dwight
VP-CART New User
USA
143 Posts |
Posted - April 29 2008 : 06:29:00
|
Has anyone run a Payment Card Industry scan from an approved vendor such as COMODO (HackerGuardian) on their webhost running VPASP? My credit card merchant sent me a letter requesting that I start running scans on my website to prove there are no vulnerabilities. I also use Authorize.net as a payment gateway and don't collect any credit card information. Would be nice and reassuring to hear that others have run these without any major setbacks.
OF COURSE, don't post any vulnerabilities here that may be exploited. Just want to know if others have done this.
thanks Dwight
|
Steve2507
VP-CART Expert
590 Posts |
Posted - April 29 2008 : 07:37:07
|
That seems strange because, as you do not take credit card details, the place to do the scans is on the Authorize.net servers.
Does your merchant account provider realise you use a third party to process the payments? It could be they don't realise this, so tell them and then see what they say.
Steve Sex toys from a UK sex shop
|
|
dwight
VP-CART New User
USA
143 Posts |
Posted - April 29 2008 : 09:07:45
|
Thanks for your response. The credit card merchant (bank that collects the money) does know that I don't accept credit cards and that the transactions are done through Authorize.net. However, the credit card industry has standards that are being enforced now more than ever. They too realize that small companies may not accept credit cards or store information. There are different levels depending on the number of credit card orders you process. There are a number of websites that discuss this standard that your bank may force you to start using. Search for PCI standard or visit a credit card company website. Unfortunately, I think mine has started enforcing because they are trying to sell their own ASV software (Authorize Scanning Vendor software I think).
The companies I use are Authorize.net as the payment gateway, and IPayment as the entity that collects the money and deposits it in my bank account.
Yes, I do lack the technical jargon, but you should be able to follow.
thanks Dwight
|
|
Steve2507
VP-CART Expert
590 Posts |
Posted - May 02 2008 : 03:53:53
|
Wow, I understand what you are saying; it just seems strange that they are putting the pressure on you rather than the credit card processor.
In the UK, as long as the section that actually takes the card details is secure, banks are happy.
Steve Sex toys from a UK sex shop
|
|
dwight
VP-CART New User
USA
143 Posts |
Posted - May 14 2008 : 07:03:31
|
To continue on. I have received a second notification from my merchant bank and must comply by selecting an approved scanning vendor. I think I will use HackerGuardian. I'm surprised that no one else has run into this. Any negative or positive feedback will be nice. I guess after I run the scan I'll let you know how VPASP chalks up to the test without giving out any weaknesses found. thanks Dwight
|
|
Lori Titus
VP-CART New User
144 Posts |
Posted - June 17 2008 : 10:38:22
|
I also use iPayment + Authorize.net. From the last letter I received from iPayment, I thought they were going to charge us $20 to implement their scanning vendor of choice, and that we were going to get another letter from the vendor explaining how to set up the scans. Then I never saw another letter. Maybe I should contact iPayment for clarification.....
I also think it is bogus to have to run these scans when we don't collect the CC info, but I think part of it has to do with testing the encryption between our servers and Authorize.net. $20 a month seems a bit steep for us small merchants, though. Makes me think of using just PayPal.
The Internet's #1 supplier of honey and beeswax.
|
|
elammers
VP-CART Super User
USA
256 Posts |
Posted - June 17 2008 : 14:37:24
|
Or just switch to a different bank behind Authorize.net. I haven't heard of any of this from my clients that I've got running Authorize.net. Off the top of my head I don't know who the various banks are that have been assigned to these clients because it's been hands-off, no problems.
Regards, Eric Lammers www.KrackMedia.com Building More Than Web Sites . . . Building a Web Presence
|
|
Lori Titus
VP-CART New User
144 Posts |
Posted - June 20 2008 : 13:15:25
|
I don't know who the bank is. I run through a service called Merchant Warehouse. They do a great job with my offline sales (we do a lot of craft shows with a wireless unit). When I realized how much our online service had started charging us over the years, I asked Merchant Warehouse for a quote for our online sales, and I guess they farm out to (or own) iPayment.
The Internet's #1 supplier of honey and beeswax.
|
|
saki
VP-CART New User
82 Posts |
Posted - June 22 2008 : 01:12:52
|
If you use the AIM module for Authorize.net you do "handle" and pass through the credit card information. Under PCI that requires you to be compliant.
Edited by - saki on June 22 2008 01:13:25
|
|
dwight
VP-CART New User
USA
143 Posts |
Posted - August 28 2008 : 11:52:23
|
Since someone else mentioned it: I used Merchant Warehouse and they are HORRIBLE. Watch them. They are famous for "no option charges". Even though they boast about no cancellation fee, they charged me $250. However, they always credit the account back. It's as if they wait to see if they get caught. Their fees are a lot higher than you think once you start looking around. My problem was solved by switching companies, and like everyone thinks, as long as a payment gateway such as Authorize.net is processing all the credit card information and you're not collecting any numbers, you don't need to go through all the cr@! companies like Merchant Warehouse try to put you through.
|
|
PhilWilliams
Starting Member
USA
8 Posts |
Posted - September 26 2008 : 15:41:53
|
I capture credit card information, and also use PayPal. I received the dreaded notification about PCI compliance about 2 years ago, and the scan certification cycles went from about once a year to once per quarter. I use Security Metrics for the scanning service. They appear to be pretty reasonable to deal with, although I had to go through several quarterly "events" with them regarding what they called vulnerabilities, which turned out to be bad scripts in their testing. Several days of tightly clutching my chest finally gave way to relief. I've not had any issues for the past six months or so. I use Comodo for the SSL certificate. Cost from Security Metrics is about $200/year if I remember correctly. It's a pretty tough hit for smaller businesses, but I think the alternatives are worse... Punishment fines are ridiculous, so the costs are tolerable.
Phil Williams http://www.photosolve.com
|
|
Lori Titus
VP-CART New User
144 Posts |
Posted - February 15 2009 : 12:06:46
|
Thought some of us might be interested in the following link. It is the final posting of a blog that discusses one company's journey to pick a PCI vendor. They named it the PCI Compliance Project. Took them several months, but I think their methodology was pretty good.
http://www.rackaid.com/resources/rackaid-blog/racktips/pci_compliance_project_control/
The Internet's #1 supplier of honey and beeswax.
|
|
Lori Titus
VP-CART New User
144 Posts |
Posted - February 24 2009 : 12:56:05
|
New update - I just spoke with Merchant Warehouse, who I go through for my internet CC processing. The bills come in under the name iPayment, and the gateway is Authorize.net.
Merchant Warehouse tells me that they charged a one-time fee back in June for PCI compliance, that all compliance scans and paperwork are handled on their end, and they specifically stated, "You do not have to do anything, we take care of it all for you." He also stated that they would notify me if there was a problem, but that I did not have to go find a vendor or fill out the questionnaire.
Whew. That is a load off my mind!
As a disclaimer - other providers may have other policies, so check. A simple phone call quickly resolved all my questions.
(As a side note - I also asked them to review my history and see if I qualified for a lower discount. I did, they applied it, dropping non-qualified rates by almost 0.5%, and qualified and mid-qualified rates by a bit less! I do this once a year, and they have always obliged, getting back to me within a few days with the results.)
The Internet's #1 supplier of honey and beeswax.
|
|
tom.jolly
Starting Member
United Kingdom
1 Posts |
Posted - May 14 2009 : 05:33:49
|
I have just been caught out, in my naivety, by this after switching from PayPal Standard to PayPal Pro. Even though I do not store any third-party financial details, I have to comply with PCI according to PayPal. They have been very helpful though, coaching me through what needs to be done. PayPal have a deal with McAfee, which I duly signed up to because I have only got a couple of days to sort things out. It is free for the first year. I guess PayPal insist on it for a variety of reasons. They obviously have an interest in working with secure partners, but they may also make a tidy referral buck from McAfee. In my case, despite not storing data, it is entered onto a VP-ASP page on my site and this data is then sent to PayPal. I presume it is that fraction of a second's exposure that may not seem a lot but is enough for hackers to exploit.
The Model Catalogue - www.themodelcatalogue.com - "All you need to get the greatest fun out of plastic kit modelling!"
|
|
support
Administrator
4679 Posts |
Posted - May 14 2009 : 09:37:34
|
Hi all
PCI is a bit of a minefield as providers all seem to have different requirements.
A very broad rule of thumb, however, is that if you are using a hosted gateway, one where the card details are entered on the payment gateway's site, then your PCI requirements are minimal as you are not handling, storing or transmitting card data.
If, however, you use an integrated gateway such as ANAIM, where you take card details on your site and transmit them in the background to the gateway so everything remains under your banner, you will be required to have your site scanned before you can receive certification.
We have touched on PCI in our blog at: http://www.vpasp.com/vpasp_shopping_cart_blog/default.asp?Display=5
I would be very interested to hear other people's experience with this.
Thanks Cam
VPASP Support
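An added example for the hosted-versus-integrated distinction Cam draws above (this is not code from the thread, from VP-ASP or from Authorize.net). The point of the rule of thumb is whether a card number ever reaches your own server: with a hosted payment page the card form posts straight to the gateway's host, with an AIM-style integration it posts to your site first. The Python below gives you two checks a merchant can run offline: whether a posted form carries a Luhn-valid card number (so your handler is "handling and transmitting" it), and whether card numbers have leaked into your web server logs (so you are "storing" them). The field names, URL paths and log lines are constructed for the example; the only real values are the public Visa and MasterCard test numbers.

```python
"""Detect primary account numbers (PANs) reaching a merchant's own server.

Added example for this thread; not VP-ASP or Authorize.net code. Field names,
URL paths and the sample log lines are constructed for illustration.
"""
from __future__ import annotations

import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not part
# of a longer digit run (so a 20-digit tracking number is not picked up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if `digits` passes the Luhn (mod 10) check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised (digits-only) Luhn-valid card numbers found in `text`."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI DSS display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_data_crosses_server(form: dict[str, str]) -> bool:
    """True if any posted field carries a PAN, i.e. the merchant server handles it.

    A hosted payment page posts the card form to the gateway's own host, so the
    merchant-side handler only ever sees a token or order reference and this
    returns False. An AIM-style integration posts the card number to the
    merchant first, and this returns True regardless of what the field is called.
    """
    return any(find_pans(value) for value in form.values())


def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, masked PAN) for every PAN found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample web-server log. The card numbers are the public test PANs
# 4111111111111111 and 5500000000000004; the 16-digit order number on line 3
# is not Luhn-valid and must not be reported.
SAMPLE_LOG = [
    "2009-05-14 09:37:34 GET /checkout.asp 200",
    "2009-05-14 09:37:41 POST /pay-aim.asp cardnumber=4111111111111111 exp=1210",
    "2009-05-14 09:37:42 gateway response ordernumber=1234567890123456 approved",
    "2009-05-14 09:37:43 POST /pay-aim.asp cardnumber=5500 0000 0000 0004 exp=0111",
]

if __name__ == "__main__":
    hosted = {"token": "gw-7f3a", "amount": "19.95"}                  # hosted page: token only
    integrated = {"cardnumber": "4111 1111 1111 1111", "exp": "1210"}  # AIM-style post
    print("hosted form handles card data:", card_data_crosses_server(hosted))
    print("AIM form handles card data:", card_data_crosses_server(integrated))
    for line_no, masked in scan_log_lines(SAMPLE_LOG):
        print(f"PAN logged on line {line_no}: {masked}")
```

Run it over a real access or application log before an ASV scan: a hit means card numbers are being written to disk, which puts you squarely in the "storing" category whatever the gateway does afterwards. The Luhn filter is what keeps order numbers, timestamps and tracking numbers out of the results; the masked output is safe to paste into a ticket.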
|
|
|