PCI Compliance

[macmacman]

We have a typical eCommerce set up:
Magento
Sagepay

Worldpay seem to think this is a unique set up! Classed as high risk by the idiots at worldpay. So have to answer endless questions. One is...

How is the card information transferred from our site to sagepay? Silent order post, direct or js.
What do you think it is? We are using the Sagepay plugin for magento that everyone uses.

Any help, much appreciated.

 

[TotalWebSolutions]

Have you asked SagePay? They should be able to tell which method you are using with them.

 

[pentel]

We had a similar issue when using the online compliance checker.

I got myself in such a mess in trying to answer the sometimes oddly worded and multi layered questions that I picked up the phone and gave them a call.

This was a totally different experience, the person I spoke too asked sensible questions and explained the implications and having described our system to her filled in most of it herself with only small amounts of input from myself.

I would recommend giving them a call.

 

[altwebdesign]

Is it Security Metrics doing the PCI compliance?

One thing that can make a difference is whether you use "remote" or "hosted" payment pages.

If when someone is entering their card details, you redirect them to sagepay, to an HTTPS/SSL protected domain then you may find you have very little PCI compliance to do. Typically they will run a scan on your website and may require you to close certain open ports on your web server.

If, however, you host the actual page where users enter their card details to on your website then you will have stricter PCI guidelines to follow.

If you are sending customers to enter their payment details on sagepay and dont store any sensitive data or take payments offline then your PCI requirements will be minimal and usually just come down to answering their questionaire and running an audit to check for vunerable open ports.

You will be required to do this each and every year that you are trading but its less work once you get the first year out the way. You apparantly get fined for each transaction you take that you are not PCI compliant.

 

[GraemeL]

We had a similar issue when using the online compliance checker.

I got myself in such a mess in trying to answer the sometimes oddly worded and multi layered questions that I picked up the phone and gave them a call. This was a totally different experience, the person I spoke too asked sensible questions and explained the implications and having described our system to her filled in most of it herself with only small amounts of input from myself.
I would recommend giving them a call.

Exact same experience for me. Call them.

G

 

[macmacman]

Thanks. Yeah the url stays as ours so guess it is Direct according to Sagepay.

PCI is compliance is another scam to get more money out of us,in my opinion.

 

[bharris]

If you login to your Admin then system>configuration on the left hand side under sales you should see sagpay click on that and should show a list of all the different types of integration. Just look to see what one is active. Personally i use form, which sends the customer off to Sagepay, who take the payment details.
That makes PCI compliance very simple for me. You can actually self certify for free, however i have not been able to get the merchant processors to accept it and they basically force you to use there chosen checker provider at a price, as you say a complete scam!

 

[macmacman]

Cheers @bharris. We are Direct in that case. I dread this every year. In fact I dread speaking to Worldpay, complete bunch of monkeys.