PCI DSS Compliance
Comments
-
yeah we're talking about different parts of PCI... although I am wondering where the info we got from work has come from now. Probably from the QSA.
I was referring to system classifications:
Lv1 No credit card data or last 4 digits of PAN (not sensitive)
Lv2 Card handling system (not storing or processing)
Lv3 Processes PAN
Lv4 Stores PAN
I'll post when I find out where I got this from.
But yes don't worry you're level 4 in terms of transactions. I work for a level 1 company, ouch.
-
Hi mervyn,
I am having the same problem. I refused to pay a 3rd party to help me fill out a form, so I filled it out last year and posted it. Now I've been sent a letter saying if I don't 'comply' I will be charged an extra 0.098% on ALL transactions from 1st May.....sigh
I have now downloaded another set of forms and filled them out....again...and will be posting them. Let me know how you get on but I can assure you they will send you this letter too..
Yes I got my letter yesterday.......I just knew that they would do this !!!
I have got completely p*ssed off with Barclays Merchant Services and Securitymetrics........
I got in touch with them again....made them ring me back from the USA (hehe) tried to keep my temper ( and failed only once) paid my £11.99 and took 20 minutes of them paying for the phone call to complete the forms and now I am PCI DSS *******ing Compliant.
I am NOT PLEASED.
I do not store or transmit any card data whatsoever, I do not trade online or on the phone, yet I have to provide all what I regard as sensitive data to some company in the USA that I have never heard of to become compliant......more data has had to be transmitted to become compliant than I have ever transmitted for the last 20 years MADNESS
-
Hi mervyn,
I sent my forms off......oh they seem to have not arrived at the address I sent them to, they are now going to email them to me....this has been going on for over 5 months.
Sorry to hear you had to pay. I'm still holding out. Got some woman at 'customer complaints' to deal with it for me.
I don't expect they will email the forms. I sent some by email right at the beginning of all of this.
Seems madness I agree. And personally, I don't think they should be taking money from teeny sole-traders:(
Mary
-
Scarymary.....It's not that I HAD to pay, it's just that I was wasting so much time and effort I decided to pay my £11.99 and get it finished with.
By the way that will be £11.99 per year !!!
-
Hi, how did you manage to get it for £11.99 per year? So far most places I have checked are quoting in the £100's to get it all completed. I agree that even £11.99 and all the hassle and fuss is not great but it's better than several £100 + hassle and fuss. If you can pm me the USA phone number I would appreciate it (unless it's just a Barclays related phone number).
Some People Live & Learn, Some People Just Live...
-
We are classed as a Level 4 merchant...ie we only process cards through a PDQ terminal connected to a phone line......the £11.99 is I think a discounted price for Barclays Merchant Services but the top line price was I think about £60.00..
I can't find a link to the charges page sorry
But this is the link to Securitymetrics ( ie !!!!!! Turpins ) home page
http://www.securitymetrics.com/
-
Thanks - I think we would be level 4 also - we process cards through our website which is fully encrypted and secure with ssl etc so we don't see actual card details and none are stored. Some customers phone their card details through if they don't want to pay online (entering card details still makes some people nervous), so in those cases we process the cards through protx system as normal and then shred the details keeping nothing on file. I will check the link you gave and hopefully soon either merchant bank or protx will get back to me as it was about 6 months ago they first said to leave it and they will contact us when it's needed, but I am worried I get slapped with some fine for not submitting some form etc or for non compliance.
ADDED - my husband had a look at a pci dss form a while back and was really worried as something in it made him think we would fail a check as we don't have our website hosted on our own servers - most small companies are unlikely to have their own server anyway so I think there must be a way round this - does anyone know or has someone passed when using a server with a web hosting company? For the record we use a vps server (virtual private) and have all the usual encryption and blowfish etc installed and also have dedicated ip with own ssl (supplied and secured through hosting company) - can you tell I'm a worrier lol..?
Some People Live & Learn, Some People Just Live...
-
PCI DSS is all about securing confidential data, that's it, it's not rocket science. Ensuring that confidential data is held securely and encrypted. e.g. not having boxes of customer receipts with full credit card details around your business.
-
Sorry to resurrect this old thread, but we're struggling
Also apologies for the length...
