Payment Card Industry Data Security Standard (PCI DSS)

[hargreaves56]

Hi

Has anyone had experience of this?

Something to do with Barclaycard. We use Barclays and Sagepay.

I did have a call about this a while ago and kind of ignored it because the call was from a third party trying to sell me something that cost about £100. He was calling from america and it just sounded dodgy.

Barclaycard must be out sourcing it to them. Seems a bit of a joke really.

Got an email today:

Payment Card Industry Data Security Standard (PCI DSS)
IMPORTANT: Failure to demonstrate progression towards PCI DSS compliance can lead to the termination of your merchant account

Dear Sir/Madam

Please be advised that if you are not PCI DSS compliant, or fail to demonstrate progression towards PCI DSS compliance, you can face:

• termination of your merchant account

• non-compliance fee charges

• significant Card Scheme fines in the event of a data compromise.

You need to send SecurityMetrics validation of your compliance, or an update on your progress, by no later than 26 April 2011.

Please note that SecurityMetrics are responsible for managing and reporting the compliant status of all Barclaycard merchants to Card Schemes whether you choose to enrol for their services or not.​

 

[CharityClear]

Hi,

You may find some useful information on here https://www.pcisecuritystandards.org/merchants/

Marc.

 

[hargreaves56]

Thanks. So do I need do anything other than read the info and follow what it says?

 

[SecureTrading]

All merchants selling online need to be PCI DSS compliant. PCI DSS covers the capture, transmission and storage of credit card data, so if you are using a hosted solution from your payment provider then it is likely that all you will need to do is complete a self assessment questionnaire to confirm compliance. Most of the acquirers are launching these schemes to protect themselves from fines from the PCI Security Council/card schemes when one of their merchants is found in breach.

More information can be found at http://j.mp/e4TxMa and you can see our range of PCI solutions at http://j.mp/g8rX4U

 

[KateCB]

Actually it is a con, but a legal one

If you are using a hosted solution i.e. SagePay, then they are the worlds MOST PCI DSS Compliant company; however you have to complete a questionnaire stating that they comply with PCI DSS and therefore so do you, and for providing this information you get a certificate (which you download and print out yourself) an image to display on your website, and a bill for £80+ for filling in the form.....its just another tax on ecommerce really!

 

[hargreaves56]

Thanks Kate!

Any idea where I can get this questionnaire from?

I love it when small businesses are charged for something that takes them time to do.

 

[TotalWebSolutions]

Some of the banks these days will want you to become PCI Level 4 compliant if you process MOTO transactions. So even though you use a PCI Level 1 gateway like SagePay, or indeed ourselves, for website payments you will need to check with the bank on their requirements for MOTO compliance as well.

You can get the questionnaire from your bank or any QSA (Qualified Security Assessor). We use ECSC as our QSA for our annual audit, network scans and pen tests etc.

 

[KateCB]

Talk to Sagepay - they have a relationship with a PCI DSS supplier - I use Trustwave, as were recommended by SagePay 2 years ago......they were talking about changing suppliers, but they will direct you to the form and help you to complete it (It isn't hard, just oddly worded!).

We use MOTO and HSBC are very happy with whatever level we have through trustwave as the MOTO payments are made through the SagePay terminal anyway.....

 

[smo]

PCI-DSS isnt entirely compulsary. Our merchant doesnt give a stuff about if we are compliant or not, we had a letter many years back about it coming in and that was the last we ever heard. Its not even compulsary to collect CVC numbers and they came in many years before PCI was dreamt up.

Essentially its a waste of time making the banks more money - it wont cut fraud as even those who are highly compliant have breaches of security, its more dependant on how big the company is and how determined the people they upset are!

 

[kulture]

PCI-DSS isnt entirely compulsary. Our merchant doesnt give a stuff about if we are compliant or not, we had a letter many years back about it coming in and that was the last we ever heard. Its not even compulsary to collect CVC numbers and they came in many years before PCI was dreamt up.

Essentially its a waste of time making the banks more money - it wont cut fraud as even those who are highly compliant have breaches of security, its more dependant on how big the company is and how determined the people they upset are!

This forum should come with a health warning. Following some advice can seriously damage your business. PCI is not strictly compulsory, nor is accepting credit cards. If you are not PCI compliant then sooner or latter you will not be accepting credit cards.

