
Sellerdeck Community & Knowledge Base

28-Jun-2010, 10:12 AM
fergusw
Registered User
Join Date: Mar 2004
Full Name: Fergus Weir
Posts: 1,584
Thanks: 75
Thanked 111 Times in 91 Posts
Originally Posted by cbarling:
The problem seems to arise from people with too little training and too much incentive to find issues.
I wholeheartedly agree with that statement.
I've given up counting the number of times we've had to reassure people and restate the facts regarding PCI compliance and the "security" scans undertaken by 3rd parties (for a fee).

I liken these scanning companies to the marketeers promoting hygiene products, i.e. the ones who suddenly inform you that the soap pump dispenser you've been using happily for years without any negative health impact is suddenly BAD for you and full of bacteria and you MUST buy the hands-free dispenser.
E.g. suddenly the server or network systems you've had running happily (that had previously passed all their scans) are no longer secure as a *new* vulnerability has been discovered.

I completely subscribe to ensuring maximum protection and security and recommend a belt and braces approach to dealing with data protection and card information, however a not-for-profit body operating for the benefit of the consumer would be a much more reliable source of what is and what is not compliant as opposed to these kind of "scary" warnings and alerts.

On another note, when someone breaches the PCI requirements they are supposed to be penalised? Also, if a company that breached the standards was accountable for £millions and hundreds of thousands of transactions daily, you would hope that the PCI authorities (VISA, Mastercard) would make some kind of stand?
I had to laugh when WorldPay (RBS) were not PCI compliant last year and amazingly nothing seemed to happen to them. No Charge. No Fee!

It's enough to make you cynical.
26-Nov-2010, 04:38 PM
totalweb
Registered User
Join Date: Nov 2010
Full Name: Simon Lowe
Posts: 6
Thanks: 4
Thanked 0 Times in 0 Posts
As a UK payment gateway we have to adhere to PCI Level 1 compliance and perform regular scans, both internally and externally, to make sure our systems remain compliant in the eyes of the card industry/PCI DSS. We have used ECSC for our accreditation for the last few years and have found them to be a lot more fair and accommodating compared to some other QSAs (Qualified Security Assessors) who seem to be on a power trip.

It seems wholly unfair that smaller independent payment gateways such as ourselves should have to adhere to these standards (or face huge fines) whilst larger providers continue to get away with not following the same standards and are awarded leniency for not following the rules and guidelines set out in the industry.

The same thing happened when the card industry introduced 3D Secure. They set a deadline for compliance which time and time again was ignored by the bigger online retailers but nothing was done.
Payment Gateway 300 transactions per month just £10 (10p/trans if over 300)
No Setup Fee - No Charge for Declines - PCI Level 1 - Integrates easily with Actinic - Virtual Terminal option - UK Support
11-Feb-2012, 04:04 PM
smileeej
Registered User
Join Date: May 2008
Full Name: Jerry Cripps
Posts: 41
Thanks: 1
Thanked 5 Times in 1 Post

I have recently spoken to Security Metrics due to HSBC changing to Global Fortress (this is just a billing change really, as they still use Security Metrics and all the systems are exactly the same).
I raised a concern about the quarterly scan they run because I have a dynamic IP address and they always run the test on the same IP address.
I have mentioned my concern to them on several occasions in the past, starting back in 2008 when I first signed up with them, but they seemed to think all was OK; they ran the tests, which passed, and so I have been compliant up until now!!

After 2 1/2 hours on the phone to different people I convinced them that they did need to change the IP address to the one that I was on in order for the test to be run correctly. They ran the scan which I promptly failed!!

I am now non-compliant, I should have kept my mouth shut!!!

Anyway, this got me thinking: are there any others out there in the same position as me, in that Security Metrics are running useless scans?
Even if you have a fixed IP, will the tests still pass if your equipment is not turned on, as Security Metrics could run the scan at any time of the day?
How good is the actual test they run, and can anyone understand what the scan results mean when you fail?


17-Dec-2012, 11:08 AM
JakeRoberts
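The post above describes two ways an external PCI scan can "pass" without telling you anything: the scanner keeps targeting an IP address you no longer hold, or it scans the right address while your equipment is switched off and nothing answers. The following is an added example (not from this forum, Security Metrics or Sellerdeck) of how a merchant could keep a record of their own public-IP history and check each scan result against it. The `ScanRecord`/`IpLease` types, the status labels and the scan history are all constructed for illustration; the `hosts_responding` field is an assumed summary of what a scan report shows as "alive" at the target.

```python
"""
Cross-check external PCI scan results against the merchant's own record of
which public IP address was in use when each scan ran.

Added example with constructed data; the IP addresses are from the
203.0.113.0/24 documentation range and the scan records are invented.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class ScanRecord:
    run_at: datetime          # when the scanning vendor ran the scan
    target_ip: str            # the address they actually scanned
    passed: bool              # the verdict on their report
    hosts_responding: int     # assumed field: hosts the scanner found alive


@dataclass
class IpLease:
    ip: str
    start: datetime
    end: Optional[datetime]   # None means this address is still current


def ip_in_use_at(leases: List[IpLease], when: datetime) -> Optional[str]:
    """Return the public IP the merchant held at `when`, or None if unknown."""
    for lease in leases:
        if lease.start <= when and (lease.end is None or when < lease.end):
            return lease.ip
    return None


def assess_scan(scan: ScanRecord, leases: List[IpLease]) -> str:
    """Classify one scan: only 'valid' scans say anything about your network."""
    actual = ip_in_use_at(leases, scan.run_at)
    if actual is None:
        return "unknown"        # no IP record for that date; cannot judge
    if scan.target_ip != actual:
        return "stale_target"   # vendor scanned an address you no longer had
    if scan.hosts_responding == 0:
        return "vacuous"        # right address, but nothing answered (kit off?)
    return "valid"


def assess_all(scans: List[ScanRecord],
               leases: List[IpLease]) -> List[Tuple[str, str, str]]:
    """(date, target IP, status) for every scan, in the order given."""
    return [(s.run_at.date().isoformat(), s.target_ip, assess_scan(s, leases))
            for s in scans]


def latest_trustworthy_result(scans: List[ScanRecord],
                              leases: List[IpLease]) -> Optional[bool]:
    """Pass/fail of the most recent scan that really hit your live address."""
    valid = [s for s in scans if assess_scan(s, leases) == "valid"]
    if not valid:
        return None
    return max(valid, key=lambda s: s.run_at).passed


# Constructed IP history: a dynamic address that changed twice.
LEASES = [
    IpLease("203.0.113.10", datetime(2008, 5, 1), datetime(2010, 3, 15)),
    IpLease("203.0.113.55", datetime(2010, 3, 15), datetime(2012, 1, 20)),
    IpLease("203.0.113.77", datetime(2012, 1, 20), None),
]

# Constructed scan history mirroring the situation in the post.
SCANS = [
    ScanRecord(datetime(2007, 1, 1), "203.0.113.10", True, 1),   # before records
    ScanRecord(datetime(2009, 6, 1), "203.0.113.10", True, 1),   # genuine pass
    ScanRecord(datetime(2011, 9, 1), "203.0.113.10", True, 0),   # old IP, "pass"
    ScanRecord(datetime(2012, 2, 10), "203.0.113.77", False, 1), # real scan, fail
    ScanRecord(datetime(2012, 5, 1), "203.0.113.77", True, 0),   # nothing answered
]

if __name__ == "__main__":
    for date, ip, status in assess_all(SCANS, LEASES):
        print(f"{date}  {ip:<14} {status}")
    print("latest trustworthy verdict:", latest_trustworthy_result(SCANS, LEASES))
```

The useful output is the list of "stale_target" and "vacuous" entries: those are the quarterly passes that should not be counted, which is the practical answer to the question of whether a scan against the wrong IP, or against switched-off equipment, proves anything. Keeping the lease history up to date is the merchant's job, so the simplest mitigation is to tell the scanning vendor about every address change (or arrange a fixed address) before the next scan window.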
Registered User
Join Date: Dec 2012
Full Name: Jake
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts


My name is Jake Roberts and I've just joined this forum. I work in the Head Office at Payment Sense UK; as many of you may or may not know, we are the UK's largest merchant service provider for SMEs.

I hope to be able to answer any questions anyone may have about our services and provide helpful insights and tips on card processing for fellow users.

PCI can be quite a handful and a confusing thing to become compliant on, but it's not that scary. It's there to protect you and give a basic guideline on how card payments should be taken and what not to do in the industry.

We've also put security up as a high priority in the business, and that's why we offer to cover our merchants' PCI compliance fees for the first 12 months of the contract. We also offer a dedicated support line for our merchants to help them through the compliance questionnaires. We believe this helps make the whole process less intimidating and lets you focus on what really matters: running a business!

I hope to speak to more of you out there soon!

17-Dec-2012, 12:41 PM
mje
Registered User
Join Date: Apr 2010
Full Name: Mark Evenden
Posts: 203
Thanks: 77
Thanked 25 Times in 15 Posts
You'd best have a read of this thread, Jake.
17-Dec-2012, 03:14 PM
JakeRoberts
Registered User
Join Date: Dec 2012
Full Name: Jake
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
I'm afraid we've had the same "review" word for word on many other forums and sites. The fact that the user has only ever posted once and it's a copy-paste of a review on more than one forum shows it's either an isolated incident or someone simply out to sully our good work in saving SMEs money on their merchant service costs.