Announcement

**cbarling** · 29-Jan-2011, 08:44 AM

It's not easy to tease out exactly what is required, but we (Actinic) ran our advice past the PCI DSS teams at a couple of banks before we published it. Compliance is your responsibility so if you interpret the rules differently, that's up to you.

The scan required is only an external scan. That is, the external scan tries to see your internal network and provided you have an external firewall turned on it will see nothing and job done.

The reason for doing more if you enter card details through a terminal within your own local LAN is because a piece of rogue software sitting on your own PC has the possibility of capturing card data as you enter them into a web form. In contrast, the card details from web orders aren't concentrated on any one PC.

Hope that makes sense.

Chris

**mgm** · 29-Jan-2011, 01:17 PM

Chris, I understand what you are saying. You're considering the possibility of something like a keylogger being present on my PC, capturing card details as they're manually typed in. That could be countered by having anti-virus / anti-malware software installed on my PC, as it already is.

So are Actinic interpreting the following PCI SSC's SAQ Form C requirements:

"Such merchants validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that: Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);

as "a payment application system" = Actinic's eCommerce software on the merchant's PC, rather than a standalone card reading terminal or separate virtual terminal?

If I complete a SAQ Form C or A and the Attestation, what do I do with the Form? Who do I send it to?

**Neil Bayton** · 31-Jan-2011, 04:02 PM

Actinic.co.uk PCI-DSS

Hi,

Here at Actinic we take internet payments and MOTO payments. I took advice from Security Metrics and used this with my understanding on the PCI-DSS guidelines ( Yes they can be confusing, your argument for your understanding should be a strong one however )

Because Actinic.co.uk uses a PCI-DSS compliant payment service provider ( Actinic Payments ) then the internet payments are compliant.

We also take MOTO payments and this required a network scan to determine if we had a robust and secure connection to the internet ( I.E. no vunerabilities which could allow access to the machines being used to input MOTO card details ) We passed this and completed the SAQ 1.2. We were then certified as being PCI-DSS compliant.

One thing I picked up on was your proposed practice of taking credit card details down on the phone and entering them on your website. This does not constitute as an internet payment and an authorised CNP terminal is recommended.

Rgds
Neil Bayton
Admin Manager

**mgm** · 01-Feb-2011, 04:07 AM

Neil,

Thanks for your reply. Regarding my proposed method for taking MOTO card payments, which you picked up on. I'm not intending entering card details which I will receive by phone at my website, I will be entering them directly into the Actinic Payments secure payments page within my Actinic v10 eCommerce application. I thought this was the normal practice for taking CNP MOTO card payments rather than through a standalone CNP virtual terminal and this counts as an internet payment, doesn't it? I thought that was the way you just described Actinic's method for taking MOTO orders. Actinic's website states on the Actinic Payments page, "Take mail or telephone (MOTO) orders without going to a virtual terminal"

Can you please advise me what I do with a completed SAQ Form and Attestation? Do I submit it to PCI Security Standards Council or who?

**Golf Tee Warehouse** · 01-Feb-2011, 09:05 AM

Originally posted by mgm View Post

Can you please advise me what I do with a completed SAQ Form and Attestation? Do I submit it to PCI Security Standards Council or who?

Who you submit to will usually depend on who your merchant bank account is with. We use Streamline who use a company called 'Arsenal Security Group' to deal with the PCI.
I also take MOTO payments so have a quarterly scan of my network using the McAfee Secure PCI scan (free for 12 months) and upload the result (a pdf summary) to the Arsenal website. The SAQ is also uploaded once a year.

Your bank may have similar requirements or might simply state that you shoudl be compliant (by completing the questionnaire and scan where necessary) but not submitting it, although they might in future request proof of your compliance.

I would check with your merchant bank or tells us who you use and someone here might be able to tell you.

**mgm** · 01-Feb-2011, 01:41 PM

Thanks for the PCI-DSS SAQ information. I use Barclays Merchant Services. Digging through some recent mail from them I have found a note which says they have assessed me as a Level 4 merchant and that reagrding PCI-DSS compliance I should either enlist the help of Security Metrics (at Barclays negotiated preferential rates) or independently complete a SAQ and that I should also get a quarterly network vulnerability scan. No request from Barcalys to actually see the completed SAQ Form though.

**Mike Hughes** · 01-Feb-2011, 02:56 PM

With Secruity Metrics you now complete the forms online and they then validate the PCI-DSS compliance.

Mike

**mgm** · 01-Feb-2011, 05:16 PM

I've just had a very helpful discussion with SecurityMetrics about my PCI-DSS compliance. They are partnered with my acquiring bank, Barclays and could offer preferential rates, �11.99, for arranging my PCI-DSS compliance for me.

I answered a number of questions about my business setup over the phone and they confirmed that If I was going to take MOTO card payments, I would be required to complete SAQ Form C-VT for my office setup, which is a single PC using Actinic v10 eCommerce software and using Actinic Payments as my PSP. I queried whether using Actinic Payments through v10 eCommerce software qualified as being a Virtual Terminal under PCI-DSS rules and they confirmed it would be. We don't use any other card readers or Virtual Terminals.

