    PCI-DSS Compliance

    I received a letter from my CC processing bank, Elavon (formerly Nova), stating that we must comply with this set of standards related to accepting and processing credit cards.

    I've checked out the standards website, pcisecuritystandards.org, and aside from dizziness and watery eyes, I've not gotten much out of it. It's primarily directed at the people that actually do the processing, although we are still affected by it. In our case, that is the ISP hosting our store. As a sr admin in the IT field (my day job) I am quite familiar with this type of thing, and have been involved in various compliance events, and I can't begin to imagine the number of man-hours expended in that process.

    I've dropped the ball and missed the deadline to submit documentation to show that we are in compliance (a generous 2 week notice), and am now subject to a 'fine' of $135, and monthly charges until we submit the documentation. Since I don't own or control the computers that actually handle the processing, I clearly can't show compliance, but my ISP must. I've contacted them, and so far they don't seem to be on top of this, either.

    Because of all the legal doublespeak on the PCI-DSS website, I'm not even sure what I have to do. We have 1 laptop, 1 wireless router (WEP enabled), and don't store any CC data. Most CC processing happens in MivaMerchant on the ISP computers, but we do process some manually via the virtual terminal on the Authorize.net site. From what I read, we may have to have security and vulnerability scans on the 2 pieces of our hardware. And on top of it all, each card issuer (Visa, MC, Amex, etc.) has different requirements that you must meet.

    Has anyone in a similar situation dealt with this yet, or weeded through all the details to figure out what is needed at 'our' level?

    John

    #2
    Re: PCI-DSS Compliance

    John,

    First things first, I would suggest dumping Elavon and going to a processor that isn't hiding extra fees under the guise of compliance. This is becoming more commonplace in the industry but there's no fee or requirement from Visa and Mastercard that they are recouping, they're simply charging you more since they know you can't prove compliance.

    Second (and of more importance to Miva Merchant customers), we've contracted with a payment industry firm to certify Miva Merchant 5.5 as PA-DSS compliant. We expect this to be done in Q2 of 2009. This is slightly different from PCI-DSS, which has to be done on a host by host basis, but it will make it much easier for a host to prove they're PCI compliant.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      Re: PCI-DSS Compliance

      Rick,
      Thanks for the reply.
      Dumping Elavon will not resolve anything. Nor will Miva 5.5 (for me). The $135 charge is for use of their supported tool for determining compliance by downloading and installing an agent on the server that is doing the processing. I can't do that. I only have access to my virtual server, which is the reason I contacted my ISP. The monthly fee, I guess, is incentive to complete the process. I can't imagine how some host agent can begin to evaluate much of anything.
      Since the requirement is being mandated by the CC companies, Elavon is trying to make sure its customers are addressing it, but not necessarily in a user-friendly way.

      What I need is someone that has dealt with this situation already that can provide a little guidance on how the 'little people' need to handle it.

      I'm going to call Elavon and see what I can get out of them, next week.

      John



        #4
        Re: PCI-DSS Compliance

        Dear John,

        I too am an Elavon client. If you read the notice they sent, they are telling you that if you do not have a certified PCI scanning company scanning your website / server, they are going to sign you up with the company they have contracted with (and most likely getting a kickback from). If you already have a certified PCI company scanning your systems, you just have to tell them who and send them your PCI scan results.

        If you do not have one, you can get one and send them the same information. Basically they are signing you up with a PCI certified company if you do not have one or do not bother to tell them you have one.

        Up until recently, Level 4 Merchants (most Internet merchants) did not have to be PCI certified. Now it is up to your acquirer (in this case Elavon) to decide if you need to be PCI certified or not. Since this can be a money maker for them, most acquirers are now making Level 4 Merchants become PCI compliant. I think all but one of my hosting clients called this week to find out if the servers can be made compliant (that is a whole other issue; some hosted on a shared server may have issues). In our case it is not a problem.

        You do not have to use the company they are signing you up with; you can go look around for a better deal. The price they are charging is on the lower end of the scale. You can also look for hosting companies that offer this as a service or include it in your hosting fees (or for free).
        Thank You,

        Nerd Boy

        http://www.nerdboyinc.com

        1-855-Nerd-Boy



          #5
          Re: PCI-DSS Compliance

          Nerd boy,
          Thanks for the response.
          My letter says if I don't provide them with a statement of compliance by the specified date (12/15) they will sign me up for their contracted service, and charge me $135, plus $20/mo until I am compliant.