 

[smo]

This forum should come with a health warning. Following some advice can seriously damage your business. PCI is not strictly compulsory, nor is accepting credit cards. If you are not PCI compliant then sooner or latter you will not be accepting credit cards.

I am simply stating the FACTS of the situation. Our merchant, Streamline, does NOT require PCI compliance or CVV numbers, this is a FACT - ask them if you dont believe me!

 

[kulture]

LOL, OK let us talk about FACTS

Please read the page on the STREAMLINE web site

http://www.streamline.com/content.php?page=products&sub=pci

In it it says (just in case you miss it)
"This standard is called the Payment Card Industry Data Security Standard (PCI DSS) and is also endorsed by American Express, JCB and Diners Card.
Merchants are required to adopt the new standard and to review the guidelines against their current business practices"

So just because they have written to you and not yet got back to you does not mean that they won't. It just means that you are too small a merchant for them to worry about for now. They will however chase you up, and they will require you to be PCI compliant. Its not hard to do either.

 

[kulture]

As for your continued mention of CVV numbers, it is simply showing your ignorance. The CVV number is an additional security check that an online merchant can use if they choose, to better validate that the customer is genuine. If the merchant chooses not to use the number then the chance of fraud and successful charge backs increase. The use or not of this number does not have any affect on your requirement to be PCI compliant. The one thing that PCI compliance does say on CVV numbers is that you MUST NOT STORE this number. Once used it must be erased.

 

[smo]

LOL, OK let us talk about FACTS

Please read the page on the STREAMLINE web site

http://www.streamline.com/content.php?page=products&sub=pci

In it it says (just in case you miss it)
"This standard is called the Payment Card Industry Data Security Standard (PCI DSS) and is also endorsed by American Express, JCB and Diners Card.
Merchants are required to adopt the new standard and to review the guidelines against their current business practices"

So just because they have written to you and not yet got back to you does not mean that they won't. It just means that you are too small a merchant for them to worry about for now. They will however chase you up, and they will require you to be PCI compliant. Its not hard to do either.

Having spoken to them just last week i'd bet a lot of money they DONT require it, and they wont be chasing anyone up about it. I guarentee you.

 

[kulture]

Ok if you would rather believe a person on the end of the phone than their own web site so be it. I hope you took their name and position and authority to override their own procedures.

For the rest of us please see

http://www.hftp.org/Content/Forms/EHTEC/EHTECPresentations/2010/PCIDSS.pdf

and
http://www.visaeurope.com/en/businesses__retailers/payment_security.aspx

In particular Visa Europe says
"Acquirers are responsible for ensuring that all of their merchants comply with the PCI DSS requirements. Merchant compliance validation, however, has been prioritised based on the volume of transactions and the potential risk and exposure introduced into the payment system."

 

[SecureTrading]

There is obviously a lot of confusion around the subject of PCI. Firstly it is a card scheme requirement, so in turn an acquirer one. Card schemes are Visa, MasterCard, American Express etc. and they allow banks to acquire on their behalf. However they impose a whole raft of rules to this.

PCI was set up to ensure there were agreed security standards across the industry. This is not to prevent fraud per se, but to ensure credit card data is protected from hackers and theft.

Please visit the PCI website at http://j.mp/e4TxMa to see what you need to do. The fact of the matter is you do need to be compliant by the card schemes and should the worse happen and any card data you are capturing, transmitting or storing be compromised you will be subject to a hefty fine (as will Streamline) and risk losing the ability to accept cards.

 

[KateCB]

It wasn't our payment processor that wanted it, it was the bank.......in order to continue to use their merchant services, they wanted a copy of the PCI DSS certificate.......

 

[sphynx]

It's like a risk assessment and is well worth doing anyway due to the fines one could receive from the card providers if you're unlucky enough to have a security breach. For the sake of £100 per year, it's best to cover ones rear

 

[SecureTrading]

It wasn't our payment processor that wanted it, it was the bank.......in order to continue to use their merchant services, they wanted a copy of the PCI DSS certificate.......

Apologies if I wasn't clear, but I wasn't suggesting it would be your payment processor. If any merchant suffers a card breach and is subsequently found to have not been PCI compliant they will be liable to severe fines from the card schemes and so will their acquiring bank. So it is in the bank's best interest (and the merchant's) to ensure all their merchants are PCI compliant.

