I am now running PayPal commerce platform for all website payments, does that potentially mean I can ditch the awful PCI compliance fiasco going forward?
-
-
Hi Ed,
I believe you will still need to complete the appropriate forms; however it should be simple.
We do not capture or hold any card details (all telephone orders are processed by the customer through our billing system online) and we still need to complete the appropriate forms and run the scans.
There is more information here - https://www.sellerdeck.co.uk/sellerd...on-compliance/
-
Thanks Josh, would have been nice to avoid all that each year and the quarterly scans!Comment
-
Definitely, it does feel like a tax to be honest.Comment
-
If you do not process or store any credit card data on your systems then I would question the need to have quartelry scans when all card payments are processed through a third party payment service provider that has to maintain its own high level of PCI DSS compliance.Originally posted by EdHarrison View Post
Martin
Mantra Audio
Martin
Mantra AudioComment
-
I think it maybe the names, addresses and contact details but will check with security metrics before they fleece me againComment
-
Yes it is worth checking out and could save you money if you can opt out of the GDPR assessment.Originally posted by EdHarrison View Post
I noticed this about 3 years ago when my payment for the PCI compliance renewal more than doubled without any prior notification or explanation.
This co-incided with the implementation of the GDPR and I did wonder then why suddenly GDPR compliance had been wrapped up under the PCI compliance umbrella, particularly as this was already covered by requirements for registration with UK ICO and I had put a lot of time and effort into re-configuring our systems to ensure the security of personal data (order, names, addresses etc.) that we are legally obliged to retain for tax records.
I ran the PII scan just once and it did pick out some false positive data on what appeared to be credit card or NHI numbers and US Health record numbers which was re-assuring as we do not knowingly hold any such data on our systems and have no intention of so doing.
If you do not retain any data of the type that the scans are searching for then they should not be needed.
The PII scan is not the same as a PCI vulnerabilty scan which should not be required when you use a third party payment service provider but you will still need to complete the PCI assessment questionaire.
MartinMartin
Mantra AudioComment
Comment