Announcement

**Mantra** · 14-May-2024, 11:21 AM

Originally posted by 4children2enjoy View Post

We are making progress with resolving the problems flagged up by the ClearAccept PCI scan...

Hello Andy
I haven't come across the vulnerabilities you mention but would just like some clarification on your opening statement.
Was your scan actually undertaken by ClearAccept or some other ASV?

**graphicz** · 14-May-2024, 04:24 PM

Well Clearaccept is the gift that keeps on giving. It seems shared hosting is not PCI compliant which might rip the guts out of my reselling business.

Sellerdeck hosting is on shared platforms, can anyone hosting with them do a PCI compliance check to see if they are compliant?

**4children2enjoy** · 15-May-2024, 07:51 AM

Our scans are being carried out ClearAccept Payment Guard. We use Sellerdeck 8.2.2.

We had only three vulnerabilities, the first regarding the DB subfolder, and the second requiring upgrading to Jquery 3.5.1 - see Gary's post "Sellerdeck site fails PCI-DSS scan".

Gary's post "HTTP Headers required for PCI Scan Compliance" was also very helpful.

The third vulnerability is still outstanding - see above. We are hoping to persuade Clear Accept that it is a false positive.

ClearAccept PCI compliance seems to be just another annoying hurdle to overcome. It is nowhere near as hostile as Worldpay PCI compliance used to be.

**graphicz** · 15-May-2024, 08:08 AM

Thank you Andy

**Mantra** · 15-May-2024, 09:40 AM

Originally posted by 4children2enjoy View Post

Our scans are being carried out ClearAccept Payment Guard. We use Sellerdeck 8.2.2.

Thank you Andy for the confirmation.
The only information I received from ClearAccept was dated 28 March and this concerned the setting up of the PCI Compliance Validation Service from 1 June and as far as I can see there was no mention of a ClearAccept ASV being made available.
The communication from ClearAccept stated

From 1st June, you can contact our PCI Compliance Validation Service team directly by calling ### ### ### ####

I called the number today and was surprised to get though to speak to a person who was helpful in checking out the position with ClearAccept customer services.
During the call I was informed that the ClearAccept ASV would not be available until I get access to the online portal after login detail email(s) scheduled to be sent out later this month have been received.
That's really useful to know as our existing PCI compliance SAQ expires on 23 May so I need to have a passing SAQ and vulnerability scan completed by this date to maintain compliance!

**graphicz** · 17-May-2024, 01:00 PM

For your interest...

I have opened a reseller account with Brixly which is PCI compliant hosting.

One of my customers has moved onto it and their PCI scan is now:

Overall PCI Status PASS

Yay

It is quite affordable too. Visit Brixly

Click image for larger version Name: pcidss-240.jpg Views: 0 Size: 9.1 KB ID: 557162

**mje** · 21-May-2024, 08:23 AM

Finally compliant, best part of 3 weeks after 1^st scan and 5^th one last Friday.

No way could I of waded through the complexities of this myself,

However, ticket with Sellerdeck, a minor adjustment to something in the site folder as a result made sure the software side of things were good, and a massive shout out to Jonathan @ graphciz for very pro-actively sorting the server side of things.

All hoops jumped thorough for now, but no doubt more rolling this way.

**4children2enjoy** · 23-May-2024, 06:16 AM

Yes, we are also now complaint via the ClearAccept scan.
ClearAccept were very helpful on the phone.

**graphicz** · 23-May-2024, 01:24 PM

I have written a review article at https://www.graphicz.co.uk/blog/pci-...y-clearaccept/

Please feel free to send feedback and if I have left anything out or got anything wrong please let me know and I will amend it with acknowledgement.

Thank you!

**Buzby** · 23-May-2024, 05:58 PM

I have never been asked to scan before, and now I am.

is it where PCI has become stricter, or is it the way ClearAccept works?

**graphicz** · 24-May-2024, 08:12 AM

Hi Jason. See my article as above:

With Sellerdeck Pay by ClearAccept your website customer enters their card details in the last checkout page of the Sellerdeck website. This change means that the Sellerdeck Website and its hosting needs to be PCI compliant.

**mje** · 24-May-2024, 08:36 AM

Slightly off thread topic, but other than a bit of text is there a way to convey to visitors that your payment gateway is PCI DSS complient to lastest standard ?

I assume adding the PCI DSS logo would infringe copyright ?

**Buzby** · 28-May-2024, 02:53 PM

That was easier than I was expecting.

Many thanks to those who posted, and Jonathan for his guide.

**graphicz** · 30-May-2024, 07:06 AM

mje Lots of companies use the logo with an explanation. I cannot find an automatic compliance badge.

https://maceinnovations.com/trust/ does this for example - just got to keep it current:

Click image for larger version

Name: pcidsscompliant.jpg
Views: 205
Size: 73.2 KB
ID: 557206

**graphicz** · 31-May-2024, 11:10 AM

Please can someone point me to a thread about Clear accept fields not appearing?

Thank you!

Announcement

PCI DSS 4.0 External Compliance Scan

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment