Saturday, January 10, 2009

PCI Compliance for Level 3 Vendor

I'm a Level 3 vendor (20K-1M online transactions per year), with none of the card data stored.

The requirements for me are, I think:

1. Filling out and sending to my bank a PCI Self-Assessment Questionnaire.
2. A quarterly scan by an approved vendor. Here is a partial list of vendors:

Mcafeesecure.com - 807 322-9965
ControlScan.com
SecurityMetrics.com

3. Ensuring your gateway provider is PCI DSS compliant. Here is where it's a little gray for me. My vendor is not on the list, but he has submitted a letter to me showing that he is compliant under an arrangement with another company. If I wanted the validity of that reviewed, who would I check with? Am I being too nerdy in wanting to check?

Friday, January 9, 2009

Google Checkout is no longer free

Durn. I just read on the Merchant Account Blog that there is No More Free Checkout from Google. Until now, Google Checkout merchants who advertise on Google's AdWords platform have received credit for use toward the Google Checkout fees they incur.

But Google Checkout is no longer free or even reduced for AdWords users. I'm disappointed, since as a large AdWords advertiser (large in terms of my credit card processing fees), this was looking like a no-brainer way to save money.

I did think it was a little too good to be true. It's terribly 500-pound-gorilla-ish for Google to have started squashing the credit card processing industry by this type of cross marketing. Given their troubles as a potential monopolist, I think this was really heavy-handed of them.

As it is, they are going to get grief for taking over Madison Avenue and most of the advertising industry.

Thursday, January 8, 2009

The PCI Self-Assessment Questionnaire

A copy of the PCI Self-Assessment Questionnaire is available from your processing bank or:
https://www.pcisecuritystandards.org/saq/index.shtml.

For a quarterly scan there are several companies that offer a free scan or you can subscribe to their yearly service. Examples:

http://www.hackerguardian.com/hackerguardian/buy/pci_free_scan.html
http://www.mcafeesecure.com/us/pci-intro.jsp
https://www.controlscan.com
https://www.securitymetrics.com/sitecertinfo.adp

Wednesday, January 7, 2009

February deadline for PCI Compliance

I've been reading a post called SaaS Compliance and Levels in the PCI compliance, a very professional blog, and found that I'm pretty late to the game in figuring out compliance. I read that:

...in February 2009 that is all changing. Visa Inc. (all regions except Europe) has defined new level definitions for service providers and removed the usage of ‘gateway’ from this definition. This change does not take effect until Feb. 1, 2009 so companies wishing to validate now should do so under the current rules.

Now, the context there was about some type of aggregators of merchant services such as:
... a shared e-commerce provider or independent sales organization (ISO) that aggregates transactions

I think this includes hosting companies, shopping cart vendors, and software service vendors that offer credit card processing as a component of their service. BTW - none of this applies to me. I'm still looking for what my compliance issues are as:

- an online retailer of online services
- paid by credit card
- handling over 100K transactions per year
- not keeping any credit card data in electronic or paper form.

PCI Compliance Required?

When I log into my merchant account, I see this message:

We're getting many questions about the requirements for PCI certification.
The requirement for merchants processing less than 20,000 transactions per year is just a PCI Self-Assessment Questionnaire as long as you don't store any credit card numbers.
I don't store credit cards, I did it all through others, but I do over 10K transactions per month, which is a great deal more than 20K transactions per year. Do I need to fill out the PCI Self-Assessment Questionnaire? Do I need to do more?

To figure this out I should probably contact my vendor. Here's the truth about my vendor: I almost never talk to the bank. Sometimes, I forget who it is. My entire relationship is with ------- who I guess is an ISO for them. They're a pretty small company for me to be running over 120K transactions (mostly small, in the $20 - $60 range) through.

This is where I admit that I've never created or discovered a truly great glossary to help me understand the roles of the merchant bank, the gateway, the network, third party processors, ISOs, and so on.

Returning to the question of PCI compliance, I'll call my processor. I didn't make it to the PCI compliance webinar that I said I would. I did, through consulting http://www.merchantaccountblog.com/, discover two blogs about PCI compliance. I'll read them next:
PCI Answers
Payment Card Security & IT Controls Explained