PCI DSS Compliance

#16
That's what I thought... so basically anyone could tick yes to everything they want to hear and we're hunky dory... not exactly 'policed' in any way then, is it, lol... well, this should be a breeze then. They're calling me back Monday to arrange the scanning side, one change to our mail order form so I can slice off and shred customer details, and I'm done... thanks for the replies.

#17
It's true that merchants are classified into levels, the majority of Actinic customers being level 4 merchants. At this level you "self certify". However, the actual PCI DSS requirement is the same.

This is a sort of contradiction, which is one of the reasons for confusion.

So yes, if you have the correct procedures in place, as a relatively low volume merchant all you have to do is state that you have them.

If, however, any breach is ever proved, you automatically become a level 1 merchant. Compliance activities at this level will put pretty much everyone out of business. Creditcall (Actinic Payment's backbone provider) announced at the Actinic conference that it cost them over £250k to comply.

Chris

#18
I'd have to assume that the level 1 compliance costs for Creditcall are significantly higher than they would be for the rest of us, because they store and process credit card details on computers and systems that are widely interconnected with public access.

To make these systems safe, verify and test them, put secure systems and procedures around them, and document and audit them is going to be far more expensive than doing the same thing for a simple paper procedure.

But Chris is making a valid point. The whole point of PCI DSS is to ensure companies that handle credit card details do so responsibly and safely. Clearly self-certifying isn't policed, but you won't be able to deny awareness or responsibility if any breaches do occur.

As far as I can remember there are significant fines for breaches as well as tighter certification requirements.

Mike
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------

#19
"If, however, any breach is ever proved, you automatically become a level 1 merchant"

I've come a bit late to this discussion. Say a merchant is currently level 4, validation 4, SAQ C, passes all web transactions to a PSP, but is 4/4/SAQ C because they have chosen to use the PSP's virtual terminal as well (but does not collect card details on their own website).

If a breach is proven as a result of a failure related to the more stringent requirements of SAQ C over SAQ A, and the merchant automatically becomes level 1, is the worst that can happen (apart from fines etc.) that the merchant has to "become SAQ A", i.e. stop using the virtual terminal?

Or is this outcome really so bad (including fines etc.) that it really isn't worth using the virtual terminal from the start, avoiding SAQ C and sticking with SAQ A?

Aquazuro - designer stainless steel accessories

#20
"Level 1" compliance means level 1 - fully audited. Not level 4 in any flavour.

At the end of the day this is a commercial agreement between two companies. The penalties you face depend on how badly the card companies view your breach.

Mike
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------

#21
Daft question probably, but how do you arrange to get scanned if you don't have a fixed IP address (like most of us)?

Also, any more on the "scanned until compliant" thing? I would have thought that compliance was a "regular, forever" process of testing even when you become compliant.

Also (sorry), has anyone considered/implemented a page on their site which allows a customer to enter an amount and address, then get taken to the PSP to enter their card details? This might get round the MOTO problem for us, since most MOTOs are done because we are dealing with non-standard amounts on products which aren't on our site (e.g. special orders). So we tell the customer the amount and tell them to go and pay for it on a certain page...?

Aquazuro - designer stainless steel accessories

#22
I've done this for PayPal and Nochex (http://www.paysecurely.co.uk); you could use that as a backup under those circumstances perhaps.
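The "enter an amount, then get sent to the PSP" page discussed in #21 and #22, as an added example that is not code from this page, from paysecurely.co.uk, or from any named PSP. The security point it shows: the merchant page takes only an amount and an order reference, hands the customer off to a hosted payment page so card numbers never reach the merchant's own server (the SAQ A situation), and signs the redirect so the customer cannot lower the quoted amount by editing the URL. The PSP endpoint `https://psp.example/hosted-pay`, the parameter names, the HMAC-SHA256 signing scheme and the shared secret are all assumptions for illustration; a real PSP documents its own.

```python
"""Merchant 'pay a quoted amount' page handing off to a PSP hosted payment page.

Added example, not code from the page, Actinic or any named PSP. The PSP
endpoint, parameter names and HMAC-SHA256 scheme below are assumptions;
substitute the real PSP's documented scheme."""
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

PSP_HOSTED_PAGE = "https://psp.example/hosted-pay"   # hypothetical PSP endpoint
MAX_AMOUNT = Decimal("5000.00")                     # sanity cap for special orders

# Constructed demo secret. A real one is issued by the PSP and lives server side only.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


def parse_amount(raw: str) -> Decimal:
    """Validate what the customer typed: a finite, positive amount within the cap,
    with at most two decimal places. Anything else is rejected, not rounded."""
    try:
        amount = Decimal(raw.strip())
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite():
        raise ValueError("amount is not a finite number")
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValueError("amount out of range")
    if amount != amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP):
        raise ValueError("amount must have at most two decimal places")
    return amount


def _sign(fields: dict) -> str:
    """HMAC-SHA256 over the fields in a fixed (sorted) order so merchant and PSP
    compute the same value. The 'sig' field itself is never part of the input."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_redirect(raw_amount: str, order_ref: str, currency: str = "GBP") -> str:
    """URL to send a phoning customer to. Only amount, currency and reference go
    to the PSP; no card data is ever collected on the merchant site."""
    amount = parse_amount(raw_amount)
    fields = {"amount": f"{amount:.2f}", "currency": currency, "order_ref": order_ref}
    fields["sig"] = _sign(fields)
    return f"{PSP_HOSTED_PAGE}?{urlencode(fields)}"


def verify_return(url: str) -> dict:
    """Check the parameters the PSP redirects the customer back with (assumed:
    the same fields plus 'status', signed the same way). A tampered amount or
    status fails here; compare_digest avoids a timing side channel."""
    params = dict(parse_qsl(urlsplit(url).query))
    if not hmac.compare_digest(params.get("sig", ""), _sign(params)):
        raise ValueError("bad signature on PSP return")
    return params


def simulate_psp_return(redirect_url: str, status: str) -> str:
    """Stand-in for the hypothetical PSP: it verifies the merchant's signature,
    takes card details on its own page (not modelled), then redirects back
    with a status, re-signed under the shared secret."""
    params = verify_return(redirect_url)          # PSP rejects a tampered request too
    params = {k: v for k, v in params.items() if k != "sig"}
    params["status"] = status
    params["sig"] = _sign(params)
    return f"https://merchant.example/pay/return?{urlencode(params)}"


if __name__ == "__main__":
    url = build_redirect("149.99", "SPECIAL-0042")
    back = simulate_psp_return(url, "AUTHORISED")
    print(verify_return(back))
    try:
        verify_return(back.replace("amount=149.99", "amount=1.00"))
    except ValueError as e:
        print("tampered return rejected:", e)
```

`simulate_psp_return` exists only so the round trip runs offline; with a real PSP the merchant implements `build_redirect` and `verify_return` against that provider's documented fields, and should also check the returned `order_ref` and amount against what it quoted before treating the order as paid.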


#23
"Also, any more on the 'scanned until compliant' thing? I would have thought that compliance was a 'regular, forever' process of testing even when you become compliant."

The "scans until you're compliant" bit just means that if you fail, you can run repeated scans until you sort out the problem. After that it's done quarterly.

Mike
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------

#24
How often do other Streamline users get a scan done? Their own PCI-DSS Merchant Guide (http://www.streamline.com/downloads/PCIDSSGuideV3.pdf) states that for level 4 merchants they require a 'Vulnerability scan at least annually', but when completing the SAQ C, question 11.2 asks 'Are internal and external network vulnerability scans run at least quarterly?'.

Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.

#25
Originally posted by drounding:
"I've done this for PayPal and Nochex (http://www.paysecurely.co.uk); you could use that as a backup under those circumstances perhaps."

Hmm. Thanks Duncan, I like that. The problem I can foresee is that the people who phone for MOTO often do so because they don't like/trust putting their details into a website. For us to then tell them to go to a payment page because "it's more secure" isn't going to wash at this stage of the development of ecommerce...

Aquazuro - designer stainless steel accessories

#26
I suggest a quick re-read of my article referenced in the root of this thread (and below).

Security Metrics and other providers can provide the external scan for the third case (Type 4 / SAQ C) at a reasonable cost, even if you are connected to the Internet by broadband and don't have a fixed IP address.

From a sales perspective, it's much better to get the payment details while you are on the phone. This can be done safely and easily using a virtual terminal; you just need to follow the correct procedure.

Actinic ourselves use a virtual terminal. We had an external scan from Security Metrics, and we run virus checkers on every PC. We also use several anti-spyware products. We followed the procedure that I outlined. Job done.

See http://www.actinic.co.uk/services/pci-dss.htm .

Chris

#27
Do I need PCI DSS?

We have a B&B and have a PDQ connected to a phone line. I do CNP over the phone and face-to-face transactions. We have no staff.

I also deal with firms like Laterooms & bookings.com who send me faxes with CC details, but not the 3 digits from the reverse of the credit card. If I need these I log onto their site and get them.

Do I need to go through the PCI DSS system, and if so which level/type am I?

#28
Yes you will.

My wife has a PDQ from Barclays and has recently been informed of an increase in transaction percentages if she does not comply, all of this after being told by them that she didn't have to do it?

If you only swipe cards using someone else's PDQ, e.g. Barclays/HSBC etc., and do not collect any information whatsoever, the compliance form is quite straightforward (2 forms: #1 Version 1.2 and #2 SAQ A v1.2).

However, as someone is sending you paper copies of details, the security problem grows, and you will have to select a different form; see here for an overview:
https://www.pcisecuritystandards.org...ions_dss.shtml

All that being said, for £12 pa, these people
https://www.pcisecuritystandards.org/index.shtml

will do it for you over the phone and set you up with a web link to fill in the correct form electronically with your own password etc. It's a Yes/No form with instant RED/GREEN acknowledgment of your answers, so you can get on with it and get a green light straight away (assuming your systems and procedures comply; else you have to submit an action plan of improvements etc.).

To be honest it's £12 a year - do it, IMO.

OK, £12 pa feels like a TAX, but what are you gonna do? Well, what you can do is sign up for 1 year and simply "learn by example" what these guys tell you, and for subsequent years, assuming no changes in your procedures or setups, do it yourself.

Simon.
esafetysigns.co.uk
your instant download portal for self printable health and safety signs and posters
... download once, use as many times as you like!

http://www.esafetysigns.co.uk/index.html
http://www.esafetysigns.co.uk/acatalog/index.html

#29
Vulnerability scan

Started the process yesterday and the scan showed 4 issues, all to do with open SSH, with strange solutions I am yet to investigate.

The bottom line says non-compliance - quite worrying, as there seem to be no proper guidelines, or indeed any indication of how long I have before losing the ability to take card payments!
https://www.harrisontelescopes.co.uk/

Ed Harrison - Menmuir Scotland

#30
I assume this was a scan of the office network and not the website.

Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.