Has anyone received a letter from your processing company that claims your system has to be tested for PCI compliance for $99 a year?
I'd like to hear feedback concerning this. Please share.
Thanks & God Bless,
Typically, if you accept credit cards on your website, you will need to be PCI compliant. Without knowing your exact situation I can't say what level of compliance is required (it depends on sales). But this involves quarterly security scans of your website to ensure that basic (and some not so basic) vulnerabilities are closed.
I have used Scanalert (now owned by McAfee) to run PCI scans. Cost varies by the PCI scanner. These are 3rd party services. If your website is running at a 3rd party hosting provider, you will need to work with the hosting provider to resolve any issues found in the scan report. Typically these scans find new things every time they are run (the good ones will learn over time). The vulnerabilities range from poor SSL/HTTPS encryption to "hackable" form fields.
It can be daunting. But one word of caution... a scanner should only have access that is equal to what the public gets. Don't give them any passwords, etc. It is not needed.
If you need professional assistance, then let me know.
Best of luck!
I wouldn't give such a blanket statement. It is quite possible that you offer the ability for people to pay via credit card and not be under PCI compliance.
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
If you are a small business and use another company (PayPal or whatever) to take the money from your customer and then pay you, they will be under PCI; you will not be.
In order to actually satisfy the requirements, I do not see how a $99 scan of your site will satisfy the requirements. One requirement is that you have to encrypt data at rest. That means they would need to verify that when you store customer credit card numbers it is encrypted. An external scan will not show that. One requirement is that you need to use a web application firewall or a yearly security scan. That is probably what they are selling you, in my opinion. I have yet to review any of that software, because my employer spends a few million a year in order to stay PCI compliant. That is why I find it hard to believe a $99 software solution will enable someone to actually be compliant. Due to risk, I would never suggest to one of my clients that they use their own merchant account to take credit cards. Use one of the third party companies that actually do this as a business. They will then ensure that the correct controls are in place. You can spend a lot more just protecting this data and controlling access to this data.
Also remember that PCI is just about credit card data. You can be PCI compliant and not be secure. There are also numerous state regulations from a privacy perspective that could impact your business. For example, Mass. is planning on implementing controls similar to PCI for social security numbers and other data on your customers you may save. So if you use the social, I would change to another identifier if possible.
Clarification for merchants is rather cloudy. I have been told that if you do not keep credit card information on your site that you are covered by your merchant account's PCI Compliance. We do not plan on keeping any credit card information stored on our systems, but rather will use other companies for our payment gateway and merchant account services (PayPal, Authorize.net, etc.)
If you have any suggestions for companies that offer great merchant account and payment gateway services, please let me know.
Thanks & God Bless,
Here is a good paper about PCI, what controls you need to implement if you handle PCI data, and have less than 20,000 transactions a year. The vendor sells a solution to allow you to tokenize the credit card info and send it to them for processing. That way the data does not hit your servers. That is when you become responsible for it.
Which was one of the reasons I stated that if you use a third party for credit card processing and do not store their info, you should not need the $99 solution.
Being a suspicious person by nature, are you sure the notice was actually from the company you accept payment through? That company should already know you don't have to be PCI compliant since you do not store the credit card information. This sounds like those phony bank account emails people receive.
A few hard truths.
PCI DSS compliance has minimum standards that all credit card processors must meet and advancing levels of protection based on the number of transactions.
There is no law that requires PCI compliance. Only the offended anti-fraud departments of major credit card companies that have literally had it and will not take it any more.
The ideal target for identity thieves is a small company with less than 240 customer/employee identities to lose and next to no ability to detect they have been hit. Each of the major credit card companies independently woke up, smelled the coffee and created this industry standard. They track it and create updates in the technical standard requirements and enforcement methods each year. They are prepared to cut off your upstream credit card processor and so kill their business. So, you get letters because this is getting serious.
The PCI DSS standards were created to combat fraudulent transactions. The leaner times get, the harder credit card companies are going to look at avoidable costs like losses to credit card fraud and identity theft. Which means this will not only not go away, it will get more blunt in the coming years.
Caring about the fate of your customer's identity just makes good business sense. Good for your business reputation with your customers. Good for your business accounts and credit. Good relations with the credit card companies that help you do business online.
Correct, but if you follow the standards of PCI, you are not actually secure. If you are a large corporation, PCI has a lot of weight. We can be fined by the credit card companies. They can take away your ability to accept credit cards, or charge you a higher transaction fee. When you deal with 10 billion dollars a year in revenue, that can mean a charge of tens of millions. If you are a little company and they feel you did something wrong, your bank can freeze your account and take the money lost in the fraud from your account.
On the original question of whether anyone else got a letter and whether the $99 scans are worth anything, most of us agreed: it is probably a scam at worst; at best it will do nothing but maybe make you feel like you did something. You won't be safe in my opinion.
If you are a small company, do not save or store customer credit cards; it will cause you grief. Do not require or ask for social security numbers; it will cause you grief.
If you are a small company, hire a company to do a simple scan using something like AppScan. It will only catch the low hanging fruit, but it is better than nothing and probably better than this PCI tool.
If you have a business that can afford 10+ developers, pay for them to get some secure coding training. Make them follow a full SDLC; make sure you do simple things like limit access to production servers. Implement code reviews that map back to functional and non-functional requirements. I do this in my own small company and I have only 2 developers and 2 offshore developers. It saves you money and grief in the long run.
If you hire 20+ developers, good for you. You have a little money. Spend some money hiring someone like Don Turnblade. It will save you grief, money and the potential loss of your company, even if you do not take credit cards. At my full-time gig I manage people like Don, and they protect my company's arse every day.