Actinic SSL expiry


    A customer of mine was recently invoiced for a year's Actinic SSL. As this service will soon be discontinued, the customer is implementing a self-certified PCI compliant alternative instead and only wishes to pay for the period of SSL service that will actually be used.

    Actinic encouraged the customer to switch to Actinic Payments instead, which we don't intend to use. The question is, how can Actinic Software charge for a year's service that everybody knows will soon be cancelled anyway?

    Has anyone ever received a rebate or credit for the unused portion of their Actinic SSL annual service?

    Thanks!

    #2
    Most users of Actinic Shared SSL who are still processing card details themselves should be grateful for this stance. It's true they might waste a few months' payment (if they choose not to take Actinic up on the alternatives), but this will pale into insignificance if any of them ever get fined for failing PCI guidelines. These are 3 year old guidelines now, with hundreds still not complying. I think the industry (and I see Actinic as part of that label) now needs to take steps to try and make it impossible to trade unless within the regulations, as too many loopholes can be exploited by lazy, complacent or just badly informed and up to date people, and more importantly - the online crooks themselves.

    You certainly used to get a rebate for the pro rata part against their next service you took out; I can't see why they'd have changed that. If you move away and take no alternative solutions, I don't expect that a refund would be the norm there, unless it was literally days or just a few weeks since you bought it.



      #3
      Hi Alan

      This is a very sour subject with us as well. Actinic are hard on the decision that they will not refund or credit any unused hosting time.

      I have to disagree with a few of your points Lee, you are being very technical about it. Have you had a chat with your bank or Sage Pay lately about what the requirements are for PCI DSS systems? They don't really have a clue themselves, and after spending a considerable time on the line with Sage Pay, they don't really have a clear idea what the rules are either. When you are a real company, running multiple warehouses and having to use deferred payments as the only option because you cannot guarantee that your items are in stock and it's against the law to take money for items out of stock. This makes things very difficult for the business. Then you have the issue that if you take payments over the phone you need a different MOTO account to your online one. Then you need another MOTO account to handle deferred payments. Then, to make matters even worse, Actinic restricts you to Actinic Payments only if you want to use deferred payments, as they have not built VSP Direct into any other payment gateway. On top of that issue, say you don't use Actinic to process your orders as it can't handle the amount of orders. Actinic Payments doesn't work with third party integration, so you are back at square one with PCI DSS compliances that are not set with real businesses in mind. It really makes me cross when people rant about this system, it's just a new phase to make some more money on technical issues that people don't understand.

      Ok after that little rant, anyone got any suggestions for us?
      Shannon
      Big Game Hunters


        #4
        Hi Shannon, I can certainly relate to the problem with all the confusion and getting some concise info without other companies jumping on the bandwagon trying to make a pound. But that doesn't excuse head in the sand tactics surely. It's clear with Actinic that you need to use a PSP to process payments and not touch the details yourself - there is no confusion whatsoever in that area now.

        By just doing that, you will be almost there. I don't subscribe to the idea that because you're not fully sure what to do, then do nothing; there's enough help and guidance out there now.

        I disagree about it being a money making ploy, far from it. Just a few years ago I could receive a snapshot from a client with thousands of orders included, all the address details and card details I could ever need if I wanted to commit a fraud. A database of card details and people's addresses you might say. A wise criminal could have set up an Actinic design agency and within 2 years have probably 10-50,000 examples of this data. People writing card details on pieces of paper that then get thrown in the bin once the transaction is complete, yet again another bad one. You simply cannot combat fraud if you don't take difficult steps towards stopping those kinds of loopholes.



          #5
          Hi Lee

          Fully agree with you from that front, as a web developer it's a different ball game altogether. I'm just really ticked off with how this whole thing has been handled. We have had the bank manager in at least 3 times trying to explain it to us. We've had Actinic and Keystone Software and Sage Pay trying to work out the best solution to no avail. In the end we've just had to go with Sage Pay with charge transaction immediately and handle the refunds as we go. Our bank manager just turned around and said that he has no idea really and we must just make it as secure as we can. I don't mind being PCI compliant, the idea itself is good. But the implementation has been unbelievable, and I have to say people that run mid to large businesses in our sector are all complaining about the same thing.

          It's just interesting to hear how other people are handling the switch. Companies like Sage Pay and Actinic should have been more prepared, and the banks need to get their heads around what they are actually asking us to do.

          Sorry for the rant. Just angry that no one that should know really has any proper answers for us.
          Shannon
          Big Game Hunters


            #6
            You're certainly not ranting, you make some really good points. I think the info and confusion from all parties has been the problem; it seems such a difficult area to manage with so many different companies and viewpoints in the mix. What they're trying to do is right, it's the way in which it's been done that is the real issue. It's an area where confusion reigns supreme.


              #7
              My own 2p worth,

              Another customer of mine uses HSBC Secure Payments, which works happily with Actinic. On their behalf I handled a 90 minute phone interview with Security Metrics in Utah, USA, who talked me through an online questionnaire step by step, watching at their end while I was led through the process and ticked the necessary boxes guided by them. My customer has several such ECommerce accounts that Security Metrics helped to group under one 'account' for PCI DSS compliance. They couldn't have been more helpful actually. The cost of compliance was £9.99.

              A key part of gaining compliance (which we did) was the concept of 'future promises', ticking Yes that you agree to comply with certain outstanding issues by the next renewal. Things started off easily enough but became more complex, due to the customer also having a retail store for processing CC's in person. So I have staff training and written manuals to sort out too. Security Metrics have sent a typical staff manual.

              We can write CC details down on paper and certify that they are not stored and get shredded immediately after use; we certify that all details are locked away and are transported securely when everything is under lock and key, and that access to PCs etc is restricted and controlled and that the PCs are secure. Even the Chip & Pin machines (quoting brand & model numbers) had to be certified. And so on.

              The thrust of it all is that if a data breach is discovered (by them) and it's down to poor housekeeping (infringement of PCI DSS) then the merchant can be hit for all losses.

              I don't blame the industry for a long overdue tightening up of procedures and security, but it's gone from one extreme to the other. The result is a mini ISO9000-level quality standard to work with, which will be beyond the average Joe (or Jo). It's only because I worked in ISO standards that I'm comfortable implementing a documented quality system anyway, which is almost what PCI DSS is. I feel a new career coming on...

              What I have a real problem with is the principle of Actinic Software recently billing one of my customers a full year for something that they cannot deliver after October anyway, then trying to shunt them onto Actinic Payments. I think that is very poor, as Actinic had generally been very reasonable with e.g. initial setup support and generous levels of email support afterwards. I would have no problem paying for SSL up to (say) October.

              I am sure this will end in a row (later today probably).

              Cheers!
              Alan
