
Trying to get PCI Compliance

Anybody completed the new PCI Compliance

2:35 am on Nov 18, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


securitymetrics.com sent me a couple of letters saying this is a must-do to keep from being fined or losing my merchant account. It is free this time, but I see where it is going: next year it will be 199.00.

I am having a tough time getting this taken care of. Has anybody else gone through the compliance test yet?

3:24 am on Nov 18, 2008 (gmt 0)

Full Member


joined:Aug 21, 2001
posts:206
votes: 0


Our staff has been working towards this for the past two months and we hope to have it wrapped up soon. We had the site scanned right away to get that piece passed. Based on the rules regarding saving cc numbers we have changed our systems. We no longer save cc numbers and no one in house ever touches a web order cc number now. We also had to switch out some of our wireless network equipment to support WPA encryption. Right now we are looking for equipment / software to do the quarterly wireless scan. I figure our labor and equipment costs are going to run around $10k.

3:24 am on Nov 18, 2008 (gmt 0)

Junior Member


joined:Nov 8, 2005
posts:68
votes: 0


We've been compliant through Security Metrics for over a year now, and although the initial compliance was a pain, our server managers did most of the work, so now it's just tweaking it every quarter when the scan is done. If you manage your own servers then it's a right hassle.

One thing you may find is that even though you have the most up to date software etc, the scans say you don't. You can then email them and they'll adjust your scan manually.

The new questionnaire is better than it was, as you select the options specific to your business; with the old one you had to complete everything, some of which didn't really apply.

As far as the fee goes, we applied through our merchant account, and ended up paying about half of the quoted fee. Might be worth checking.

2:06 pm on Nov 18, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


Thanks guys, I am going through our merchant account and it is free, but 10 to 1 next year is gonna cost me.
My firewall blocked them about 1/2 way through the scan, so now I have to allow the IP range to scan my system. Not really keen on that, but I don't have a choice.

3:00 pm on Nov 18, 2008 (gmt 0)

Senior Member from GB 


joined:Oct 10, 2003
posts:678
votes: 4


The wireless requirements were a big problem so we got rid of the wireless network and made sure all of our equipment was not wireless capable. Even if you don't have a wireless access point you can still have an ad-hoc wireless network so we got rid of everything with built in wireless support just to be on the safe side.

3:57 pm on Nov 18, 2008 (gmt 0)

Senior Member


joined:Feb 28, 2004
posts: 1786
votes: 0


Chances are, you were probably billed around $120 from your merchant account provider. And they set something up with securitymetrics to help you get compliant. There are a number of companies out there that will provide the scan and then you can download the self-assessment questionnaire from the PCI Security Standards website.

If you use another company, like Comodo instead of Security Metrics for PCI compliance, contact the merchant account provider to see if you can get a refund.

4:35 pm on Nov 18, 2008 (gmt 0)

Preferred Member


joined:Nov 2, 2006
posts:410
votes: 0


I went through this about 6 months ago - HUGE headache for the programmers, but most of the guidelines were very good suggestions that would probably not have been done without a mandate. Good luck!

6:25 pm on Nov 18, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


arieng, do you know how many scans were run before you came into guidelines?

6:51 pm on Nov 18, 2008 (gmt 0)

Preferred Member


joined:Nov 2, 2006
posts:410
votes: 0


We were working with ScanAlert. I think there were dozens, if not hundreds, of on-demand scans that were run to get our initial compliance. Every couple of weeks they find a new vulnerability that we have to address, so it's not a one-time fix.

7:37 pm on Nov 18, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


arieng, thanks for the reply. I am not looking forward to this, that is for sure, like I don't have enough to do as it is.

I wonder how all these smaller sites without dedicated hosting, that use a shopping cart not connected to the hosting company, are going to get this done.

Or the hosting company doesn't pass the scan.

It's not like I had a choice in this; I am required to if I want to keep my merchant account, or face possible fines.

8:17 pm on Nov 18, 2008 (gmt 0)

Senior Member


joined:Feb 28, 2004
posts: 1786
votes: 0


Unfortunately it is the card associations that helped to push this along and mandate some of the deadlines. A lot of the larger merchants had to comply a lot earlier - months ago (some even back in 2004).

Level 4 merchants are now seeing the providers pushing to get them compliant. This will actually help you if you are compromised. If you are compromised before you are compliant, you could be fined $500,000 by one card brand. Being compliant will help at least get that fee possibly waived.

8:22 pm on Nov 18, 2008 (gmt 0)

Full Member


joined:Aug 21, 2001
posts:206
votes: 0


The scan was the simple part for us. Our firewall passed the first scan and our website passed after just a couple minor tweaks. I think our web host actually made the configuration changes that were needed to pass. Don't sweat it until you actually have the scan done. You might be pleasantly surprised.

8:25 pm on Nov 18, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


I think it is a good thing myself; I just wish I had more notice to get it done. I got the letter last week and had to get it done before the 25th of this month. I got 2 weeks' notice to get this done, but they have now extended it till the 25th of January.

If you call the tech support line now those guys are stressed out to the max.

8:26 pm on Nov 18, 2008 (gmt 0)

Full Member


joined:Aug 21, 2001
posts:206
votes: 0


If you have wireless, we came up with Airdefense and Wifi Owl as two software providers that can be used to scan your wifi network.

1:11 am on Nov 19, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


I have run the scan 2 times already and keep getting a "my server is offline" error. My host says all is OK with the firewall, but securitymetrics says it is being blocked. I have sent another email to my provider with the IP range of the scanner. We will see.
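
When the scanner reports "blocked" and the host says the firewall is fine, the firewall's own drop log settles the argument. The script below is an added example, not code from this thread or from SecurityMetrics: it reads iptables LOG lines (the sample lines are constructed), reports which drops came from the scanner's published source range, and builds an exemption that lets the scanner skip a rate-limit or anti-scan chain only, so the ordinary filter rules still apply and the ASV sees the same exposure any other internet host would. The range 203.0.113.0/24, the chain name RATELIMIT and the log prefix are placeholders; the real values come from your ASV and your own ruleset.

```python
import ipaddress
import re

# Placeholder scanner range: the real source addresses are published by the ASV
# you use. 203.0.113.0/24 is RFC 5737 documentation space, so it matches no live host.
SCANNER_RANGES = ["203.0.113.0/24"]

# Assumed name of a user-defined chain that INPUT jumps to for rate-limit /
# anti-scan drops. Adjust to whatever your ruleset actually calls it.
RATELIMIT_CHAIN = "RATELIMIT"

# Assumed --log-prefix on the LOG rule that sits in front of the rate-limit DROP.
LOG_PREFIX = "RATELIMIT-DROP"

# Pulls the source address and destination port out of an iptables LOG line
# (SRC= always precedes DPT= in that format).
_LOG_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d+)")

# Constructed sample syslog lines in iptables LOG format; not real traffic.
SAMPLE_LOG = [
    "Nov 19 01:05:12 web kernel: RATELIMIT-DROP IN=eth0 OUT= SRC=203.0.113.17 "
    "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN",
    "Nov 19 01:05:12 web kernel: RATELIMIT-DROP IN=eth0 OUT= SRC=203.0.113.17 "
    "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51235 DPT=8443 SYN",
    "Nov 19 01:05:13 web kernel: RATELIMIT-DROP IN=eth0 OUT= SRC=203.0.113.17 "
    "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN",
    "Nov 19 01:05:14 web kernel: RATELIMIT-DROP IN=eth0 OUT= SRC=192.0.2.44 "
    "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN",
]


def in_ranges(ip, ranges=SCANNER_RANGES):
    """True if ip falls inside any of the scanner CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def scanner_drops(lines, ranges=SCANNER_RANGES, prefix=LOG_PREFIX):
    """Map each scanner source seen in rate-limit drops to {dest_port: drop_count}.

    A non-empty result means the firewall, not the host, cut the scan short.
    """
    hits = {}
    for line in lines:
        if prefix not in line:
            continue
        m = _LOG_RE.search(line)
        if not m or not in_ranges(m.group("src"), ranges):
            continue
        per_src = hits.setdefault(m.group("src"), {})
        dport = int(m.group("dpt"))
        per_src[dport] = per_src.get(dport, 0) + 1
    return hits


def exemption_rules(ranges=SCANNER_RANGES, chain=RATELIMIT_CHAIN):
    """iptables commands that let scanner traffic skip the rate-limit chain only.

    RETURN hands the packet back to INPUT, so the ordinary filter rules still
    apply and the scanner sees exactly the exposure any other internet host sees.
    """
    rules = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)  # raises ValueError on a bad CIDR
        rules.append(
            f'iptables -I {chain} 1 -s {net} '
            '-m comment --comment "ASV scanner exemption" -j RETURN'
        )
    return rules


if __name__ == "__main__":
    for src, ports in scanner_drops(SAMPLE_LOG).items():
        print(f"scanner {src} dropped on ports {sorted(ports)}")
    print("\n".join(exemption_rules()))
```

Run it against a copy of the real kernel log (`journalctl -k` or /var/log/kern.log) with the ASV's actual range substituted; if scanner_drops comes back empty, the block is happening upstream of this host, which is the answer the hosting provider needs.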

3:34 pm on Dec 12, 2008 (gmt 0)

Full Member


joined:Aug 31, 2006
posts:317
votes: 0


Something very fishy with securitymetrics. We are PCI compliant using mcafeesecure: we have the questionnaire complete, all scans passed, including our office network, and certification stating this, yet our merchant provider insists we pay to use securitymetrics. In fact, if you call our merchant provider and select the PCI option you are transferred direct to SM, and they refuse to even hear that we are already compliant. They insist we pass their test and pay them.

6:07 pm on Dec 12, 2008 (gmt 0)

Senior Member


joined:Feb 28, 2004
posts: 1786
votes: 0


ssgumby - if you are PCI compliant, contact customer service (or your agent). Tell them you are compliant and you should hopefully have some of the money refunded that was debited a couple of months ago. This was to pay securitymetrics for the quarterly scan.

Unfortunately Security Metrics was not prepared, it seems, for the thousands of merchants that had to contact them for compliance. There are other ASVs (approved scanning vendors) that you can choose from.

2:01 pm on Dec 15, 2008 (gmt 0)

Senior Member

bwnbwn

joined:Oct 25, 2005
posts:3598
votes: 52


ssgumby, who is your merchant provider?
Firstdata waived our first year, but I know next year we will have to pay for the certification process.

5:26 pm on Dec 25, 2008 (gmt 0)

Junior Member


joined:Mar 3, 2003
posts: 170
votes: 0


Unless I'm mistaken, you don't have to be PCI compliant unless you're doing $50k/month or more. Might want to check into that.

8:49 pm on Dec 25, 2008 (gmt 0)

Senior Member


joined:Feb 28, 2004
posts: 1786
votes: 0


Unless I'm mistaken, you don't have to be PCI compliant unless you're doing $50k/month or more. Might want to check into that.

Unfortunately this is not the case. The PCI DSS requirements apply to merchants, network members, and service providers that store, hold, process, or transmit cardholder data.
MasterCard Worldwide: Standard Data Protection (SDP) [mastercard.com]
American Express: Data Security Operating Policy (DSOP) [americanexpress.com]
Discover Financial Services: Discover Information Security & Compliance (DISC) [discovernetwork.com]
Visa Incorporated: Cardholder Information Security Program (CISP) [visa.com]
JCB International: JCB Data Security Program [jcb-global.com]

A lot of merchants are Level 4, processing less than 20,000 transactions a year. While the standard set dates for Level 1, 2 and 3 merchants, it left the Level 4 merchants somewhat out in the open, unfortunately. (The merchant levels are mainly based on the number of transactions, with the exception of those merchants who have had a compromise; they are Level 1 merchants.) And it is these merchants who can be more at risk for breaches. The standard basically allowed providers to set their own date for these merchants. And it is these merchants who face the largest pitfalls: being fined $500,000 or more by the card associations, and probably being put out of business.

It is these merchants that need to comply more than ever right now. If you are in compliance and have a breach, the fines might be waived. Remember though, being compliant does not mean you are "secure".