 

[privateer]

This one goes round and round.

It is a card scheme, and only directly affects those who see the long credit card number. Those companies that do see this number must comply with PCI-DSS.

All other merchants need not comply - except insofar as filling in a bit of paper that tells their merchant account provider that they are outside the scope of PCI-DSS.

This is NOT compliance! But it is asked for and is something that some (many? most?) merchant account providers are now using as a way to raise a disproportionate amount of money - all the while hiding behind "PCI-DSS compliance."

 

[Skateboard Express UK]

Hello - I have two ecommerce sites, both use different PCI-DSS compliant payment gateway providers.

on one site we process transactions by collecting customer details on the checkout page. on the other site, we have an externally hosted payment gateway - so if the customer selects the "credit card" option then they go off our site to the gateway provider's site where they enter their credit card details.

for the first site, we have our hosting provider telling us the we should move to the external method (which we could do with our current provider) because "your cart does collect cc info (despite not storing cc data, but instead only momentarily holds it as it pushes it down the gateway) so you still have the security risk of interception of that data on your cart, and as such PCI DSS compliance would be required."

for the second site, we have our website designer telling us that it is preferable to process transactions within the site because some customers will abandon the transaction when they are sent to an external site because they are concerned about fraud and getting sent to another site increases the abandonment rate.

so i'm getting conflicting advice here - should I move both sites to having external credit card processing ? by not doing so, am I non-complaint with PCI-DSS ? It would be great to get some advice on this issue and also whether the view that external cc processing increases abandonment is correct. Thanks..

 

[SecureTrading]

PCI covees the capture, storage and transmission of card data, so you do need to be compliant on your first site.

With regards to your second site, what you can do is use something like our Payment Pages + solution where we host the payment page, but also host a domain for you, so it doesn't look like the customer has left your site. Best of both worlds! See http://www.securetrading.com/pci-dss-solutions.html

 

[kulture]

Currently Visa Europe has not put a deadline by which all merchants have to be PCI compliant. The acquirer, the likes of streamline and HSBC, are likely to insist on PCI compliance before any deadline arrives to protect themselves.

Now if you are an e-commerce merchant and you have a hosted page (i.e. the likes of a sagepay form) then all you need to do to be compliant is fill in a simple questionnaire once a year. I agree with others here who say that the banks charge way to much for this simple paper exercise.

Now if your site hosts the collection of the card details (e.g. sagepay direct) then even though you never actually SEE the long card number etc. Your server sees it and transmits it. In this case becoming PCI compliant is a bit more expensive. You have to fill in a longer and more demanding questionnaire and your server has to pass a quarterly security scan. You thus need decent hosting, and you pay about £100 a year for the privilege of doing this.

If however you use a in frame solution like the sagepay server interface, then although to the casual customer you never leave your site, the card detail capture is actually done on the sagepay servers and thus is as secure as the sagepay form. Thus in theory you only need to do the simple annual questionnaire. The problem you will have is persuading the first line monkeys of any of the PCI providers that the card capture is not done on your server.

Now many people think that when you leave your site to capture card details, the customer gets concerned and there is a higher level of card abandonment. I have not seen any actual research done on this. However in my opinion I believe that this may have been true in the past BUT is less likely to be true now. I think that as customers grow more aware of data breaches and security, many of them may be more likely to feel secure if their card details are captured by a well known site (like say HSBC) rather than the shop's site. The only way to be certain is to actually test it over time trying out both methods and seeing which has the higher abandonment rate. I would be very interested in any such results.

 

[silklink]

This is a scam. We use Streamline who provide a PDQ, and are now writing to us to get compliant by Christmas. Oh, and by the way, Streamline can save you £10 and reduce the annual compliance fee from £30 to £20 !!!

I headed over to the PCI Security Standards Council and started completing a Self Assessment form. I'm about half way through and conclude that the questions are written in a way that most merchants simply will not understand the question and the terms that they use in the question. We are being deliberately misled.

This scheme can be implemented with a very simple list of 10 or so easy-to-understand commandments that we as merchants can sign a declaration at the end. Job done.

We already pay card companies significant fees. Our government should be stepping in and saying, 'we do not need scams like this.' especially now in a frozen economy.

 

[kulture]

It is not a scam. It is a legitimate way for banks to screw more money out of you!

 

[silklink]

I stand corrected LOL