
Archived

This topic is now archived and is closed to further replies.

WoodsWalker

PCI compliance inspection - anyone gone through it?


Hi, All,

 

I've been going around in circles (Here's the thread) trying to implement the Moneris Hosted Paypage, which involved installing and trying out the Moneris payment module, and finally concluding (Moneris confirms this) that the Moneris payment module is not suitable for use with their Hosted Paypage but only via a PHP API (their other option, under their program called "eSelect eCommerce").

 

There seems to be no help available for transacting with the Hosted Paypage, so now I am back to investigating option 2, the API.

 

Fortunately, now that I have oriented myself, I have realized that I need do no programming to use the API, since Moneris has already provided a module (available through Moneris and also here in contributions). Even though Moneris themselves have written this solution (the Moneris payment module), they tell me I will need a PCI compliance certificate in order to set up an account with them.

 

I am a level 4 merchant, with about 1500 credit card transactions per year. Has anyone else gone through the process of getting a PCI certificate? Was it a hassle? What did it cost?

 

Thanks for any info!

 

~Wendy


If you use a payment gateway and do not store the cc info yourself, it's very easy to be PCI compliant.

 

NOTE: Using an api interface you will also need to have SSL on your site.

 

You can do the PCI security scans for free; there are plenty of providers offering that service free of charge (like HackerGuardian, among others).

 

Then basically you will just need to fill in the PCI self-assessment questionnaire.


Hi Nick! :) Thanks again for your continuing info!

 

Yepp, got SSL (a "generic" one provided by my hosting package, but I think I'll get my own for the sake of image).

 

Although I expect that I will be PCI-compliant and that free scans would confirm this, Moneris is telling me that I have to acquire a PCI certificate from a vendor, and they are recommending a company called Ambiron Trustwave. From the Trustwave website it sounds like it's pretty involved, requiring quarterly remote re-scans, etc., and that my service provider's server must also be PCI-compliant, and on down the line. This is kind of making my hair stand on end. Maybe 3M can afford this, but can I?

 

Is it this PCI-certificate vendor, then, who will provide the PCI self-assessment questionnaire? Are you saying you think they would settle for this questionnaire and the results of a free scan (or an inexpensive scan from them)?

 

On another thread, from 2007 I think, I read that a company was offering a "deal" on PCI certification for $250 - and I assume the costs are ongoing. It sounds pretty steep!


You can use something like hackerguardian for free, it gives you all the needed tools.

 

They are a PCI Security Standards Council Approved Scanning Vendor (ASV).

 

 

Since you are a level 4, this should suffice: Annual Self-Assessment and Annual Network Scans


FYI: Just tried the FREE PCI scan from HackerGuardian; it's a gimmick. You spend all this time faxing over paperwork after you sign up to verify this is your site, then they scan your site and say compliant or not. No details, no recommendations, nothing... Then if you actually want to know any details of what is in that report you pay them. I spoke on the phone to one of the reps for their company to confirm this, and yes, you do have to pay to see ANY details... On the plus side it looks like it is only $79.00/yr for testing, which is pretty cheap.



Thanks for sharing your experience, Keith.

 

Now here's "the rest of the story" (well, so far)...

 

Got home from a four-day holiday and figured that it's time to get on with this. Moneris (our credit-card acquirer, the largest in Canada) really pushes Trustwave for these services, and calls them their "Trusted Partner Company". Perusing Trustwave's "Trustkeeper" options more thoroughly, I saw that they offered a package deal on Level 4 PCI plus SSL - both of which I need - for $394 per year. I bet these rates go down as the competition heats up, but since Moneris prefers this company, I thought it was prudent and likely to go the smoothest if I purchased the services from them.

 

NOT! >_<

 

Through the Trustwave site (Quick Order page), I created an online user account and was ushered to the menu of packages, put the one I wanted in my shopping cart, and proceeded to checkout. Tried one credit card (which I suspected was full) and it was declined. Tried my less-full one, and it was approved for the $394. Fine. On the next screen an order summary appeared, that said the amount of the order was zero (so I thought perhaps they had simply done a pre-auth until I actually complete the process for the SSL) and the order date was December 31, 1969 - which was indeed odd. There was a button to push to view a printable receipt. Pushed this button, and it told me I had to login to see the receipt. Well, during the user registration I had chosen a password, but not a user name (went back to that screen just to check), so I had to guess what they might have used for a username (my name? company name? email address?). Anyway, I finally gleaned from another screen elsewhere on the site that they use the email address as a username ... but that didn't get me in! Although I knew my password, I finally tried entering my username in the "lost password" screen - and it said it had no record of such a username.

 

In addition, no confirmation emails came to the address I had designated, although at several steps I had been informed that I would get some.

 

Well.

