I received a letter from my CC processing bank, Elavon (formerly Nova), stating that we must comply with this set of standards related to accepting and processing credit cards.

I've checked out the standards website, pcisecuritystandards.org, and aside from dizziness and watery eyes, I've not gotten much out of it. It's primarily directed at the people that actually do the processing, although we are still affected by it; in our case, that is the ISP hosting our store. As a senior admin in the IT field (my day job) I am quite familiar with this type of thing, and have been involved in various compliance events, and I can't begin to imagine the number of man-hours expended in that process.

I've dropped the ball and missed the deadline to submit documentation to show that we are in compliance (a generous 2-week notice), and am now subject to a 'fine' of $135, and monthly charges until we submit the documentation. Since I don't own or control the computers that actually handle the processing, I clearly can't show compliance, but my ISP must. I've contacted them, and so far they don't seem to be on top of this, either.

Because of all the legal doublespeak on the PCI DSS website, I'm not even sure what I have to do. We have 1 laptop, 1 wireless router (WEP enabled), and don't store any CC data. Most CC processing happens in MivaMerchant on the ISP computers, but we do process some manually via the virtual terminal on the Authorize.net site. From what I read, we may have to have security and vulnerability scans on the 2 pieces of our hardware. And on top of it all, each card issuer (Visa, MC, Amex, etc.) has different requirements that you must meet.

Has anyone in a similar situation dealt with this yet, or weeded through all the details to figure out what is needed at 'our' level?

John