MOTO card details would only be received over the phone, typed into the secure Actinic Payments webpage directly or possibly temporarily written on paper until typed in, then shredded immediately after use and not stored anywhere on my system.

Security Metrics has comfirmed that I would not need annual or quarterly website scans and neither would external office network vulnerability scans be necesasry, due to my single PC office setup combined with Actinic Payments for all card transactions. Although SecurityMetrics offered to do one for approx �74. (However, I noted that there is a free external vulnerability scan available on SecurityMetrics website, so why pay the �74).

All I need to do now is complete the emailed questionaire they've sent me and they will confirm I'm PCI-DSS compliant, they will notify my bank that I'm PCI-DSS compliant for me and will send me a certificate and logo to post on my website, all for �11.99 (no VAT). I think that's a very good deal. Job done!

All I need to deicde now is whether it's actually worth taking MOTO orders because of the increased risk of chargeback on fraudulant transactions, as CNP MOTO transactions cannot be authenticated by 3D secure, only validated by AVS and CSC/CVV2. It might be best to just stick to eCommerce online transactions only for peace of mind, but at least I'll be PCI-DSS compliant if I do decide to take MOTO orders.

Thanks for all your help guys! I hope this info helps others too!

**Mike Hughes** · 01-Feb-2011, 05:24 PM

Security Metrics has comfirmed that I would not need annual or quarterly website scans and neither would external office network vulnerability scans be necesasry, due to my single PC office setup combined with Actinic Payments for all card transactions.

I'm not convinced this is correct.

Your PC is connected to the internet and is a vulnerable element in this scenario. As I understand it you will need your computer network connection to be scanned for vulnerabilities.

Mike

**mgm** · 01-Feb-2011, 06:21 PM

Mike,

I thought that was the case too but the person I spoke to at SecurityMetrics said it would not be necessary. I just called them back to verify this and we went over my setup again and I queried the need for an external vulnerability scan. The answer was the lawyers have decided recently in the latest PCI-DSS standards that a standalone PC connected to the internet and not networked to any other office PCs does not require a vulnerability scan. I queried what if a keylogger was hidden on that standalone PC? The answer was under the latest rules and the fact that I'm using a third-party PSP i.e. Actinic Payments for all card transactions and we don't use any other virtual terminals or card readers, a scan is not required and we are definitely SAQ C-VT not straight SAQ C. I queried that too because the PCI-DSS website says Form C-VT would not be applicable to eCommerce businesses (we accept eCommerce online payments as well as MOTO), but the answer again was our business setup and the use of a third party PSP puts us in that classification. Maybe if a business uses other card readers, has an office network and uses other virtual terminals, that would move you into the straight SAQ Form C classification. It does seem that the classification is highly dependent on each business's setup and it's not 'one size fits all'.

Thinking about it, it also makes sense because the external vulnerability scan wouldn't detect a keylogger either if the firewall blocked it. However, I agree that a port attack on an unprotected PC could be vulnerable to outsiders gaining access to the PC. However, if no card details are stored on the PC (other than possibly captured by a keylooger which could be accessed via a Port attack) there is no potential vulnerability/access to purchasers card details. We are double firewalled running Internet Security with antivirus/antimalware software. It's strange that SecurityMetrics PCI-DSS requirements don't ask about firewalls and antivirus software though. (Or maybe they do, I haven't filled in the SAQ Form C-VT yet)

**Mike Hughes** · 02-Feb-2011, 09:04 AM

Hi Martyn,

That's interesting. It just shows how rapdily these things change. Hat's off to Security Metrics for telling you this and not saying you needed the �74.99 scanning.

I assume the thinking behind this is that if the PC has a proper firewall and anti-virus installed then that should pick up any keylogger type software before it has the chance to do much damage. As long as there's nothing else on the network, then there's nothing that could sniff the data on the network so it's as secure as it needs to be.

You will be asked to certify the Firewall and AV software on the SAQ. Nothing too complicated though.

I do have more than just the one PC on the network, so will continue to need my quarterly scan.

Mike

PS. Slightly off topic, but relevant to the single PC topic. It's worth considering the implication of just having a single PC available. We all start out this way but you need to think about what will happen when things go wrong with it (and they will). Make sure you have a good plan for backups and what you're going to run them on if the PC stops working.

**mgm** · 02-Feb-2011, 01:59 PM

Hi Mike,

Yes, I've completed the SAQ Form C-VT and I'm now PCI-DSS compliant. There were indeed a number of questions on the form related to my firewall and antivirus arrangements.

Yes, you're also right about the need for a backup PC. There is one available (not networked at present) and we are and will be making regular backups.

Good to share the knowledege on this forum.

Regards,
Martyn

Announcement

Actinic's Advice Regarding PCI-DSS Compliance Appears Incorrect

Actinic's Advice Regarding PCI-DSS Compliance Appears Incorrect

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment