Blindsided by PCI compliance changes

Okay, I admit. I'm a moron. Somehow I managed to be blindsided by PCI compliance changes in the USA that require all businesses of any size to be PCI compliant. That means that even if I own a small website that uses PayPal Professional as a means of collecting payment, I will need to have both my website and my place of business (even if it's my home network) scanned for compliance.

How are others handling this?

As a bonus question, how many of you are using shared web hosting for your sites and are suddenly in need of moving to either a PCI compliant shared host or a VPS?

Wesley David
LinkedIn | Careers 2.0
-------------------------------
Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
Vendor Neutral Certifications: CWNA
Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

#2
Re: Blindsided by PCI compliance changes

PCI, like ISA? Huh?

** Remember to give credit where credit is due and leave reputation points where appropriate **


#3
Re: Blindsided by PCI compliance changes

Originally posted by Wired:
> PCI, like ISA? Huh?

No, like NuBus.

(That joke wasn't funny when shawnp0wers said it either.)

Wesley David


#4
Re: Blindsided by PCI compliance changes

I have to admit that I'm confused. Is PCI compliance the law (in the U.S.)? If it's not the law, then is it required by the PCI members (Visa, MasterCard, etc.)? If it's not the law but it is required, does that mean that you could lose the ability to use one of the members' payment processing "privileges" (meaning, you can no longer process Visa, MasterCard, etc. payments)? We take credit card information over the phone and process it using a credit card machine connected via a modem. We don't store credit card information, so it looks like we're at level 4, but to be honest I'm totally flummoxed.


#5
Re: Blindsided by PCI compliance changes

Originally posted by joeqwerty:
> I have to admit that I'm confused. Is PCI compliance the law (in the U.S.)? If it's not the law, then is it required by the PCI members (Visa, MasterCard, etc.)? If it's not the law but it is required, does that mean that you could lose the ability to use one of the members' payment processing "privileges" (meaning, you can no longer process Visa, MasterCard, etc. payments)? We take credit card information over the phone and process it using a credit card machine connected via a modem. We don't store credit card information, so it looks like we're at level 4, but to be honest I'm totally flummoxed.

I'm woefully undereducated about it because the places I've worked at have either not been bound by it or I wasn't in any position to have any part in the PCI compliance process.

My understanding is that PCI is the standard and non-compliance will cause you to either lose the ability to transact business using credit cards or be fined, or both. Looks like I'll be getting a totally unexpected crash course in PCI compliance. Also looks like this place I'm doing some work for is going to have quite a few unexpected bills.

Wesley David


#6
Re: Blindsided by PCI compliance changes

I know in the UK, PCI compliance is split into levels. The levels are based on the number of card transactions the business carries out and whether the card transactions are stored on file shares, are processed via an on-line payment method, or go through a chip-and-PIN machine down a phone line.

It is enforced by the card providers, and some levels are now obliged to be compliant. However, I believe that no company can ever be truly 100% compliant. Providing there isn't a security breach and best practices are adhered to, with PCI used as a guideline, a company should be OK.

However, I believe fines can be enforced for non-compliant companies and in some cases the card providers can refuse to process card transactions, so there is a potential loss of revenue.

Like with anything, providing there are no breaches of security, there shouldn't be any repercussions. Also, if you keep the card providers informed that steps are being taken to enforce PCI, they are on your side straight away.


#7
Re: Blindsided by PCI compliance changes

Thanks for the reply Virtual. Those are pretty much my impressions as well of what's going on, based on my recent and continuing crash course. I think the place I work for would be considered a level 4. Our website failed miserably at the test, just because we're on a shared host and the thing is as bulwarked as Swiss cheese. Doh!

Time to look at a VPS...

Wesley David


#8
Re: Blindsided by PCI compliance changes

Another consideration is to isolate the computers that need to be PCI compliant, which may save a considerable amount of money and time.


#9
Re: Blindsided by PCI compliance changes

I got nailed a couple of months ago. The facility I work at has a nightly batch of credit card processes through PCCharge as a subsystem to the main hospital information system we run. One night, out of nowhere, all of the batches failed.

We called the bank and they cut us off because PCCharge was non-compliant with new PCI regulations.

Called PCCharge; they did not know of any PCI changes. Called the primary software vendor; they were not aware either.

We spent about a week trying to get our CCs processing again. Nightmare to say the least, especially with the CFO on your butt about the lack of income.

MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+


#10
Re: Blindsided by PCI compliance changes

Sucktastic! Amazing that there was so little known about it among the people and organizations involved.

Wesley David


#11
Re: Blindsided by PCI compliance changes

Everyone thinks of banks and imagines sparkling servers in immaculate datacentres leading the fight against security threats.

If people saw the systems behind their banks, maybe they'd want to go back to hiding their money under their mattress.

One UK bank's online banking site, for instance, has an SSL certificate which allows insecure communication - 'nuff said.

Gareth Howells

BSc (Hons), MBCS, MCP, MCDST, ICCE

Any advice is given in good faith and without warranty.

Please give reputation points if somebody has helped you.

"For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

"Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


#12
Re: Blindsided by PCI compliance changes

Originally posted by gforceindustries:
> Everyone thinks of banks and imagines sparkling servers in immaculate datacentres leading the fight against security threats.

And others of us think of sparkling servers in immaculate datacenters. Datacenters that have more care given them than a theatre stage, less colour than an operating room, and blondes. Can't forget the blondes.

Originally posted by gforceindustries:
> One UK bank's online banking site, for instance, has an SSL certificate which allows insecure communication - 'nuff said.

Hmmm... to whistleblow or blackmail... that is the question.

Wesley David


#13
Re: Blindsided by PCI compliance changes

Center... centre... we're divided by a common language.

Gareth Howells


#14
Re: Blindsided by PCI compliance changes

Originally posted by gforceindustries:
> Center... centre... we're divided by a common language.

No, you speak English and they speak Merrycan.

1 1 was a racehorse.
2 2 was 1 2.
1 1 1 1 race 1 day,
2 2 1 1 2