          My ISP has not responded for days now as to their situation. Aside from a customer service department that sucks, I have no other complaints about them, and they are VASTLY cheaper than any other Miva host I've found. Time to prod them, again.

          John



            #6
            Re: PCI-DSS Compliance

            ... by the time you add that $135 and $20/month on top of your "VASTLY cheaper" hosting, are they still a bargain compared to other, much more responsive hosting companies - that also include PCI compliance scanning for free?

            We rarely go longer than 30 minutes to respond to a ticket - I can't even imagine not responding to a client for several days. That kind of "service department" should really rename itself to something a bit more fitting - perhaps "disservice department" would be more appropriate...?



              #7
              Re: PCI-DSS Compliance

              Remik,
              Thanks, but it's still cheaper. $315/yr for hosting (multiple sites), spam filtering, SSL cert and all the add-on services (value added apps, ssh login included). Add the $135/yr for scanning software (but not to the ISP) and it's $445/yr. Miva is free. I've got zero complaints with the hosting solution. It's the support response/quality that sucks. As I have extensive IT experience, I sometimes have to help them resolve my issues on systems that I don't have access to.

              I shopped around a few months ago, and I was shocked to see what the 'Miva Merchant partners' charge. If I was having problems with my store, then it might be a different issue. And since my products are primarily commercial/industrial, the store is not a major source of revenue (only about 10 or 15%). The extra $135/yr now does make a difference, though.

              The ISP support people have responded - "run the scan and send us the list of issues to resolve". I guess they don't have their own process in place....

              John



                #8
                Re: PCI-DSS Compliance

                By my estimates you are paying $315/yr + $135 + $20/month (PCI), for a total of $690/year. That's $57.50/month. That is more than most decent hosting companies charge for far superior hosting service and support (with PCI scanning included).

                We, Miva Merchant partners, charge more not "just because", but because we base this on how we host these stores and what we include with each hosting plan. Sure, we could lower our monthly fees and cram 1000 Miva stores on a single server, like some of the companies out there, but then you'd end up with very slow stores (just like with these other companies), or we could cut down on support and have just one person responding to all support tickets - taking days or weeks to get a response (just like with these other companies).

                But... we do things differently. We put no more than 16 Miva stores on a single, shared dual-Xeon server, and our support response time averages less than 12 minutes. Our phone response is measured in the number of rings to answer (2-3) vs. number of minutes on hold. That is why we charge a bit more. You get what you pay for. You can either have a fast store with fast service and support, for a few dollars more (probably less than you pay for a couple of cups of Starbucks per month), or you can wait 2 weeks for a response from your host. If this was a real emergency and you were losing money, would 2+ weeks be an acceptable response time to you? Heck, I consider even your current predicament unacceptable - they are basically forcing you into $375/year in additional payments ($135 setup + $20/month) because they haven't responded to your tickets by the deadline you were given. If $375 is not worth much to you, then perhaps going from ~$27 to $47/month for better Miva hosting is not such a big deal after all...



                  #9
                  Re: PCI-DSS Compliance

                  Remik,
                  I understand your points, but it's not quite as you describe it.
                  I pay $215/yr for webhosting that includes everything except my SSL cert (GeoTrust step-up version, $100) and the PCI scanning. I can host multiple websites at no additional cost (and I do), and nearly everything that you (dotcomhost) offer is included for that price, plus some additional items you charge for (ssh in particular, and I use it regularly). As I noted, I checked out a bunch of other providers already.
                  Until Miva Mia supports Miva 5, I will not be upgrading, either. I do ALL my updates locally, then upload the site back, hence the need for ssh access. I don't believe that (Mia for 5.x) is ever expected to happen.

                  The $20/mo is a 'motivational fee' to get certified. That and the $135/yr are being charged by Elavon, not my ISP. Once certified the $20/mo goes away. If the ISP did the scanning, then I'd pay them either directly, or via my monthly charge.

                  I've not lost a single penny in sales due to ISP issues. The only time my store has been down that I'm aware of was with a bug in the Miva/Authorize.net module recently, and that was not even visible to customers. Most of the support issues have been related to add-on products, email bugs (their webmail tools) and the additional site I have. Yes the support sucks, but only about twice a year. I don't have the time to fix what's not broken, especially if it costs more.
                  I suspect the support problem is that they 'close' a ticket after every response. WTH I asked. 'The queue looks bad if there are too many open tickets.' That would never have flown with any help desk I ever worked with, in my IT experience! Time to -resolution- was THE metric.

