  1. #1
    Join Date
    Mar 2009
    Posts
    25
    Plugin Contributions
    0

    Default PCI Compliance... So Confused..

    So I have been tearing my hair out trying to find out what I need to do to be PCI Compliant. I have gone to the different websites and read tons of information but I am still unclear about if what I am doing is not right... This is what I do now:

    Running Zen Cart 1.3.8a
    PHP Version: 5.2.8 (Zend: 2.2.0)
    Hosted by Bluehost.com
    Using an SSL Cert

    When I get an order I get the middle digits of the credit card sent in an email and the other part is stored on the server. I do not use the CVV code because my processor does not need it. After I get the order I take the CC info and input it into quickbooks and then I manually put it into my credit card machine that is set up specifically for purchases without the card being present.

    I have the current Quickbooks software.

    I recently got a letter from my merchant service provider telling me that they are going to start charging me $12 per month to "cover the costs associated with managing a PCI compliance program" on all of my three accounts. They say they are using SimplyPCI.

    From all that I have read I can not figure out what I need to do to start to become compliant and if this $12 fee is ridiculous or not? Is there some kind of list or something that tells me exactly what I need to do?

  2. #2
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Default Re: PCI Compliance... So Confused..

    You need to contact your merchant and see who they recommend for a PCI compliance scan (you don't have to use who they tell you, but it's less hassle if you do).

    Purchase a scan package from them and run the scan, then take the failure report to your host and let them get it fixed....
    Zen cart PCI compliant Hosting

  3. #3
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: PCI Compliance... So Confused..

    1. Storing credit card details, encrypted or not, full details or not, on a Shared Server is illegal in the USA (full stop).

    2. Running orders taken online through a service meant for offline payments (an EPOS machine) is either illegal (depends on the country) or just violates your legally binding agreement with the card companies. If caught, the least that will happen is that you lose your EPOS machine, cannot take credit/debit cards and end up on a blacklist run by the Payment Card Industry. "Cardholder Not Present" transactions which are taken offline via MOTO (Mail Order/Telephone Order) are different from online "Cardholder Not Present" transactions.

    3. Email is the most insecure method of transmitting data that could possibly be used.

    Having said that, I fail to see why anyone should be charged anything by a payment processing company for the costs involved in making their service PCI compliant. It's necessary for their business that they update their systems. That's all there is to it.

    Vger

  4. #4
    Join Date
    Mar 2009
    Posts
    25
    Plugin Contributions
    0

    Default Re: PCI Compliance... So Confused..

    Quote Originally Posted by Vger View Post
    1. Storing credit card details, encrypted or not, full details or not, on a Shared Server is illegal in the USA (full stop).

    2. Running orders taken online through a service meant for offline payments (an EPOS machine) is either illegal (depends on the country) or just violates your legally binding agreement with the card companies. If caught, the least that will happen is that you lose your EPOS machine, cannot take credit/debit cards and end up on a blacklist run by the Payment Card Industry. "Cardholder Not Present" transactions which are taken offline via MOTO (Mail Order/Telephone Order) are different from online "Cardholder Not Present" transactions.

    My credit card machine was set up specifically for taking online or over-the-phone orders. My merchant knows that that machine is only used for this purpose.

    You're saying that it is illegal for me to be running my Zen Cart the way it is set up by default (storing half the information in the database and half in email)?

    My merchant service company is having me fill out a form through SimplyPCI which I assume is for the scan part. Which I am doing now but am confused with that as well.

    One question says "Are you or your vendor PCI/DSS compliant?"
    Who is my vendor???

    Of my three different merchant accounts, one is for retail, one is a wireless CC machine for trade shows, and the other is for mail order. I don't think that either of the others besides mail order would even need to be PCI compliant?

  5. #5
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: PCI Compliance... So Confused..

    It says "Are you or your vendor", and the answer to "you" is that you're not PCI compliant.


    You cannot become PCI compliant whilst you store card details on a shared server.

    When you refer to "your merchant" are you referring to the company that provides your Merchant ID? Did they provide you with a Merchant ID or an Internet Merchant ID (they are markedly different animals).

    Vger

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PCI Compliance... So Confused..

    Your safest place to get answers related to your specific questions is the PCI scan company you're working with.
    You can take information offered by volunteers into consideration, and can use it as extra information when trying to interpret some things.
    But ... taking information from people who are not making the final decision on whether you "pass" or not ... is merely conjecture.

    Vger is right on several points. But your scan company may have some different (and more helpful, less restrictive) points of view to work from. Best to ask THEM, since THEY have the final say.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  7. #7
    Join Date
    Mar 2009
    Posts
    25
    Plugin Contributions
    0

    Default Re: PCI Compliance... So Confused..

    Well, yes I know that I'M NOT PCI Compliant, but I do not know who they are referring to when they say vendor.

    How is everyone else processing credit cards without storing the info? Is everyone using some kind of software like Authorize.net? Why would my Merchant Service provider not have mentioned this to me and still allow me to process transactions online?

    Yes, I am referring to my Merchant as the company that handles my credit card transactions and that gave me my merchant ID. As far as I know I only have a Merchant ID rather than an Internet Merchant ID....

  8. #8
    Join Date
    Mar 2009
    Posts
    25
    Plugin Contributions
    0

    Default Re: PCI Compliance... So Confused..

    DR,
    Thanks for the input. I am trying to work with them now...

  9. #9
    Join Date
    Mar 2009
    Posts
    25
    Plugin Contributions
    0

    Default Re: PCI Compliance... So Confused..

    After completing a questionnaire to figure out what form I need, it is now telling me that I need Form D and that it's going to cost me $545, plus $60 for my IP to be scanned and another $60 for a vulnerability scan (but they're giving me one IP vuln scan free, -$60). Is this insane, or is everyone going through this?

  10. #10
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: PCI Compliance... So Confused..

    In answer to one of your questions - about what everyone else is doing - some are doing the same as you and running Internet transactions through an EPOS terminal. But that's not to say it's right to do so. I was just trying to warn of the consequences.

    With regard to storing card info on a Shared Server there's no room for ambiguity or different interpretations - if you are USA based it's against the law. This is because in the USA the PCI/DSS rules and regulations were passed into law. In other countries you may just be violating the rules and regulations of the card companies.

    What you have been quoted is a ridiculous price. Although we are UK based we use a USA based company, called Security Metrics, and their book price is around £350 a year, but oddly enough, as they are recommended as a preferred partner by UK banks, that price drops to just £75 if you have an Internet Merchant ID from one of those banks. This would equate to around $106.50 at today's exchange rate. And that includes all of the scans.

    Vger
