VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 PCI Security Standards
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

dwight
VP-ASP New User

USA
143 Posts

Posted - April 29 2008 :  06:29:00  Show Profile  Reply with Quote
Has anyone run a Payment Card Industry scan from an approved vendor such as COMODO (hackerguardian) on there webhost runing VPASP. My credit card merchant sent me a letter requesting that I start running scans on my website to prove there are no vulnerabilities.
I also use Authorize.net as a payment gateway and don't collect any credit card information.
Would be nice a reassuring to hear that others have run these without any major setbacks.

OF COURSE, don't post any vulnerabilities here that may be exploited. Just want to know if others have done this.

thanks
Dwight

Steve2507
VP-ASP Expert

590 Posts

Posted - April 29 2008 :  07:37:07  Show Profile  Reply with Quote
That seems strange because as you do not take credit card details then the place to do the scans is on the autorise.net servers.

Does your merchant account providerrealise you use a third party to process the payments? It could be they don;t realise this so tell them and then see what they say.


Steve
Sex toys from a UK sex shop
Go to Top of Page

dwight
VP-ASP New User

USA
143 Posts

Posted - April 29 2008 :  09:07:45  Show Profile  Reply with Quote
Thanks for your response.
The credit card merchant (bank that collects the money) does know that I don't accept credit cards and that the transactions are done throught authorize.net. However, the credit card industry has standards that are being enforced now more than ever. They too, realize that small companies may not accept credit cards or store information.
There are different levels depending on the number of credit card orders you process. There are a number of websites that discuss this standard that your bank may force you to start using. Search for PCI standard or vist a credit card company website.
Unfortunately, I think mine has started enforcing because they are trying to sell their own ASV software (Authorize Scanning Vendor software I think).

The companies I use are Authorize.net as the payment gateway, and IPayment as the entity that collects the money and deposits in my bank account.

Yes I do lack in the technical gargon, but you should be able to follow.

thanks
Dwight
Go to Top of Page

Steve2507
VP-ASP Expert

590 Posts

Posted - May 02 2008 :  03:53:53  Show Profile  Reply with Quote
Wow, I understand what you are saying, it just seems strange that they are putting the pressure on you rather than the credit card processor.

In the UK as long as the section that actually takes the card details is secure banks are happy.


Steve
Sex toys from a UK sex shop
Go to Top of Page

dwight
VP-ASP New User

USA
143 Posts

Posted - May 14 2008 :  07:03:31  Show Profile  Reply with Quote
To continue on. I have received a second notification from my merchant bank and must comply by selecting an approved scanning vendor. I think I will use Hackerguardian. I'm surprised that no one else has run in to this.
Any negative or positve feed back will be nice.
I guess after I run the scan I'll let you know how VPASP chalks up to the test without giving out any weaknesses found.
thanks
Dwight
Go to Top of Page

Lori Titus
VP-ASP New User

126 Posts

Posted - June 17 2008 :  10:38:22  Show Profile  Visit Lori Titus's Homepage  Reply with Quote
I also use Ipayment + authorizenet. From the last letter I received from Ipayment, I thought they were going to charge us $20 to implement their scanning vendor of choice, and that we were going to get another letter from the vendor explaining how to setup the scans. Then I never saw another letter. Maybe I should contact Ipayment for clarification.....

I also think it is bogus to have to run these scans when we don't collect the cc info, but I think part of it has to do with testing the encryption between our servers and authorizenet. $20 a month seems a bit steep for us small merchants, though. Makes me think of using just PayPal.

The Internet's #1 supplier of honey and beeswax.
Go to Top of Page

elammers
VP-ASP Super User

USA
256 Posts

Posted - June 17 2008 :  14:37:24  Show Profile  Visit elammers's Homepage  Reply with Quote
Or just switch to a different bank behind Authorize.net. I haven't heard of any of this from my client's that I've got running Authorize.net. Off the top of my head I don't know who the various banks are that have been assigned to these clients because it's been hands-off no problems.



Regards,
Eric Lammers
www.KrackMedia.com
Building More Than Web Sites . . . Building a Web Presence
Go to Top of Page

Lori Titus
VP-ASP New User

126 Posts

Posted - June 20 2008 :  13:15:25  Show Profile  Visit Lori Titus's Homepage  Reply with Quote
I don't know who the bank is - I run through a service called Merchant Warehouse. They do a great job with my offline sales (we do a lot of craft shows with a wireless unit). When I realized how much our online service had started charging us over the years, I asked Merchant for a quote for our online sales, and I guess they farm out to (or own) iPayment.

The Internet's #1 supplier of honey and beeswax.
Go to Top of Page

saki
VP-ASP New User

82 Posts

Posted - June 22 2008 :  01:12:52  Show Profile  Reply with Quote
If you use the AIM module for Authorizenet you do "handle" and pass through the creditcard information. Under PCI that requires you to be compliant.

