Actinic with PayPal Pro and 3D Secure

    #16
    Re Mike's post

    Do we agree that if you only take credit card payments via a PCI compliant provider such as HSBC, SagePay, Worldpay or AP on your website, you do not need to involve SM?

    BUT

    if you take phone orders via Virtual Terminal you need to have your PC/network scanned? This is because there is a human typing in the info in your office.

    Does anyone know why SM are still insisting on scanning hosting space?



      #17
      Originally posted by pinbrook:
      Does anyone know why SM are still insisting on scanning hosting space?
      To make money from people who don't know better?



        #18
        Jo, that is correct. For instance, SecureTrading say:

        "If you are using SecureTrading Payment Pages and only take payments via your website, you will not need to be PCI DSS compliant in your own right. However, if you take payments by any other method, such as through our Virtual Terminal over the telephone or by mail, our PCI compliance will not cover you as we are not responsible for or in control of the environment in which these card details are handled."


        The question is, then, is a merchant prepared to give up the convenience of entering card details onto a Virtual Terminal in order to avoid PCI DSS compliance?

        Aquazuro - designer stainless steel accessories



          #19
          Quote: The question is, then, is a merchant prepared to give up the convenience of entering card details onto a Virtual Terminal in order to avoid PCI DSS compliance?
          Being pedantic here....

          Everyone has to be compliant but... if you only take website payments you inherit compliance from your PSP but you still need to fill in a form to declare this.

          Yes, I know of several people who have dropped phone orders for this reason.

          Quote: To make money from people who don't know better?
          It's a flippin' pain, that's all I can say.



            #20
            Yes, you're right, I didn't mean avoid PCI DSS compliance, I meant avoid the extra steps involved in being validation 4 (SAQ C) compliant in order to use a virtual terminal.

            Continuing with the pedantic theme, apparently level 4, validation 1 (SAQ A) merchants (ie those who pass to a PSP and inherit, as you mention) don't have to complete the form (SAQ A) unless they are required to by their acquiring bank, but they do have to be compliant. PayPal apparently don't require the merchant to complete this form.



              #21
              Quote: Continuing with the pedantic theme, apparently level 4, validation 1 (SAQ A) merchants (ie those who pass to a PSP and inherit, as you mention) don't have to complete the form (SAQ A) unless they are required to by their acquiring bank, but they do have to be compliant. PayPal apparently don't require the merchant to complete this form.
              Ah good, I didn't know that.

              Presumably anyone who uses a PSP that integrates the merchant account will be the same, i.e. PayPal, GC and Worldpay (where you don't have a separate merchant account).



                #22
                PayPal is listed on the PCI-DSS list:

                https://www.pcisecuritystandards.org...on=0&perpage=0


                Please also keep in mind that MasterCard has mandated that any merchant accepting Maestro as a form of payment must run SecureCode (3D-Secure) on all Maestro transactions processed online.

                PayPal, as the PSP, then pushed that mandate onto their merchant community.

                HSBC is a good PSP and they as well are subject to this mandate. It would be in your interest to contact HSBC and inquire about their requirements for accepting Maestro.

                In regards to PCI compliance, you most likely qualify at Level 4, where a simple questionnaire is all that is needed. HSBC should instruct you on what they need from you. You can always find the forms and requirements here as well: https://www.pcisecuritystandards.org/saq/index.shtml

                If I can answer any other questions around 3D-Secure, feel free to contact me.

                Cheers,

                Eric Goodman
                CardinalCommerce Corp
                MerchantSupport



                  #23
                  This post started with a rant about Actinic not supporting 3d secure with PayPal Pro which I want to pick up on, as it was quashed by webD without any proper consideration.

                  There are numerous threads on this forum and information on Actinic's own website stating that PayPal Pro is not PCI-DSS compliant.
                  To the best of my knowledge:
                  PayPal Pro is PCI-DSS compliant. The difficulty is for the merchant to be compliant in handling the card data on their site and passing this data to PayPal. It's not accurate to say that "PayPal Pro is not PCI-DSS compliant"; it is more likely the merchant that is not compliant. But it is possible for the merchant to achieve compliance if they are prepared to jump through the right hoops, and for these customers the question of 3D Secure implementation still remains.

                  There seems to be a policy within Actinic to just steer people away from PPP citing compliance issues. IMO, if Actinic users want to keep using PPP with or without compliance, Actinic should support it, and support 3D Secure integration. Alternatively Actinic have got to pull down the "PayPal Pro compatible" marketing, drop support for this product, and compensate their customers who have purchased Actinic for its PPP integration.

                  I think it is disingenuous to claim to support it, not actually support it and then blame the problem on PayPal.



                    #24
                    I'm sure it might be possible to achieve PCI compliance using PayPal Pro. The problem here isn't with Actinic but your web hosting, which will need to meet the PCI DSS security requirements. This is not easy but you're welcome to go ahead and try. There is a long thread about this somewhere from another member who wanted to achieve this (not with PayPal Pro but another payment method, if I remember correctly).

                    Do PayPal claim anywhere that PayPal Pro is PCI compliant? I seem to remember seeing somewhere that they couldn't claim this and had been given special dispensation to operate without it temporarily. Have they fixed this yet?

                    I'd also disagree that 3D integration is an actinic issue. To me this is really Paypal passing the buck. The proper procedure for this would be:

                    1. your website passes the CC data to paypal.
                    2. They pass it to the bank (as currently)
                    3. Bank initiates 3D Secure checking.
                    4. Banks pass result back to paypal.

                    To suggest that Actinic should link directly to the banks for 3d Secure seems very odd.

                    If all paypal want is an updated 1st stage then that would seem appropriate. In that case Actinic should either get it done or stop claiming compatibility. I don't know what is needed for 3d secure with paypal Pro so can't say either way.

                    I'm not sure why you're so concerned about PayPal Pro. All it adds above standard PayPal is the card payments on your website, and you can do card payments securely with lots of other PSPs without having to get a PCI compliant web server.

                    If you have concerns over the way you were sold actinic then that is really something you'll have to take up with Actinic directly.

                    Mike
                    First Tackle - Fly Fishing and Game Angling



                      #25
                      Most people report a reduction in charges by moving away from PPP, if the PCI DSS crusade is not enough to get you to move immediately, surely the costs can be. What is the attraction with this solution? Processing on your own store is very very rare in ecommerce terms nowadays, so why would you want to use a solution that is expensive, confusing on screen, non-PCI compliant and bucks the ecommerce trend of most other stores.

                      Questioning and dissecting is good, it breeds good conversation and we all get a great picture of things, but this needed doing 18 months before this, which it was, and 99% of us are all happy with the situation.

                      Levelling this at actinic is bizarre IMO, just like with the java applet, they cannot simply pull solutions from their software, because the people seriously lagging behind would all be instantly stuffed. Software just doesn't do that.



                        #26
                        Quote: Most people report a reduction in charges by moving away from PPP
                        I've researched pricing from several different PSP and IMA providers and PayPal is as or more competitive than most of them, certainly at the monthly value of transactions we put through.

                        Quote: Processing on your own store is very very rare in ecommerce terms nowadays
                        I disagree, most respectable companies I buy from take my card details on their own site. When you get into the small merchant sites, you do go away to their PSPs, but that in itself tells you something about the size of organisation you are dealing with. For my company I want to be able to handle the card transactions on site, and for this PPP integration works well.

                        I also disagree with your last point. By not working with Paypal to find a solution to the 3D secure issue, they are essentially not supporting PPP in a way which makes it usable, as soon all transactions will need 3D secure integration. Whether Paypal or Actinic are to blame, I don't understand how Actinic can still promote this feature of their product, and then behind the marketing simply tell everyone not to use PPP.

                        Clearly PPP is not very popular on this forum, but using a third party PSP is not popular with me. Assuming we can achieve PCI compliance for our own network, and our hosts, then is there an Actinic solution for taking card details on site that works with 3D Secure?



                          #27
                          Originally posted by Smart:
                          most respectable companies I buy from take my card details on their own site.
                          I think you'll find that while it *looks* as if they are taking card details on their own sites, a lot are actually using a PSP custom integration.
                          Quote: is there an Actinic solution for taking card details on site that works with 3D secure?
                          No.


                            #28
                            Quote: I disagree, most respectable companies I buy from take my card details on their own site. When you get into the small merchant sites, you do go away to their PSP's, but that in itself tells you something about the size of organisation you are dealing with. For my company I want to be able to handle the card transactions on site, and for this PPP integration works well.
                            The main reason for this is that a large company has the resources to do their own compliance, and they are probably using their own dedicated server(s) to run their site.

                            The cost of compliance to a small business (CC processing inhouse) probably doesn't weigh up - thus they use PSP.



                              #29
                              Ok. I've taken a quick look at the PayPal Pro 3D integration. It requires a new process flow and integration of 3rd party 3D scripts. Nothing too onerous but definitely development work required.

                              Paypal's PCI compliance is pretty much what I thought:

                              PayPal and PCI compliance

                              PayPal adheres to international PCI (payment card industry) compliance standards for data security.† With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.††

                              If you’re using Website Payments Pro, Payflow Pro, or Virtual Terminal, consult our free guide to help ensure that you’re PCI compliant.

                              * PayPal is not responsible for PCI Compliance if you store, transmit, or process payment card information.
                              †† All card data must be stored, transmitted, and processed by PayPal and not by the merchant
                              In other words if you use paypal pro you need to ensure PCI-DSS compliance for your web server, software and anything else in the flow of card data.

                              I don't think you're going to find much support for Paypal Pro here on the forum as the vast majority are more than happy with the other options available.

                              Actinic's marketing of Paypal Pro is not something most forum members are happy with either. It's not something we tend to favour and I believe Chris Barling's statement is pretty clear that it's not something they recommend either.

                              On the other hand it is there for people who want to use it. You just have to put in a lot of work to get PCI compliance and there is no support for 3d Secure which means no Maestro cards (at present) and probably fewer card types in the future.

                              Mike
                              -----------------------------------------

                              First Tackle - Fly Fishing and Game Angling

                              -----------------------------------------

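The four-step flow Mike sketches in #24 (site passes card data on, bank runs the 3D Secure check, result comes back) and the "new process flow" he mentions in #29 are easier to reason about with the messages written out. The following is an added example, not code from Actinic, PayPal or any poster in this thread: a Python simulation of a 3-D Secure 1.0-style exchange from the merchant's side. The message names (VEReq/VERes, PAReq/PARes, XID, CAVV, ECI) are the 3-D Secure 1.0 vocabulary; the hosts, the BIN table, the shared key and the HMAC-over-JSON signing are constructed stand-ins for the real XML messages signed with the issuer ACS certificate.

```python
"""Simplified 3-D Secure (1.0-style) flow from the merchant's side.

Added example, not code from Actinic, PayPal or any forum poster. Message
names (VEReq/VERes, PAReq/PARes, XID, CAVV, ECI) are the 3-D Secure 1.0
vocabulary; hosts, BIN table, shared key and HMAC-over-JSON signing are
constructed stand-ins for the real XML messages and ACS certificate.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: key the issuer's Access Control Server (ACS) signs PARes with.
# In the real scheme this is an X.509 signature verified against the card
# scheme root; a shared HMAC key keeps the example self-contained.
ACS_SIGNING_KEY = b"constructed-acs-signing-key"

# Constructed directory: BIN -> ACS URL for enrolled card ranges.
ENROLLED_BINS = {"400000": "https://acs.example-bank.test/auth"}

# Visa-style ECI values sent with the authorisation; Mastercard/Maestro use
# 02/01/00 for the same three outcomes.
ECI_MEANING = {
    "05": "authenticated; chargeback liability shifts to the issuer",
    "06": "attempted; issuer not participating, liability still shifts",
    "07": "not authenticated; merchant keeps the liability",
}


def directory_lookup(pan):
    """Step 1: merchant plugin (MPI) asks the scheme directory whether the
    card is enrolled (VEReq -> VERes)."""
    acs_url = ENROLLED_BINS.get(pan[:6])
    if acs_url is None:
        return {"enrolled": "N"}
    # XID ties every later message to this one transaction.
    return {"enrolled": "Y", "acs_url": acs_url, "xid": secrets.token_hex(10)}


def build_pareq(xid, amount_minor, currency, term_url):
    """Step 2: the PAReq the merchant posts (via the cardholder's browser)
    to the ACS; term_url is where the ACS posts the PARes back."""
    return {"xid": xid, "amount": amount_minor, "currency": currency,
            "termUrl": term_url}


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ACS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def acs_authenticate(pareq, cardholder_passed):
    """Step 3, issuer side: the ACS challenges the cardholder (password or
    OTP) and returns a signed PARes. The challenge is simulated by a bool."""
    body = {
        "xid": pareq["xid"],
        "status": "Y" if cardholder_passed else "N",
        "eci": "05" if cardholder_passed else "07",
        # CAVV is the proof that authentication happened; empty on failure.
        "cavv": secrets.token_hex(14) if cardholder_passed else "",
    }
    return {**body, "sig": _sign(body)}


def verify_pares(pares, expected_xid):
    """Step 4, merchant side: the PARes arrives through the customer's
    browser, so nothing in it is trusted until the signature checks and it
    is bound to this transaction's XID."""
    body = {k: v for k, v in pares.items() if k != "sig"}
    if not hmac.compare_digest(_sign(body), pares.get("sig", "")):
        raise ValueError("PARes signature invalid")
    if body["xid"] != expected_xid:
        raise ValueError("PARes XID does not match this transaction")
    return body


def authorise(amount_minor, eci, cavv, xid):
    """Step 5: authorisation request to the acquirer/PSP carrying the 3DS
    results. Simulated as always approved; the ECI decides liability."""
    return {"approved": True, "eci": eci, "cavv": cavv, "xid": xid,
            "liability": ECI_MEANING[eci]}


def checkout(pan, amount_minor, currency, cardholder_passed=True):
    """Whole flow for one card payment."""
    veres = directory_lookup(pan)
    if veres["enrolled"] != "Y":
        # Not enrolled: authorise as an attempt (ECI 06), liability shifted.
        return authorise(amount_minor, "06", "", "")
    pareq = build_pareq(veres["xid"], amount_minor, currency,
                        "https://shop.example.test/3ds-return")
    pares = acs_authenticate(pareq, cardholder_passed)  # really a redirect
    result = verify_pares(pares, veres["xid"])
    if result["status"] != "Y":
        return {"approved": False, "eci": result["eci"], "cavv": "",
                "xid": result["xid"], "liability": ECI_MEANING[result["eci"]]}
    return authorise(amount_minor, result["eci"], result["cavv"], result["xid"])
```

The point the simulation makes about "who should integrate 3D Secure" is in steps 2 and 4: the PAReq goes out and the PARes comes back through the cardholder's browser, so whichever party renders the checkout page (the merchant's site, or a hosted PSP page) has to redirect to the ACS and then validate the signed result before passing the ECI and CAVV to authorisation. A merchant that accepts an unsigned or mismatched PARes, or authorises with ECI 05 without a CAVV, does not get the liability shift.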


                                #30
                                Quote: I think you'll find that while it *looks* as if they are taking card details on their own sites, a lot are actually using a PSP custom integration.
                                Can you explain this further? Do you mean they customise the PSP checkout page to have the same appearance as their own store? Do all PSPs offer checkout page customisation? Does Actinic Payments support this?
