Security Metrics and all the systems are exactly the same).
I raised a concern about the quartery scan they run becase I have a dynamic IP address and they always run the test on the same IP address.
I have mentioned my concern to them on several occasions in the past, starting back in 2008 when I first signed up with them, but they seemed to think all was OK, they ran the tests which passed and so I have been compliant up til now!!

After 2 1/2 hours on the phone to different people I convinced them that they did need to change the IP address to the one that I was on in order for the test to be run correctly. They ran the scan which I promptly failed!!

I am now non-compliant, I should have kept my mouth shut!!!

Any way this got me thinking are there any others out there that are in the same position as me, in that Security Metrics are running useless scans.
Even if you have a fixed IP, will the tests stil pass if your equipment is not turned on as Security Metrics could run the scan at any time of the day.
How good is the actual test they run and can anyone understand what the scan results mean when you fail?

Cheers

Jerry

Greetings!

Hello!

My name is Jake Roberts and I've just joined this forum. I work in the Head Office at Payment Sense UK, as many of you may or may not know, we are the UK's largest merchant service provider for SME's.

I hope to be able to answer any questions anyone may have about our services and provide helpful insights and tips on card processing for fellow users.

PCI can be quite a handful and a confusing thing to become compliant on but it's not that scary. It's there to protect you and give a basic guideline on how card payments should be taken and what not to do in the industry.

We've also put security up as a high priority in the business and that's why we offer to cover our merchants PCI Compliance fee's for the first 12 months of the contract. We also offer a dedicated support line for our merchants to help them through the compliance questionnaires. We believe this helps make the whole process less intimidating and lets you focus on what really matters.. Running a Business!

I hope to speak to more of you out there soon!

Jake,

You best have a read of this thread Jake

http://community.sellerdeck.com/show...t+sense&page=3

I'm afraid we've had the same "review" word for word on many other forums and sites. The fact the user has only ever posted once and its a copy-paste of a review on more than 1 forum shows it's either an isolated incident or someone simply out to sully our good work in saving SME's money on their Merchant Service Costs.