OH is a sole trader, single workplace, one card terminal connected to a phone line; no card data held on a computer; no website selling goods/taking payments (the work premises don't even have an online connection); no till, so no electronic system of any sort where this kind of data is stored; manual invoicing. Just a one-man band operation (well, one employee, but you get the gist). At home I computerise our accounts from manual records/paperwork, but no card details or even customers' addresses.
We're with BOS Merchant Services. Before the new year OH 'produced' 4 letters and literature from BOS (sent to the premises, so I'd never seen them) and asked me to take a look and see if I could make head or tail of it. When I checked, the first were dated towards the end of October! He'd been 'meaning to' look at them properly and do something about it, but at first glance didn't understand or much like what he saw and put it off (now I can understand why). It involved doing stuff online anyway, and he loathes computers! But then a reminder had arrived, sent just before Christmas.
I took a quick look and didn't much like it either. I'd never heard of PCI DSS. A bit of online 'research' then, so I know broadly what it's about and that we're obliged to comply. Inward groan at another 'burden' to take on board, but from a quick first look it didn't seem too bad, as the first letter said:
On your behalf, Bank of Scotland Merchant Services will monitor and manage your compliance status including administering reports to Visa and MasterCard.
It (hopefully) seemed we might only have to confirm a few details and all the rest would be taken care of for us.
But we needed to enrol first, and that's what BOS were now agitating about. The reminder said they'd 'noticed' we hadn't enrolled and:
Should you fail to enrol or contact us to discuss your plans to be compliant with PCI DSS by 01/02/2010 an Inactivity Fee of £20 will be applied to your Merchant Services account on a monthly basis ...
So today I settled down with it properly and dived into this enrolment, or tried to. It was almost double-Dutch, but muddled along as best I could with the aid of help prompts for each question. Even then I struggled because (this will sound naive and pathetic to all who know and do more with the world of plastic) I didn't even know what many of the terms and abbreviations were... mostly not a clue what they were on about or wanted to know. Handling electronic payments is at such a basic level in our case that it's literally only "He takes cards – it works" and that's all we've ever needed to know or concern ourselves with over the years.
Apparently what I was struggling with was only the Profile Summary! Not actually very long or onerous for most I'm sure, but there were parts I left blank as I didn't know if they applied, one entire section in particular.
Anyway after that I ended up at a screen with the following.
PCI Level: 4
SAQ Type: SAQ B
PCI DSS Compliance Status: X (Non Compliant)
and three red buttons (i.e. non-compliant) against Validation, Scan Compliance and Report Compliance.
Then under Next Actions:
-- Confirm and attest to a fully compliant SAQ and scan.
-- Complete outstanding SAQ clauses and Compliance Maintenance Tasks.
-- Run a fully compliant scan.
Two boxes:
SAQ Result: No SAQs currently exist
Scan Result: You have not yet completed a scan or provided us with details for a third party scan.
+ a few other bits and pieces.
I gave up then, completely at a loss, and started this. An email's come to say he's now successfully enrolled, so I must have got enough of it right to avoid the fine from beginning of Feb for not doing so.
I have a printout of the summary screen and will give that to OH, but he's going to have to 'take courage' and force himself to log in and look at what I've seen/done, then he'll need to phone BOS and see what's involved now, because I'm out of my depth and so will he be.
Hopefully there'll be a kind person at the other end who'll be able to 'walk him through' or better still, do whatever's needed at their end by asking questions. Wouldn't you know it though... only open 9-5 Mon-Fri, less than he is, so he won't be best pleased, or find it easy, to spend work time on this.
Meanwhile I looked for something on MSE, found this thread, and wanted to ask what horrors are likely to be in prospect, and what these non-compliance issues actually mean in terms of what we must do. Any general guidance or reassurance appreciated. Having now had a glimpse of what's involved, I'm really worried about it.
One thing, reading the earlier posts here about the different levels, why have we been put at Level 4?
BOS are charging an annual PCI DSS management fee of £35.99. I'd seen the charge on the December bill, didn't have a clue what it was and was going to ask OH to ring and find out... little knowing then he'd had these letters about it!
Many thanks, and sorry again this got so long
~cottager
-
Does anyone have a copy of what they have successfully submitted for a simple retail outlet?
This discussion has been closed.