PCI DSS Compliance

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    PCI DSS Compliance

    We've updated our advice and information on PCI DSS at http://www.sellerdeck.co.uk/index.php/ecommerce-services/category/pci-dss-compliance

    Chris

    #2
    Chris,

    I've read the updated response from Actinic and from what it says I fall into this category:
    If you take card payments for ecommerce orders using the web page of a compliant PSP, and also use the compliant PSP's web form for taking mail order related payments, you must get an external scan of your office network (to make sure hackers can’t get in from outside) and you are required to run a virus checker on every PC. You are a SAQ validation type 4, and need to complete SAQ form C.
    But when I go to complete SAQ form C I get stuck with "Part 2d. Eligibility to Complete SAQ C", the second statement:
    The payment application system/Internet device is not connected to any other system within the merchant environment.
    I am interpreting this as meaning the PC that I am using to enter card details on our compliant PSP's web form for mail order payments must be standalone and not connected to the server in our office or any other PCs. Which means, as all our PCs are networked and connected to a server, we can't complete SAQ form C.

    Is this correct or did you interpret it differently?

    Peter
    Printerbase - Colour & Mono Laser Printers



      #3
      I read it differently. The payment application isn't connected to your environment any more than it is connected to every other device in the world that is in turn attached to the Internet. From my discussions with the PCI DSS teams in the banks, I believe that this is how they interpret it too.

      Chris



        #4
        Here's an interesting list of validated service providers (dated 3/11/09):
        http://www.visaeurope.com/documents/...dss.pdf?011009



          #5
          Had a letter from RBSWorldPay re PCI DSS compliance so just getting my ducks in a row. Reading the advice in the Actinic link above, I think I come under validation type 3 as we only link to Sagepay and take PDQ payments for those that think the telephone is more secure!!!!! Can someone confirm that I only have to complete SAQ form B or do I have to complete form A as well to cover the Sagepay bit? Many thanks.

          Oh, by the way I think the link to the Visaeurope site in Alan's post should be:

          http://www.visaeurope.com/documents/...dss.pdf?191109
          www.silvermoonbeads.com - Gemstones, Pearls, Hill Tribe sterling silver, Swarovski and Findings.



            #6
            i'm a bit baffled here, so no surprise to some of you . . . as none of these people issuing information for pci dss compliance are members of the plain english society . . . . . i have come to the conclusion we're level 4, we process some card payments through the actinic payments site for MOTO transactions with the virtual terminal, and we have a streamline terminal downstairs for regular transactions which we can also manually input card details - so we have the customers' CC/DC details on paper.

            so we need to
            •Submit a completed annual Self Assessment Questionnaire
            get the network tested by someone (they, RBS, suggest Arsenal but i'd like to know if this is recommended or someone else)

            then do we need to get a certificate or some sort of assessment for the office where all records are kept and who does this?



              #7
              this bit too

              •Complete an External Vulnerability Scan at least annually. An Approved Scanning Vendor (ASV) will carry out vulnerability scans –
              the somewhere else it said quarterly or until compliance has been achieved or words to that effect - which means what? you don't need any more scans once you're certified?

              i'm gonna be certified by the time i get through this . . . .



                #8
                Vulnerability Scans need to be done quarterly.

                Whoever is doing the certification will need to see the Questionnaire and Vulnerability scan results. Obviously the easiest way is for them to do it all. HSBC use Security Metrics as a recommended vendor (at a big discount) for this and with them you can complete the questionnaire online and run the scans automatically.

                I've no idea how the other companies are doing this.

                Mike
                -----------------------------------------

                First Tackle - Fly Fishing and Game Angling

                -----------------------------------------



                  #9
                  cheers mike, i take it you must have looked into paying for scans from independents then? i found their approved list of people but i didn't want to start making enquiries with them yet until i knew i wasn't setting anything up that wasn't required.



                    #10
                    If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.

                    Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.

                    Chris



                      #11
                      I did quickly look at the independent testers. The trouble was that they all looked more expensive than the Security Metrics deal of £74.99 / year so in the end I just went with that.

                      Mike
                      -----------------------------------------

                      First Tackle - Fly Fishing and Game Angling

                      -----------------------------------------



                        #12
                        If you can eliminate putting any card details onto paper that will simplify things. If you mention card details on paper to any of the scanning companies you are likely to get an adverse reaction.

                        Why not use the virtual terminal for all payments? We do this in our sales and credit control teams - no card details ever get written down inside Actinic itself.
                        This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.

                        Mike
                        -----------------------------------------

                        First Tackle - Fly Fishing and Game Angling

                        -----------------------------------------



                          #13
                          mike, rbos have quoted me about £80 per year for quarterly scans so i guess it's about right, how long do they go on for though? i still don't understand the quote of 'quarterly scans until compliance has been achieved '.

                          chris, we take orders over the phone downstairs and i also take orders up in the office, they have to be written down as it's not always possible to process it there and then. i also use actinic to make invoices for products i know are on the site and if not i create dummy products with a title and a price, which only takes seconds, to create an invoice. either way we write the customers' cc/dc details down.



                            #14
                            This usually isn't a problem. All you need to do is self certify that access to the paperwork is restricted, that it's properly destroyed when no longer needed, that any transfer/movement outside of the business is only done when necessary (and properly secured) and that you have policies and training in place to ensure these are enforced.
                            how do you do this? surely that's not that saq_c form i've filled in?



                              #15
                              how do you do this? surely that's not that saq_c form i've filled in?
                              Requirement 9.

                              https://www.pcisecuritystandards.org/docs/pci_saq_c.doc

                              Mike
                              -----------------------------------------

                              First Tackle - Fly Fishing and Game Angling

                              -----------------------------------------