 

Next thing was to call the "Insanely Great Support" 866 number they offered (anyone know if this is toll-free?). A mumbly guy answered directly, as if he was in his kitchen, and I got the impression he thought I was a bird brain. He could find no record of my application for a username and password, nor of my credit card transaction (which had been "approved", so I assume that something had to have been put through to my credit card, even if it was only a pre-auth). He insisted that if my credit card had been processed he would "have the slip" (have the slip?), that there had already been a couple that morning but not one from me, and that I should just go through the whole procedure again.

 

I hung up and thought about it. I decided that I would definitely not put through my credit card info again, until I found out for sure what had happened the first time.

 

But I saw no harm in at least trying to open a user account again, and this time I tried this from another screen, the "user account" screen instead of the one associated with the shopping cart. It seemed to take my info, and it even sent me a confirmation email. But when I tried to access my "account" (even by using the links provided in the email) all I got was "username unknown."

 

I called the "Insanely Great Support" number again, and got a guy who seemed more helpful. Still, he could access no information whatsoever. He said someone higher up would give me a call, and left me with the suggestion that I contact my credit card company if I was convinced a transaction had gone through.

 

This I did. My Mastercard company confirmed that a purchase for $394 had been transacted today by a numbered company in San Antonio. As the transaction was so fresh, Mastercard said they could give me no further information, nor cancel it.

 

Well, Trustwave is in Chicago, and none of their published contact addresses is in San Antonio. At this point I was beginning to wonder if, ironically, the very company who wants money to certify the security of my procedures has itself allowed its system to be hacked.

 

Made another call to the Insane ones at the 866 number. Got a very slow talker, who did not seem to recognize the names of the others I had been talking to. He tried to be reassuring and said that Trustwave had joined forces with SecureTrust, and that the web site currently has more than one entry portal for user account registrations and purchases, and that this was not the first time that customer information had been misdirected within the company. He said he would direct my inquiry to "the Finance department", who would surely have a record of my transaction, which could then be entered manually and all would be well. As it was nearing the end of business hours, he suggested that I would likely hear from them tomorrow. All this took an incredibly long time for him to say. Got me wondering again if the 866 number was toll-free.

 

After I hung up I decided to try to raise the Finance dept. on my own as it was not 4:30 yet. Called the "General Inquiries" number for Trustwave, several times, and only got a fast busy signal.

 

What would you think?

 

Fortunately, the Mastercard I used is now at its limit, so if thieves have my number they can't get much more than they already have.

 

I'll update this tomorrow. I still have a vague hope that it's all explainable. This is the company that Moneris wants me to deal with, and I'm not sure Moneris will accept a PCI cert. from any other. Sigh. :blink:


Had a look at the Trustwave website and the solution seems to include an SSL certificate, PCI compliance scanning and certification, as well as a trust seal you can show on your website. If this is correct then the price quoted seems OK. (Other trust seals, hacker seals, etc. usually start at a higher price just as a standalone service.)

 

But one thing which did actually give the impression that this is a "boys' backroom" style business as opposed to a large professional business was that their own site just has a low-assurance SSL certificate...


Hi Nick and all,

 

Yepp, that's an interesting observation about the SSL cert. on Trustwave's own site. Well, my own website makes me look "as big as Chrysler", but again, it's just two people. So, there's no telling how big Trustwave actually is. Glad to hear that their prices are competitive.

 

Trustwave does seem to be a major player in the SSL and PCI-cert market, and has bought out several smaller companies, which apparently has given rise to their difficulties with their web site and their own credit card processing. Both Moneris (Canada's largest credit card acquirer) and Authorize.net direct their customers to Trustwave for these services.

 

Last night I sent an email describing my difficulties to every e-mail address on Trustwave's and SecureTrust's site, and I received a very apologetic e-mail and phone call early this morning. My info was not hijacked -- they have it, and they just mishandled it. They're fixing the problem and things should be back to "normal" by this afternoon. I hope so.

 

Just shows to go that even the "biggies" can have these problems. I hope my customers will be patient with me if I ever charge their card and temporarily misplace their order - well, I admit it has already happened a couple of times over the years, but at least it only takes one phone call from our customer to fix the situation ("sorry! + we'll send you some bonus stuff!"), rather than a whole day of calls and emails.

 

Well, time for some Weeties. :P


Just thought I should pop in here A.S.A.P. to report that TrustWave (a.k.a. TrustKeeper) has indeed gone to every length to rectify my problem and to compensate me for my time and consternation.

 

I am quite satisfied now that this was an unusual situation, and their response today was gratifying. It looks as though they have already patched up the holes in their system that allowed the situation to occur. :)

 

So, back to the process as it should have been from the start...