                  The reason I opened this thread was to see if I could get some first hand pointers from anyone dealing with Elavon's recent policy changes, as I had no clue what it was all about. It was not supposed to turn into 'my ISP is better than yours'. Although I do appreciate the interest in providing an alternative to what I have.

                  John



                    #10
                    Re: PCI-DSS Compliance

                    I missed one additional point you noted: "because they haven't responded to your tickets by the deadline you were given"

                    In my original post: "I've dropped the ball, and missed the deadline"

                    The ISP is not at fault, I am. I got the letter, and promptly forgot about it for almost a month.
                    They were responding to me in a timely manner, but did not seem familiar with what I was asking, then while I was away for 4 days (and our business closed for the whole holiday period as we don't sell any retail products), there was no update until I posted an inquiry as to the status. They responded within an hour. For a non-production issue, I consider that reasonable. The quality of the responses is a bigger issue.
                    John



                      #11
                      Re: PCI-DSS Compliance

                      I understand, no problem. I find it interesting that they host e-commerce sites but "did not seem familiar" with the idea of PCI compliance when you brought it up. That sets off major red flags in my mind... What else are they not familiar with, or don't do? Do they do backups of their servers? Backups of your site? Do they have redundant systems in place in case something goes wrong? (power, bandwidth, routers, AC, servers, etc)

                      BTW, what is that company's name? Just curious who'd offer "all you can eat" hosting, with Miva, unlimited domains, for $215 or $315/year... (you can PM me if you don't want to post it in public).



                        #12
                        Re: PCI-DSS Compliance

                        Do you have a URL for your store?

                        See if you find your host on this list:

                        Hosting Chamber of Horror

                        That Ivo Truxa guy, Remik, Nerd Boy, or our Hostasaurus team I'm certain would be able to school most anybody on hosting issues especially when it comes to running the Miva Merchant application on top of the rest.

                        Will your store's appearance and performance properly represent your company to a potential new 7 figure client that might have just heard about your place?
                        Thanks,
                        -Barrett
                        Favorite Host Hostasaurus.com
                        Order Processing by Shipworks.com
                        Kindly Suggesting to:
                        *Dump Explorer and http://GetFireFox.com
                        *Post a meaningful subject line.
                        *Click the # button before pasting code



                          #13
                          Re: PCI-DSS Compliance

                          Barrett,
                          I appreciate the response, but it's not useful.

                          The link is to a page that is 6 years old, and the links on that page don't even work any more. 7 figure client on a miva store?? I'd be amazed if ANY miva store has 1.
                          My 5 figure customers don't even know the store exists, as it's not intended for them.

                          I'll say this again:
                          It was not supposed to turn into 'my ISP is better than yours'.
                          No more posts of this nature, please?

                          John



                            #14
                            Re: PCI-DSS Compliance

                            Originally posted by jleiii:
                            Barrett,
                            I appreciate the response, but it's not useful.

                            The link is to a page that is 6 years old, and the links on that page don't even work any more. 7 figure client on a miva store?? I'd be amazed if ANY miva store has 1.
                            My 5 figure customers don't even know the store exists, as it's not intended for them.

                            I'll say this again:
                            It was not supposed to turn into 'my ISP is better than yours'.
                            No more posts of this nature, please?

                            John
                            Sorry, you did mention commercial/industrial... which I don't think is too far off in left field for potential clients to be in that revenue range - no matter that you don't care about it.

                            How's this.

                            Yes we have recently dealt with Elavon.
                            Yes they gave us less than a 30 day notice.
                            We were pissed.
                            Yes the host of our "pet store" already provides PCI compliance scan package. (FREE)
                            Yes our host quickly fixed any flags it would generate.
                            No severe flags ever noted.
                            No we are not on a $29 per month shared server.
                            Yes we had to fax in our PCI compliance report to Elavon.
                            No we have not yet determined if their left and right hand know what they are doing.
                            We are on the lookout for them to charge us anyway.
                            We will likely switch to the new provider Miva has teamed up with after we get some other fires put out.
                            I sleep better at night knowing I don't have to worry about all this low level server stuff....
                            Thanks,
                            -Barrett



                              #15
                              Re: PCI-DSS Compliance

                              Update:

                              The McAfee PCI scan provided to us via Hostasaurus satisfied Elavon's PCI request.

                              Here is the agent that was helpful.

                              RS Specialist/ RS Escalation
                              Jason Keeling
                              email: [email protected]
                              Ext. 8512
                              Fax 865-403-5348
                              Thanks,
                              -Barrett
