PCI DSS Compliance

Does anybody know where I can find a copy of the Level 4 PCI Self-Assessment Questionnaire which Security Metrics want to charge me for filling in and emailing to them?

Any retailers that take credit card payments now have to be compliant.
Any online retailers or businesses that store credit card data will now have to pay several hundreds of pounds a year to be compliant.
Like it or not
:mad: :mad: :mad:

Comments

  • lsm1066
    lsm1066 Posts: 12 Forumite
    You should be able to get it from the Security Standards Council website at https://www.pcisecuritystandards.org/saq/index.shtml

    I'm in the same position as you. Securitymetrics gave me the impression I had no choice over paying them to help me fill in the questionnaire, and even after spending half an hour on the phone to someone from Barclaycard I still can't get to the bottom of why traders are having to pay for something we haven't asked for and (almost certainly) don't need. Although apparently if someone illegally hacks into our PC and picks up card information from our system and uses it illegally, even if we don't store the data ourselves but only look at it for long enough to process a transaction, we can be fined for that.

    Does that sound fair or reasonable to anyone else?
  • Sounds fair enough to me. If you are a retailer then you owe a duty of care to your customers to be PCI DSS compliant; how else will a customer know if you are being careful with their credit card details?
  • lsm1066
    lsm1066 Posts: 12 Forumite
    edited 14 April 2009 at 9:35PM
    The trouble is, we have to fill in a questionnaire which we are more than welcome to do ourselves but which is so full of jargon that we have no choice but to pay someone to help us fill the form in. Then we have to pay someone to scan our systems remotely 4 times a year in order to ensure that our system is secure. I'm not comfortable with a third party, whoever they are, having access to scan my system. I don't actually store any credit card information; it's all done by my web hosts who are compliant. However because I look at someone's details on the screen for about 20 seconds, I have to pay (currently nearly £100 for the first year, which may not sound like much but which is a lot to a small business). I agree that customers should feel secure about how their card details are used, but the onus is being put on the traders when something goes wrong, not the card issuers.

    Incidentally, despite originally being compliant, Worldpay have had to undergo re-assessment after a security breach. They wouldn't have been held liable but they do have to undergo early re-assessment and are apparently not currently compliant. So does this system even work, I wonder? (Google PCI DSS +Worldpay for info)
  • greyteam1959
    greyteam1959 Posts: 4,685 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Update
    I found the forms online and filled them in... twice...
    Still not correct!
    The complexity of the forms is unbelievable and full of 'Americanised' jargon. I get the feeling that they are so complex on purpose so you have to pay to have them filled in.
    I totally agree with lsm1066...
    I am not at all comfortable with Barclaycard and their attitude to passing my company data to an American third party.
    My business does not store any data at all, yet we are still supposed to be compliant... the world's gone mad!
    After being bombarded by emails from Securitymetrics I have told them in no uncertain terms that the complexity of the forms is ludicrous and that I will not fill them in again.
    My status is now Non Compliant... watch this space.
  • Hi mervyn,
    I am having the same problem. I refused to pay a 3rd party to help me fill out a form, so I filled it out last year and posted it. Now I've been sent a letter saying if I don't 'comply' I will be charged an extra 0.098% on ALL transactions from 1st May... sigh.
    I have now downloaded another set of forms and filled them out... again... and will be posting them. Let me know how you get on, but I can assure you they will send you this letter too.
  • Tea3
    Tea3 Posts: 460 Forumite
    Hi,
    I received an email from my merchant gateway (Protx) last year saying they will be sending out further emails about PCI DSS compliance. However, as I'm a bit of a worrier I contacted my merchant bank to ask them, and they said Protx were over-reacting as we would be Level 4 and they would contact us with their own details and costs etc. in due course. So far nobody has got back to me and I still don't know if I should sit and wait, as they both told me this, but I don't want to get slapped with fines etc.

    I run a website that processes cards on my site, but the site is secure and at no time do I see any card info at all (that's all done by Protx). It's all encrypted and not viewable by me at any time. I have even set it so if a customer enters their details wrong the system does not remember them when it brings up the error message and they have to re-enter all card details. There's absolutely no storing of info at all.

    We used to have offsite card processing where it went to the Protx website, which apparently means we would not need to be PCI compliant. However, due to slow speeds back from Protx we kept getting time-outs on payments, so we had to integrate it so customers pay on our site (with HTTPS and all regular security features enabled). Should I be compliant by now or wait until Protx or the merchant bank get back to me?

    Can you tell I'm confused?
    Some People Live & Learn, Some People Just Live...
  • greyster
    greyster Posts: 2,392 Forumite
    I feel your pain. I've worked on PCI DSS for over a year for my company (international telecomm) and it won't go away.

    tea3, when you switch back to taking payment yourself, are you storing the customer PAN?
  • Tea3
    Tea3 Posts: 460 Forumite
    No (if that's Primary Account Number).
    The customers enter all details on our website, but we can't see anything and nothing at all is stored on our system. When we log in to the Protx website to authorise payments etc. we are shown the last 4 digits only of the card number, the same as you would get on a normal supermarket receipt, and also the bank the card is registered to. Every time the customer visits the website (even if seconds later) they need to re-enter all card info as we don't store or keep anything. Some customers don't like ordering online so phone us with their card details, which we then enter on the Protx system, but again we don't keep or store the details and they are shredded and securely disposed of (but many companies process phone orders, even non-website ones, and it seems only companies taking internet payments need to be PCI compliant as far as I can tell; but it's a minefield so I may be wrong lol).

    The following is from the dude who set up the payment system originally (about security of card info etc):
    They're stored in the session, encrypted with ***. As soon as the customer leaves the checkout they are deleted. This includes if the customer doesn't complete checkout but goes to another page of the site. If you want complete peace of mind, you can disable the storing of the details in the session. This will mean however that if a customer makes a mistake entering their details or there is a card problem that they have to enter all their details all over again.

    After this reply months ago we then disabled the storing of the card details in the session so at no time are they stored or seen by us.

    (sorry for long answer)
    Some People Live & Learn, Some People Just Live...
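The two checkout behaviours described in the post above (card details kept in the session until the customer leaves checkout, versus storing nothing so a failed attempt must be re-typed), modelled as an added example. This is not code from the thread or from Protx; the class and function names are hypothetical, and the masked "last 4 digits" view matches what the post says the merchant is shown.

```python
"""Added example (not from the thread): model of the checkout-session options."""
import re
from dataclasses import dataclass, field

PAN_RE = re.compile(r"^\d{12,19}$")


def mask_pan(pan: str) -> str:
    """Return the PAN with everything but the last four digits replaced by '*'.

    This is the only form the merchant should ever see on screen or in logs.
    """
    digits = re.sub(r"\D", "", pan)
    if not PAN_RE.match(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class CheckoutSession:
    """Per-visitor checkout state (hypothetical, in-memory only).

    keep_in_session=True  -> the 'stored in the session, deleted on leaving checkout' mode
    keep_in_session=False -> the 'disable the storing of the details' mode
    """
    keep_in_session: bool
    page: str = "checkout"
    _card: dict = field(default_factory=dict, repr=False)

    def submit_card(self, pan: str, expiry: str) -> str:
        """Accept card details for forwarding to the gateway; returns the masked PAN."""
        masked = mask_pan(pan)
        if self.keep_in_session:
            # Retained only so a declined/mistyped attempt need not be re-typed.
            # Note: while held here the full PAN is in server memory, so the
            # server is inside PCI scope even though nothing reaches disk.
            self._card = {"pan": pan, "expiry": expiry}
        return masked

    def navigate(self, page: str) -> None:
        """Any page other than checkout wipes the held details, as the post describes."""
        self.page = page
        if page != "checkout":
            self._card.clear()

    def retry_needs_reentry(self) -> bool:
        """True when a retry would force the customer to enter everything again."""
        return "pan" not in self._card
```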
  • greyster
    greyster Posts: 2,392 Forumite
    If you are not storing PAN then it isn't a Level 4 system, it would be Level 2. I can't see how you would be storing or processing PAN in the scenario above.
  • Tea3
    Tea3 Posts: 460 Forumite
    edited 24 April 2009 at 10:06AM
    Eeks. I was under the impression that Level 2 meant a higher rate of compliance than Level 4, 4 being the lowest one that does not need urgent compliance like the larger companies; this being more or less what was said by the merchant bank (although I may have picked that up wrong).

    Does Level 2 mean a higher level of compliance?
    We definitely don't store card information, but customers do enter their card details on our secure checkout section and, from what I believe, the card info is then encrypted to Protx to process or reject the payment. We see nothing, but we do need to send them the data (this is all done through a secure module set-up, and details are encrypted using a program Protx and other companies apparently approve of).

    The following websites both say that Level 4 is the lowest, with under 20,000 transactions a year (we are below this just now as some payments are taken via PayPal also):
    http://www.itgovernance.co.uk/pci_dss.aspx
    http://pci.evolve-online.com/pci-for-merchants.asp

    Not saying you are wrong, as I appreciate your help and advice on this; just worried we are talking about different parts of PCI, as according to these I have a fair way to go to reach Level 2 (1,000,000+ transactions a year would be very pleasing :D)
    Some People Live & Learn, Some People Just Live...