 

Naturally, as of today (May 1, 2008), a new and more complicated system of compliance questionnaires has been enacted. One must select from four or five questionnaires, to suit one's business model. I found I had to go for the most complicated one (230 questions), because I do store customer info on an off-line PC. Took me about 2 hours to answer all the questions, many of which were not applicable (there is often a box to tick for this). But I answered it all honestly, and apparently the questionnaire has already met with approval.

 

The next stage is the network scan, which is scheduled for tonight. I'll keep you posted.


SUCCESS!

 

We passed the system scan and now have our PCI Certificate of Compliance. :)

 

I have the impression from the scarcity of forum posts on this topic that I am one of the first Level 4 (i.e., small) merchants to be obliged to go through this process, but if I read things right, most or all small merchants (anyone handling credit card data in any way) will be asked to provide proof of PCI compliance by the end of 2008. VISA and Mastercard have spearheaded this process in order to maintain the integrity and trustworthiness (and hence profitability) of the credit card payment system. Almost all merchants are "going electronic" now, which could spell doom if they were to become a hacker's paradise.

 

To summarize, here's the process of PCI certification as I experienced it (minus that hiccup where my order went awry):

 

SUMMARY

 

1. My credit card acquirer (Moneris) required me to provide proof of PCI certification as a condition of granting me online credit card processing services.

 

2. They strongly recommended their "Trusted Partner Company", Ambiron Trustwave, for these services.

 

3. I perused the Trustwave website, and made inquiries, and found that I could purchase "SSL (OV) + Level 4 PCI Certification" for $394 per year, in a bundle that included an attractive site seal. As I needed SSL as well, I went for this package, although I am sure one can order the PCI Certification separately.

 

4. Trustwave's PCI Certification program is called "Trustkeeper", and I was given a username and password for the Trustkeeper web pages.

 

5. Info: PCI Certification for Level 4 merchants involves filling out a yearly questionnaire, and undergoing a quarterly "remote system scan". No onsite inspection is usually required for Level 4 merchants - that's just for the biggies.

 

6. Lots of instructions are provided on the Trustkeeper site. There is now a choice of four or five different questionnaires, depending upon your business model. If you store absolutely no credit card information on-site, then you may complete one of the shorter questionnaires. As I do store some info electronically (on a stand-alone PC), I felt I should complete the long one - 230 questions. But it wasn't hard, and took about 2 hours. You don't have to complete it all at once - you can save it and resume later (but watch what buttons you click because if you click "resume questionnaire" it starts again at question 1!). When done, I clicked to send the questionnaire, and a half hour later when I logged back in to Trustkeeper, there was an indication that the questionnaire had passed. Whew. You may review your questionnaire and your answers at any time through Trustkeeper. The questionnaire itself was a learning experience and made me extra-aware of security issues, as I am sure it is intended to.

 

7. On to the remote system scan. I don't know why, but it is recommended that you back up your files before this is done. My site is remotely hosted by Bell Hosting on a shared server, so I backed up my site files to my local PC (they usually are anyway). You may schedule the time of the scan, so I scheduled it for the middle of the night. You must provide at least the IP address of your website (maybe the URL will do). I checked with WHOIS to get the IP address of where my site is hosted, and it gave me the IP numbers of two servers at Bell. I input these. I wasn't sure of my mail server, so I left it blank.

 

8. When I got up this morning and checked Trustkeeper, I saw that I had passed the remote system scan. Whew again! Viewing the detailed report, I could see that the scan also identified a third server, plus my mail server. These servers only had minor insecurities, and passed with a wide margin. Recommendations are given that you may pass on to your hosting service, if you think they would like to optimize security. I suppose that if glaring insecurities had been found, I would have been required to get Bell to fix them ... but all it would have taken was to fax them the detailed scan report, it's all there in plain (technical) English.

 

9. Upon PCI certification, Trustkeeper provides PDFs of the "Detailed Report" (64 pages long), the "Summary Report" (2 pages long), and a cute "Certificate of Compliance", which is what your financial services folks probably want to see.

 

10. That's it for my adventure with PCI. Now I can get back to designing my pages! :)


I've gone through it as well. I'm using ControlScan and it's $19 a month for weekly scanning. They tell you how to correct the errors as well.

 

My concern is that we should not have any emulation of globals on, and you can't have it off or oscommerce won't show up. That's my problem now.


Debora


I think I have gotten more confused about all the PCI Compliance regulations the more I look into it.

 

I discussed scanning our osCommerce site with Trustwave, and it's almost $10k for 1 scan!

 

Now, I am talking about an application scan. It sounds like previous discussions only involved a network scan, which would basically be a scan of the host.

 

But PCI requires that an application be as guarded as possible against exploits and vulnerabilities, and I don't understand how that could be said without an application scan.

 

Do you know if the scan you had performed was a network scan or application scan?

 

I love osCommerce because of its flexibility and ease of modification, but I'm not sure that we'll be able to use it any longer, due to the costs of having it certified for PCI compliance.

