Sellerdeck Community & Knowledge Base

  #1  
Old 20-Oct-2009, 07:41 AM
cbarling cbarling is offline
Administrator
Join Date: Nov 2002
Full Name: Chris Barling
Posts: 904
Thanks: 7
Thanked 51 Times in 31 Posts
PCI DSS Compliance

We've updated our advice and information on PCIDSS at http://www.sellerdeck.co.uk/index.php/ecommerce-services/category/pci-dss-compliance

Chris
__________________
Co-founder, SellerDeck

Ecommerce web site by SellerDeck
  #2  
Old 08-Nov-2009, 11:59 AM
printerbase printerbase is offline
Registered User
Join Date: Jun 2003
Full Name: Peter Knight
Posts: 166
Thanks: 1
Thanked 9 Times in 7 Posts
Chris,

I've read the updated response from Actinic and from what it says I fall into this category:
Quote:
If you take card payments for ecommerce orders using the web page of a compliant PSP, and also use the compliant PSP's web form for taking mail order related payments, you must get an external scan of your office network (to make sure hackers can’t get in from outside) and you are required to run a virus checker on every PC. You are a SAQ validation type 4, and need to complete SAQ form C.
But when I go to complete SAQ form C I get stuck with "Part 2d. Eligibility to Complete SAQ C", the second statement:
Quote:
The payment application system/Internet device is not connected to any other system within the merchant environment.
I am interpreting this as meaning the PC that I am using to enter card details on our compliant PSP's web form for mail order payments must be standalone and not connected to the server in our office or any other PCs. Which means, as all our PCs are networked and connected to a server, we can't complete SAQ form C.

Is this correct or did you interpret it differently?

Peter
  #3  
Old 08-Nov-2009, 03:36 PM
cbarling cbarling is offline
Administrator
Join Date: Nov 2002
Full Name: Chris Barling
Posts: 904
Thanks: 7
Thanked 51 Times in 31 Posts
I read it differently. The payment application isn't connected to your environment any more than it is connected to every other device in the world that is in turn attached to the Internet. From my discussions with the PCI DSS teams in the banks, I believe that this is how they interpret it too.

Chris
__________________
Co-founder, SellerDeck

Ecommerce web site by SellerDeck
  #4  
Old 16-Nov-2009, 02:14 PM
acompton acompton is offline
Registered User
Join Date: Feb 2006
Full Name: Alan Compton
Posts: 980
Thanks: 0
Thanked 2 Times in 2 Posts
Here's an interesting list of validated service providers (dated 3/11/09):
http://www.visaeurope.com/documents/...dss.pdf?011009
  #5  
Old 29-Nov-2009, 05:47 PM
orcahouse orcahouse is offline
Registered User
Join Date: Oct 2005
Full Name: Tom Riddell
Posts: 95
Thanks: 13
Thanked 9 Times in 6 Posts
Had a letter from RBSWorldPay re PCI DSS compliance so just getting my ducks in a row. Reading the advice in the Actinic link above, I think I come under validation type 3 as we only link to Sagepay and take PDQ payments for those that think the telephone is more secure!!!!! Can someone confirm that I only have to complete SAQ form B or do I have to complete form A as well to cover the Sagepay bit? Many thanks.

Oh, by the way I think the link to the Visaeurope site in Alan's post should be:

http://www.visaeurope.com/documents/...dss.pdf?191109
__________________
www.silvermoonbeads.com - Gemstones, Pearls, Hill Tribe sterling silver, Swarovski and Findings.
  #6  
Old 11-Dec-2009, 02:10 PM
trafford trafford is offline
Registered User
Join Date: Oct 2009
Full Name: dave kelly
Posts: 154
Thanks: 0
Thanked 1 Time in 1 Post
I'm a bit baffled here, so no surprise to some of you . . . as none of these people issuing information for PCI DSS compliance are members of the Plain English Society . . . . . I have come to the conclusion we're level 4: we process some card payments through the Actinic Payments site for MOTO transactions with the virtual terminal, and we have a Streamline terminal downstairs for regular transactions into which we can also manually input card details - so we have the customers' CC/DC details on paper.