Edited by - saki on June 22 2008 01:13:25
Go to Top of Page

dwight
VP-ASP New User

USA
143 Posts

Posted - August 28 2008 :  11:52:23  Show Profile  Reply with Quote
Since someone else mentioned it. I used Merchant Warehouse and they are HORRIBLE. Watch them. They are famous for "no option charges". Even though they boast about no cancellation fee they charged me $250. However, they always credit the account back. It's as if they wait to see if they get caught.
Their fees are a lot higher than you think once you start looking around.
My problem was solved by switching companies and like everyone thinks, as long as a payment gateway such as Authorize.net is processing all the credit card information and your not collecting any numbers you don't need to go through all the cr@! companies like Merchant Warehouse tries to put you through.
Go to Top of Page

PhilWilliams
Starting Member

USA
8 Posts

Posted - September 26 2008 :  15:41:53  Show Profile  Visit PhilWilliams's Homepage  Reply with Quote
I capture credit card information, and also use Paypal. I received the dreaded notification about PCI compliance about 2 years ago, and the scan certification cycles went from about 1 year to once per quarter. I use Security Metrics for the scanning service. They appear to be pretty reasonable to deal with although I had to go through several quarterly "events" with them regarding what they called vulnerabilities which turned out to be bad scripts in their testing. Several days of tightly clutching my chest finally gave way to relief. I've not had any issues for the past six months or so. I use Comodo for the SSL certificate. Cost from Security Metrics is about $200/year if I remember correctly. It's a pretty tough hit for smaller businesses, but I think the alternatives are worse...Punishment fines are ridiculous, so the costs are tolerable.

Phil Williams
http://www.photosolve.com
Go to Top of Page

Lori Titus
VP-ASP New User

126 Posts

Posted - February 15 2009 :  12:06:46  Show Profile  Visit Lori Titus's Homepage  Reply with Quote
Thought some of us might be interested in the following link. It is the final posting of a blog that discusses one company's journey to pick a PCI vendor. They named it the PCI Compliance Project. Took them several months, but I think their methodology was pretty good.

http://www.rackaid.com/resources/rackaid-blog/racktips/pci_compliance_project_control/

The Internet's #1 supplier of honey and beeswax.
Go to Top of Page

Lori Titus
VP-ASP New User

126 Posts

Posted - February 24 2009 :  12:56:05  Show Profile  Visit Lori Titus's Homepage  Reply with Quote
New update - I just spoke with Merchant Warehouse, who I go through for my internet CC processing. The bills come in under the name iPayment, and the gateway is Authorizenet.

Merchant Warehouse tells me that they charged a one-time fee back in June for PCI compliance, that all compliance scans and paperwork are handled on their end, and they specifically stated, "You do not have to do anything, we take care of it all for you." He also stated that they would notify me if there was a problem, but that I did not have to go find a vendor or fill out the questionaire.

Whew. That is a load off my mind!

As a disclaimer - other providers may have other policies, so check. A simple phone call quickly resolved all my questions.

(As a side note - I also asked them to review my history, and see if I qualified for a lower discount. I did, they applied it, dropping non-qualified rates by almost 0.5%, and qualified and mid-qualified rates by a bit less! I do this once a year, and they have always obliged, getting back to me within a few days with the results.)

The Internet's #1 supplier of honey and beeswax.
Go to Top of Page

tom.jolly
Starting Member

United Kingdom
1 Posts

Posted - May 14 2009 :  05:33:49  Show Profile  Visit tom.jolly's Homepage  Reply with Quote
I have just been caught out, in my naivety, by this after switching from Paypal standard to PayPalPro. Even though I do not store any third party financial details I have to comply with PCI according to PayPal. They have been very helpful though, coaching me through what needs to be done.
PayPal have a deal with McAfee which I duly signed up to because I have only got a couple of days to sort things out. It is free for the first year. I guess PayPal insist on it for a variety of reasons. They obviously have an interest in working with secure partners, but they may also make a tidy referral buck from McAfee. In my case despite not storing data, it is entered onto a VP-ASP page on my site and this data is then sent to Paypal. I presume it is that fraction of a second's exposure that may not seem a lot but is enough for hackers to exploit.

The Model Catalogue - www.themodelcatalogue.com - "All you need to get the greatest fun out of plastic kit modelling!"
Go to Top of Page

support
Administrator

4266 Posts

Posted - May 14 2009 :  09:37:34  Show Profile  Visit support's Homepage  Reply with Quote
Hi all

PCI is a bit of a mine field as providers all seem to have different requirements.

A very broad rule of thumb however is that if you are using a hosted gateway, one where the card details are entered on the payment gateways site, then your PCI requirements are minimal as you are not handling, storing or transmitting card data.

If however you use an integrated gateway such as ANAIM and you take card details on your site and transmit them in the background to the gateway so everything remains under your banner you will be required to have your site be scanned before you can receive certification.

We have touched on PCI in our blog at:
http://www.vpasp.com/vpasp_shopping_cart_blog/default.asp?Display=5

I would be very interested to hear other peoples experience with this.

Thanks
Cam

VPASP Support
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000