Our staff has been working towards this for the past two months and we hope to have it wrapped up soon. We had the site scanned right away to get that piece passed. Based on the rules regarding saving cc numbers we have changed our systems. We no longer save cc numbers and no one in house ever touches a web order cc number now. We also had to switch out some of our wireless network equipment to support WPA encryption. Right now we are looking for equipment / software to do the quarterly wireless scan. I figure our labor and equipment costs are going to run around $10k.

We've been compliant through Security Metrics for over a year now, and although the initial compliance was a pain, our server managers did most of the work, so now it's just tweaking it every quarter when the scan is done. If you manage your own servers then it's a right hassle.

One thing you may find is that even though you have the most up to date software etc, the scans say you don't. You can then email them and they'll adjust your scan manually.

The new questionaire is better than it was, as you select the options specific for your business - the old one you had to complete everything, some of which didn't really apply.

As far as the fee goes, we applied through our merchant account, and ended up paying about half of the quoted fee. Might be worth checking.

Thanks guys I am going through our merchant account and it is free but 10 to 1 next year is gonna cost me.
My firewall blocked them about 1/2 way through the scan so now I have to allow the ip range to scan my system. Not really keen on that but I don't a choice.

The wireless requirements were a big problem so we got rid of the wireless network and made sure all of our equipment was not wireless capable. Even if you don't have a wireless access point you can still have an ad-hoc wireless network so we got rid of everything with built in wireless support just to be on the safe side.

Chances are, you were probably billed around $120 from your merchant account provider. And they set something up with securitymetrics to help you get compliant. There are a number of companies out there that will provide the scan and then you can download the self-assessment questionnaire from the PCI Security Standards website.

If you use another company, like Comodo instead of Security Metrics for PCI compliance, contact the merchant account provider to see if you can get a refund.

I went through this about 6 months ago - HUGE headache for the programmers, but most of the guidelines were very good suggestions that would probably not have been done without a mandate. Good luck!

arieng do you know how many scans were run before you came into guidlines?

We were working with ScanAlert. I think there was dozens, if not hundreds, of on-demand scans that were run to get our initial compliance. Every couple of weeks they find a new vulnerability that we have to address, so its not a one-time fix.

arieng thanks for the reply I am not looking forward to this that is for sure, like I don't have enought to do as it is.

I wonder how all these smaller sites without dedicated hosting are going to get this done that use a shopping cart not connected to the hosting company.

Or the hosting company doesn't pass the scan.

It's not like I had a choice in this I am required if I want to keep my merchant account or face possible fines.

Unfortunately it is the card associations that helped to push this along and mandate some of the deadlines. A lot of the larger merchants had to comply a lot earlier - months ago (some even back in 2004).

Level 4 merchants are now seeing the providers pushing to get them compliant now. This will actually help you if you are compromised. If you are compromised before you are compliant, you could be fined $500,000 by one card brand. Being compliant will help at least get that fee possibly waived.

The scan was the simple part for us. Our firewall passed the first scan and our website passed after just a couple minor tweaks. I think our web host actually made the configuration changes that were needed to pass. Don't sweat it until you actually have the scan done. You might be pleasantly surprised.

I think it is a good thing myself just wish I had more notice to get it done. I got the letter last week and had to get it done before the 25th of this month. I got 2 week notice to get this done but they now extended it till the 25 of January.

If you call the tech support line now those guys are stressed out to the max.

If you have wireless, we came up with Airdefense and Wifi Owl as two software providers that can be used to scan your wifi network.

I have ran the scan 2 times already Getting my server is off line error. My host says all is ok with the firewall but securitymetrics says it is being blocked. I have sent another email to my provider with the ip range of the scanner. We will see.

something very fishy with securitymetrics. We are PCI compliant using mcafeesecure .. we have the questionairre complete, all scans passed including our office network and certification stating this yet our merchant provider insists we pay to use securitymetrics. In fact if you call our merchant provider and select the PCI option you are transferred direct to SM and they refuse to even hear that we are already compliant. They insist we pass their test and pay them.

ssgumby - if you are PCI compliant, contact customer service (or your agent). Tell them you are compliant and you should hopefully have some of the money refunded that was debited a couple of months ago. This was to pay securitymetrics for the quarterly scan.

Unfortunately Security Metrics was not prepared it seems for the thousands of merchants that had to contact them for compliancy. There are other ASV (approved scanning vendors) that you choose from.

ssgumby who is your merchant provider?
Firstdata waved our first year but I know next year we will have to pay for the certification process.

Unless I'm mistaken, you don't have to be PCI compliant unless your doing $50k/month or more. Might want to check into that.

Unless I'm mistaken, you don't have to be PCI compliant unless your doing $50k/month or more. Might want to check into that.

Unfortunately this is not the case. The PCI DSS requirements apply to merchants, network members, and service provider that store, hold, process, or transmit cardholder data.
MasterCard Worldwide: Standard Data Protection (SDP) [mastercard.com]
American Express: Data Security Operating Policy (DSOP) [americanexpress.com]
Discover Financial Services: Discover Information Security & Compliance (DISC) [discovernetwork.com]
Visa Incorporated: Cardholder Information Security Program (CISP) [visa.com]
JCB International: JCB Data Security Program [jcb-global.com]

A lot of merchants are Level 4 - processing less han 20,000 transactions a year. While the standard set dates for Levels 1,2,3 merchants, it left the Level 4 merchants somewhat out in the open unfortunately. (The merchant levels are mainly based on the number of transactions with the exception of those merchants who have had a compromise - they are Level 1 merchants.) And it is these merchants who can be more at risk for breaches. The standard basically allowed providers to set their own date for these merchants. And it is these merchants who face the largest pitfalls - being fined $500,000 or more by the card associations, and probably putting these businesses out of business.

It is these merchants that need to comply more than ever right now. If you are in compliant and have a breach, the fines might be waived. Remember though, even if you are compliant does not mean you are "secure".