So we need to
Quote:
•Submit a completed annual Self Assessment Questionnaire
and get the network tested by someone (they, RBS, suggest Arsenal but I'd like to know if this is recommended or someone else).

Then do we need to get a certificate or some sort of assessment for the office where all records are kept, and who does this?
  #7  
Old 11-Dec-2009, 02:15 PM
trafford trafford is offline
Registered User
Join Date: Oct 2009
Full Name: dave kelly
Posts: 154
Thanks: 0
Thanked 1 Time in 1 Post
This bit too:

Quote:
•Complete an External Vulnerability Scan at least annually. An Approved Scanning Vendor (ASV) will carry out vulnerability scans –
Then somewhere else it said quarterly or until compliance has been achieved, or words to that effect - which means what? You don't need any more scans once you're certified?

I'm gonna be certified by the time I get through this . . . .
  #8  
Old 11-Dec-2009, 03:04 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 8,029
Thanks: 272
Thanked 466 Times in 411 Posts
Vulnerability Scans need to be done quarterly.

Whoever is doing the certification will need to see the Questionnaire and Vulnerability scan results. Obviously the easiest way is for them to do it all. HSBC use Security Metrics as a recommended vendor (at a big discount) for this, and with them you can complete the questionnaire online and run the scans automatically.

I've no idea how the other companies are doing this.

Mike
  #9  
Old 11-Dec-2009, 03:11 PM
trafford trafford is offline
Registered User
Join Date: Oct 2009
Full Name: dave kelly
Posts: 154
Thanks: 0
Thanked 1 Time in 1 Post
Cheers Mike, I take it you must have looked into paying for scans from independents then? I found their approved list of people but I didn't want to start making enquiries with them yet until I knew I wasn't setting anything up that wasn't required.
  #10  
Old 11-Dec-2009, 03:27 PM
cbarling cbarling is offline
Administrator
Join Date: Nov 2002
Full Name: Chris Barling
Posts: 904
Thanks: 7
Thanked 51 Times in 31 Posts
If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.

Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.

Chris
__________________
Co-founder, SellerDeck

Ecommerce web site by SellerDeck
  #11  
Old 11-Dec-2009, 03:30 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 8,029
Thanks: 272
Thanked 466 Times in 411 Posts
I did quickly look at the independent testers. The trouble was that they all looked more expensive than the Security Metrics deal of £74.99 / year so in the end I just went with that.

Mike
  #12  
Old 11-Dec-2009, 03:34 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 8,029
Thanks: 272
Thanked 466 Times in 411 Posts
Quote:
If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.

Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.
This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.

Mike
  #13  
Old 11-Dec-2009, 03:41 PM
trafford trafford is offline
Registered User
Join Date: Oct 2009
Full Name: dave kelly
Posts: 154
Thanks: 0
Thanked 1 Time in 1 Post
Mike, RBOS have quoted me about £80 per year for quarterly scans so I guess it's about right; how long do they go on for though? I still don't understand the quote of 'quarterly scans until compliance has been achieved'.

Chris, we take orders over the phone downstairs and I also take orders up in the office; they have to be written down as it's not always possible to process it there and then. I also use Actinic to make invoices for products I know are on the site, and if not I create dummy products with a title and a price, which only takes seconds, to create an invoice. Either way we write the customers' CC/DC details down.
  #14  
Old 11-Dec-2009, 03:42 PM
trafford trafford is offline
Registered User
Join Date: Oct 2009
Full Name: dave kelly
Posts: 154
Thanks: 0
Thanked 1 Time in 1 Post
Quote:
This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.
How do you do this? Surely that's not that SAQ C form I've filled in?
  #15  
Old 11-Dec-2009, 04:01 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 8,029
Thanks: 272
Thanked 466 Times in 411 Posts
Quote:
How do you do this? Surely that's not that SAQ C form I've filled in?
Requirement 9.

https://www.pcisecuritystandards.org/docs/pci_saq_c.doc

Mike