
PCI DSS registration

  • 11-07-2012 10:26pm
    #1
    Registered Users Posts: 331 ✭✭


    Hi

    I received a letter saying that because we have a point-of-sale credit card terminal we have to sign up to this PCI DSS programme and pay a monthly fee.
    So I logged on to have a look - I can't get past the first page.
    It is asking me who my nominated qualified assessor company or internal qualified assessor is... so then I looked up how to become an assessor, and the course is a couple of grand?
    Someone please shed some light on what's going on - I thought I could just answer a couple of simple questions and be done. Ugh :confused:


Comments

  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Unless you're doing really large volumes you wouldn't need to be registered for the higher level of PCI DSS.

    At the lower end you'd probably have to fill out a questionnaire and, if selling online, get a monthly site scan.

    In any case, speak to your bank's merchant team.


  • Company Representative Posts: 1,740 ✭✭✭TheCostumeShop.ie: Ronan


    Blacknight wrote: »
    In any case speak to your bank's merchant team

    Actually, the merchant banks are going mad trying to make money from this stuff at the moment, and they have no real understanding of the meaning of PCI DSS in my experience. They've asked people to pay for courses, charged monthly fees, requested QSAs when they weren't required and charged admin fees if you don't choose their preferred vendor (who I assume gives them a kickback or other free services in return for the referral).

    We've had compliance charges stolen from our bank account without permission by two banks - one of which we don't even have an account with (AIB Merchant Services! :mad:). Obviously legal action was instigated and the charges have been refunded. :D

    PCI DSS is a good thing: it stops amateurs taking credit cards and putting their customers in a position where they could have their cards stolen, so everyone who takes payments online should be PCI DSS compliant. If this wasn't pushed so hard, people would find their card details getting stolen online a lot and would therefore stop buying online, and everyone would suffer.

    This does not mean you should let your banks bully you. Small merchants are usually bullied into using hosted web services, i.e. you pay on the Worldnet or Realex server (URL), so they take the majority of the risk elements away from you. If this is the case you need to fill out the SAQ (Self Assessment Questionnaire) and do vulnerability scans on your servers. Despite what they imply it's really not rocket science, but it's a boring old bit of paper pushing.

    Here's all the info you need to know:

    This PDF is from Australia, but I think it summarises it nicely.
    www.qvalent.com/pdf/pcidss.pdf

    All the information about PCI DSS is here and very well explained:
    https://www.pcisecuritystandards.org/security_standards/
    (The above also has an SAQ form)


    You will need vulnerability scans on your website; I like HackerGuardian for this. Although chances are you are about to be bullied into using the preferred supplier chosen by the bank, as they will be getting a commission. It's a catch-22: if you don't use their preferred supplier they will charge you a penalty for not using them, but their preferred suppliers are not necessarily in any way competitively priced and will try to sell you things you might not need, like a box that sits in your server etc., so it might work out cheaper to continue using (or start using, if you're new to selling online) your own Approved PCI scanning vendor.

    To get you started, here's the first 90 days free with this trial from HackerGuardian. Beyond keeping the banks happy, it's important to keep your customers safe, so I'd suggest becoming compliant as a first priority and then, later, trying to appease the banks, which in my experience were not the same thing.

    http://www.hackerguardian.com/hackerguardian/buy/pci_free_scan.html

    They also have a step by step SAQ which makes it really easy to become compliant.

    http://www.hackerguardian.com

    *Although HackerGuardian and Comodo are among the biggest and best known in this area, this does not mean your bank will acknowledge the results. However, the financial regulator has a lot to answer for here, as it's a clear monopoly and some banks have clearly crossed into questionable territory.

