PCI DSS 4.0 External Compliance Scan

    #16
    Yes I'm remaining with PayPal cards for as long as practical but I fear a requirement to upgrade will become necessary at some point. I believe support is removed from older versions as new ones are released.
    A race towards retirement in a few years so I'm hoping I can avoid the hassle.
    https://www.harrisontelescopes.co.uk/

    Ed Harrison - Menmuir Scotland



      #17
      Originally posted by John Ennals:
      Martin,

      This table refers to PCI DSS V3.2.1 which I understand was finally retired at the end of March, and replaced by PCI DSS V4.0. The SAQ requirements for V4.0 are different.

      I think the point Security Metrics are making, quoted in post #9 above, is that the ASV scan is NOT a future-dated requirement. It is an existing requirement that is simply being extended to SAQ A.
      Thank you, John for the response.

      Our Security Metrics SAQ A/C-VT V3.2.1 compliance certificate expires third week May 2023 at which time I will need to have completed a SAQ V4.0.

      I am waiting to see if an SAQ A V4.0 is made available in the PCI Security Standards Organisation document library so I can review the changes to be addressed ready to complete the SAQ V4.0 and if not to consider the changes as published in the Security Metrics Guide to PCI Compliance.

      Using SD V18.2.2 Sellerdeck Payments by ClearAccept

      As you have stated the ASV will be required for SAQ V4.0 so I arranged for Security Metrics to run an external vulnerability scan (out of scope for SAQ V3.2.1) in advance.

      Not surprisingly this has thrown up some failures that are receiving attention hopefully to get resolved soon.

      Security Metrics are very helpful and make available much added value.
      Martin
      Mantra Audio



        #18
        My business has a valid compliance certificate renewed 20th November 2023 by Saferpayments (my retail shop uses a terminal provided by WorldPay) so I thought we were all good until renewal.

        Website was PayPal, PayPal cards and bank transfer until we signed up to “ClearAccept” a few months ago. I now offer Clearaccept, PayPal, Apple Pay and bank transfer

        I got the first email discussed above back in March and to be honest ignored it as I thought the SAQ certificate I already hold was sufficient until November 2024 at least.

        Today I came home to a “friendly reminder” email from ClearAccept, so used the “guided” questionnaire and the result was “you are not compliant”.

        I found the questions complicated, one size fits all, and not all applicable, with no consideration for those of us that are one-man bands – it was all very “corporate” and “your organisation” with very little help, may as well have been written in Chinese…. Tiny white text on a black background is not easy to read.

        As with folk above, I find the entire process draining, 5 hours this evening after a 10 hour working day reading stuff that makes little or no sense to me.

        I never had, don’t have any of these particular issues, worries or extra work burden with PayPal, or WorldPay to date come to that.

        Since January 1st this year, there have been 135 orders placed on my website; of the 135, 5 were paid for by bank transfer, 38 chose ClearAccept and the remaining 92 preferred PayPal.

        71% of my customers choose to pay by a method other than Clearaccept, it does beg the question is all this additional work, expense and aggravation worth it ?

        To check, this evening I logged into my Saferpayments portal, I've had no email notifications of any required action. There is however a note relating to 4.0 asking me to complete "business profile" but it'll have to wait until tomorrow now !

        So am I compliant or not ? Depends who you ask it would seem.

        www.devotedly-discus.co.uk



          #19
          PCI compliance and all the associated organisations around providing their services is a mess, always has been.
          I found security metrics the easiest but they keep adding more layers of pointless hoops to jump through now.
          The only way left to completely avoid the fiasco is by only using PayPal...tempting.
          https://www.harrisontelescopes.co.uk/

          Ed Harrison - Menmuir Scotland



            #20
            Bit more positive now.

            I spoke with Saferpayments this morning, re-did my user profile and failed.

            What had changed since November 23, and I missed it, was the ditching of PayPal cards and the addition of Clearaccept, it is this that triggered the failure.

            I did a full scan using Clearaccept and got the results an hour ago – 20 vulnerabilities.

            So, called them again and spoke to a very helpful man called Alex. He did his best to explain in layman’s terms what the issues are, he took a look at the failures and said in many cases it would simply be a case of updating various “versions” from 1.1 to 1.2 for example….. sounded all rather simple, although he did say it’s not the sort of thing most people could do, and said best send the report to your “web developer”

            The report (the issues) are downloadable, which I have done, and it’s very comprehensive, (365 pages !) but crucially failures are highlighted in red and it does tell you, or whoever has the relevant skills / knowledge, how to fix it.

            Likewise he said some people would challenge the results if they felt them to be inaccurate.

            I would like to fix this without paying the fees they are quoting to “help”, but quite how the industry expects folk to understand much of it is frankly beyond me.
            www.devotedly-discus.co.uk



              #21
              ..... he took a look at the failures and said in many cases it would simply be a case of updating various “versions” from 1.1 to 1.2 for example….. sounded all rather simple, although he did say it’s not the sort of thing most people could do, and said best send the report to your “web developer”

              The report (the issues) are downloadable, which I have done, and it’s very comprehensive, (365 pages !) but crucially failures are highlighted in red and it does tell you, or whoever has the relevant skills / knowledge, how to fix it.
              I think the reference to updating various "versions" from 1.1 to 1.2 may be a reference to the TLS (Transport Layer Security) version applied on the domain server.

              I suggest you have a look through the failures on the scan report to see if there are any references to TLS 1.0 or 1.1 vulnerabilities and if so your domain host should be able to fix this by upgrading to TLS 1.2 or later.

              My domain host confirmed that they were using TLS 1.2 a while back so I did not have this failure type appear on my vulnerability scan report but I did have 9 other scan failures that are receiving attention.

              For further information on TLS standards see the guide in the link below:
              https://www.ssl.com/guide/tls-standards-compliance/
              Martin
              Mantra Audio

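The post above reads the "1.1 to 1.2" remark as a TLS version finding and suggests asking the host to confirm it. Before raising a ticket, it is worth seeing for yourself which protocol versions the domain actually negotiates. The script below is an added example, not code from the thread, Sellerdeck or any ASV. It pins one client handshake to each TLS version in turn and reports which ones the server completes; it assumes the local OpenSSL build can still offer TLS 1.0/1.1 (where it cannot, those rows read "not negotiated" because of the client, not the server). The host name `example.invalid` in the usage line is a placeholder.

```python
"""Probe which TLS protocol versions a host negotiates.

Added example for reading a scan finding about TLS 1.0/1.1 against your own
domain; not from the thread, Sellerdeck, ClearAccept or Security Metrics.
The PCI expectation encoded in pci_verdict() is: TLS 1.2 or later accepted,
TLS 1.0 and 1.1 refused.
"""
import socket
import ssl
import sys

# Order matters only for the printed report.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns True if the server completed it, False if the handshake was
    refused (by the server, or by a client library that no longer offers
    that version; the two cannot be told apart from this side).
    """
    ctx = ssl.create_default_context()
    # We are testing protocol support, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # this OpenSSL build cannot even offer the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443, handshake_fn=handshake):
    """Return {label: negotiated?} for every version in VERSIONS.

    handshake_fn is injectable so the logic can be exercised offline.
    """
    return {label: bool(handshake_fn(host, port, ver)) for label, ver in VERSIONS}


def pci_verdict(results):
    """Summarise probe() output against the 1.2-or-later expectation."""
    legacy = [v for v in ("TLS 1.0", "TLS 1.1") if results.get(v)]
    modern = [v for v in ("TLS 1.2", "TLS 1.3") if results.get(v)]
    if legacy:
        return "fail: server still negotiates " + ", ".join(legacy)
    if not modern:
        return "fail: no TLS 1.2 or later negotiated (check connectivity)"
    return "pass: only " + ", ".join(modern)


if __name__ == "__main__":
    # Usage: python tls_probe.py shop.example.invalid   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    report = probe(target)
    for label, ok in report.items():
        print(f"{label}: {'negotiated' if ok else 'not negotiated'}")
    print(pci_verdict(report))
```

A "fail" row for TLS 1.0 or 1.1 here is the same condition an ASV scan reports; a "not negotiated" for every row usually means the host or port is wrong rather than that the server is hardened, which is why the verdict distinguishes the two.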


                #22
                I also got the email with
                Friendly reminder to complete your mandatory certification with the PCI DSS
                Not really looking forward to dealing with this... we used to also use SaferPayments / Worldpay during the SellerdeckPay days.

                I kept this post bookmarked:
                https://community.sellerdeck.com/for...s-pci-dss-scan

                which will be the beginning of this task...



                  #23
                  And this morning .........
                  1st reminder for mandatory certification according to the PCI DSS


                  Merchant ID:
                  We refer to our friendly reminder to report your compliance with the Payment Card Industry Data Security Standard (PCI DSS).

                  Our records show that you have not yet confirmed your compliance.

                  As part of our regular reporting to the card organisations (such as Visa International and Mastercard International) we are required to report this status of non-compliance.

                  A data breach can leave your business open to significant losses, including; fines from the card schemes, the cost of a forensic investigation, not to mention damage to your reputation.

                  As a business accepting card payments, be it over the counter, telephone or online, this procedure is mandatory and our certification portal will help you achieve and report your compliance with the PCI Data Security Standard.

                  Important note: Compliance with the PCI DSS is a mandatory requirement as set out in your merchant agreement with us. Failure to do so may lead to non-compliance fees. These fees cannot be reclaimed, even in the event of you not receiving our reminders.
                  www.devotedly-discus.co.uk



                    #24
                    This morning a post appeared on this forum from Gary Green at Sellerdeck highlighting 3 things that need to be in place for PCI-DSS compliance. I started implementing these, when all of a sudden the post disappeared again.

                    One of the things was a Content Security Policy entry to prevent naughty people providing access to your website via an iframe on their website, and hijacking payments being made through the hosted fields in the PSP iframe on your website (at least I think that's what it was). In case it's of use to anyone else, I've added this to my .htaccess file, which apparently prevents that happening (who knows?):

                    Code:
                    # .htaccess directive; needs Apache mod_headers enabled.
                    # 'none' forbids every origin, including your own pages, from framing this site.
                    Header add Content-Security-Policy "frame-ancestors 'none';"
                    I didn't get details of the other 2 things before the post disappeared, but I do remember that none of them were highlighted as failure points in the compliance scans I've done recently. So presumably you get different scan results from different ASVs.

                    Pretty much all the advice I've had so far about PCI-DSS V4 compliance has been fragmented, inconsistent and largely incomprehensible. And in the meantime ClearAccept are supporting their customers by sending out threatening emails.

                    What a complete and utter shambles.

                    John

                    John Ennals
                    www.tortoys.co.uk


                      #25
                      I have been putting this off for a while, I am not happy with the lack of support from SD about this, I feel a bit hung out to dry.

                      The question I keep asking myself is, we don't store any payment info, all of this is handled by ClearAccept, we have no way to see the customer's card info, so why do "we need to be secure"?

                      Taken from CA website

                      Do I need to be PCI compliant if I use ClearAccept?

                      Yes, any organisation that accepts, transmits or stores any cardholder data is responsible for ensuring their business is PCI compliant.

                      I assume it's the "accepts/ transmits" part that they are getting us on ?



                        #26
                        Originally posted by John Ennals:
                        ClearAccept are introducing a mandatory, chargeable PCI compliance portal from 1st June (better late than never)...
                        Does this mean that all SD users that signed up for payments by ClearAccept now have to sign up to the ClearAccept PCI validation service including those that have been maintaining and paying for an existing more comprehensive PCI compliance service providing SAQ, ASVs, PCI Guidance, user training etc. to achieve compliance certification by other established PCI validation service providers???
                        Martin
                        Mantra Audio



                          #27
                          Originally posted by PJ ENG:

                          I assume it's the "accepts/ transmits" part that they are getting us on ?
                          Is it because the customer, when choosing SellerdeckPay / ClearAccept, enters their card details on the seller's website, as opposed (like PayPal) to being redirected?

                          PayPal is just so much more user-friendly for small business; for sure plenty not to like with PayPal, but so far at least none of this time-consuming torture.

                          It's the "being forced" from PayPal Cards to ClearAccept (or pay a ridiculous support fee increase for not signing up) that doesn't sit well with me; as a retailer for over 30 years I believe one of the key factors to keeping the door open is to offer customers "a choice" ..... pretty sure if we sold just one brand of dog food folk would shop elsewhere.

                          www.devotedly-discus.co.uk



                            #28
                            John - was it this: https://community.sellerdeck.com/for...s-pci-dss-scan

                            Plus some bedtime reading!

                            https://developer.mozilla.org/en-US/...rame-ancestors

                            https://devdoc.net/web/developer.moz...ancestors.html

                            Jonathan Chappell
                            Website Designer
                            SellerDeck Website Designer
                            Actinic to SellerDeck upgrades
                            Graphicz Limited - www.graphicz.co.uk



                              #29
                              Originally posted by graphicz:
                              Hi Jonathan,
                              No, it was a different post about 3 different issues. Of the two I missed, one was to do with "Sniffing" and the other, I think, was to do with Strict-Transport-Security.

                              John Ennals
                              www.tortoys.co.uk

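Between post #24 and the reply above, the three items from the vanished Sellerdeck post are named: a Content-Security-Policy frame-ancestors directive (so another site cannot frame your checkout and the PSP's hosted-fields iframe inside it), something about "sniffing" (X-Content-Type-Options: nosniff) and Strict-Transport-Security. The script below is an added example, not code from the thread, Sellerdeck or any ASV, that audits a response's headers for all three so you can confirm the .htaccess change from post #24 actually reached the browser. It assumes a one-year HSTS max-age as the pass threshold (a common scanner expectation, not a quoted PCI figure) and treats a legacy X-Frame-Options header as a warning rather than a pass. The `fetch_headers` helper uses only the standard library; the two sample header sets are constructed, not captured from any real shop.

```python
"""Audit HTTP response headers for the three hardening points in this thread:
CSP frame-ancestors, X-Content-Type-Options nosniff, Strict-Transport-Security.

Added example; not Sellerdeck's, ClearAccept's or any ASV's code. The
thresholds are this example's own assumptions.
"""
import urllib.request

HSTS_MIN_AGE = 31536000  # assumption: one year, a common scanner threshold


def parse_csp(value):
    """Return {directive: [sources]} from a CSP header value, quotes stripped."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return policy


def check_frame_ancestors(h):
    csp = h.get("content-security-policy")
    if csp is None:
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo in ("DENY", "SAMEORIGIN"):
            return "warn: no CSP, relying on legacy X-Frame-Options " + xfo
        return "fail: no frame-ancestors directive and no X-Frame-Options"
    sources = parse_csp(csp).get("frame-ancestors")
    if sources is None:
        return "fail: CSP present but has no frame-ancestors directive"
    if "*" in sources or any(s.startswith("http:") for s in sources):
        return "fail: frame-ancestors allows any or plaintext origin: " + " ".join(sources)
    return "pass: frame-ancestors " + " ".join(sources)


def check_nosniff(h):
    value = h.get("x-content-type-options", "").strip().lower()
    if value == "nosniff":
        return "pass: nosniff"
    return "fail: X-Content-Type-Options is %r, expected nosniff" % value


def check_hsts(h):
    value = h.get("strict-transport-security")
    if value is None:
        return "fail: Strict-Transport-Security missing"
    max_age = None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return "fail: unparsable max-age in %r" % value
    if max_age is None:
        return "fail: HSTS has no max-age"
    if max_age < HSTS_MIN_AGE:
        return "fail: max-age %d below %d" % (max_age, HSTS_MIN_AGE)
    return "pass: max-age %d" % max_age


def audit(headers):
    """Run all three checks; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "frame-ancestors": check_frame_ancestors(h),
        "nosniff": check_nosniff(h),
        "hsts": check_hsts(h),
    }


def fetch_headers(url):
    """HEAD a live URL and return its headers. If a header is repeated (as
    'Header add' can cause), the last copy wins here; check for duplicates
    separately if you rely on that directive."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(hdrs))
    # Live check, placeholder URL: audit(fetch_headers("https://shop.example.invalid/"))
```

Run it against the checkout page rather than the home page: the frame-ancestors rule only matters on the page that actually contains the PSP iframe, and per-directory .htaccess files can give different pages different headers.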


                                #30
                                Originally posted by Mantra:

                                Does this mean that all SD users that signed up for payments by ClearAccept now have to sign up to the ClearAccept PCI validation service including those that have been maintaining and paying for an existing more comprehensive PCI compliance service providing SAQ, ASVs, PCI Guidance, user training etc. to achieve compliance certification by other established PCI validation service providers???
                                Yes, I believe so.
                                John Ennals
                                www.tortoys.co.uk