 

Any comments?


Hi Nick!

 

TrustKeeper scans my network once a month. As you have read, I also completed a questionnaire. After my initial scan (which I passed), they provided me with a certificate of PCI-compliance, which was what my financial services provider (Moneris) wanted to see. Then I was up and running.

 

The cost was $400 per year, in a package that included SSL as well.

 

The scan is very thorough and a detailed report is provided after every scan. It certainly uncovers vulnerabilities in the website itself (this is where osCommerce comes in). A "cross-site scripting" vulnerability was discovered in my site in July involving the osC page /catalog/advanced_search_result.php. This caused me to fail my scan. I really didn't need advanced searching anyway, so I simply removed that function, and the page, from my site. Problem solved.

 

Also during the summer, my site failed a scan due to some vulnerabilities in the "FrontPage extensions" that my service provider had automatically added to my site functionality. With the help of my ISP we weeded all that stuff out (I don't use FrontPage anyway), and now I am passing my scans again.

 

From the looks of the reports, Trustkeeper scans the two servers on which my page is hosted, plus scans my site's IP address itself. I am not very knowledgeable beyond this point.

 

Anyway, this type of "network scan" is all I am required to get, and all TrustKeeper offered me. I am not sure what you mean by an "application scan", but I don't think any of us on the forum has found it necessary.

 

Hope this helps!

~Wendy


Ok, it's good to hear that they were trying to exploit oscommerce during the scan, that's what I'm looking for!

 

I was uncertain if the network scan would only involve looking for open ports, bad firewalls, etc. (stuff I really have no control of at our host), or if it would try to exploit oscommerce as well.

 

osCommerce is a web application, just viewed through a web browser instead of running on your local PC like Word or something else. Without knowing what all their network scan encompassed, I asked Trustwave about scanning our web application (osCommerce), and that's when they threw this $10k figure at me!

 

I'll talk with them a bit more, because if there's a way to continue to use our osCommerce shop that we've spent so much time on (without spending $10k...), I want to go that route!

 

Thanks for the reply! I'll let you know how it goes.


Hi Nick,

 

Glad the info was helpful. I'm sure that the network scan is all you need. Assessing an application for vulnerabilities (which would include predicting all the unstable environments that application might be launched on, etc.) would indeed be very involved, and I'm not surprised they would want 10K for that.

 

But yes, TrustKeeper's network scan does indeed probe into all the osCommerce files one is using, to see what vulnerabilities a hacker might exploit. Glad you are reassured. And yes, do let us know how it goes!

 

~Wendy


Hi, I was looking at these posts and remembered what I had heard from friends who attended a recent PCI meeting in Florida. Interestingly enough, it is a FACT that a merchant (ANY merchant) can use ANY security vendor they want to use as long as the "report" is completed by a PCI ASV company.

 

The real kicker is this:

1) You as a merchant can choose whatever ASV you want to assist you.

 

2) It's the QSA behind the curtain (they are the ones telling Moneris to tell all its customers to use TrustKeeper) and most likely they are taking a piece of your money to do so!!!

 

3) TrustWave cannot tell Moneris that they will not accept the work of your SELECTED ASV or the scan/validation report provided by that ASV. Unless it is "expressly written" in your contract with Moneris (which would be an unfair business practice), you can use ANY ASV you want to.

 

If ANYONE tells you that you MUST use a certain ASV and that another will not be acceptable... you should immediately complain to the PCI Council, as this type of behavior directly violates the agreement all ASV and QSA companies have signed with the PCI Council.

 

If enough people turn them in... everyone will be able to get the best service for the least money... instead of lining BOTH of their pockets.

 

Here's the 411 to report such things:

 

PCI Security Standards Council, LLC

 

Address:

PCI Security Standards Council, LLC

401 Edgewater Place

Suite 600

Wakefield, MA USA 01880

 

Phone:

+1-781-876-8855


Hi Michael!

 

I suspected that what you write was true. As I said, Moneris "really pushed" Trustwave - but they didn't force me (who knows if they would have tried ... I didn't put up any resistance).

 

As far as I'm concerned, the whole PCI certification racket, despite the need for security measures, is the equivalent of the wild wild west right now. It's every person for himself. I expect the dust will settle eventually and more effective, clearer, and probably cheaper options will come along.

 

Here's hoping!

~Wendy

If you use a payment gateway and do not store the cc info yourself, its very easy to be PCI compliant.

 

NOTE: Using an api interface you will also need to have SSL on your site.

 

You can do the pci security scans for free, there are plenty of providers offering that service free of charge. (like hackerguardian among other)

 

Then basically you will just need to fill in the PCI self assessment questionnaire .

 

I'm not so sure this is accurate. Even if your site/database does not store credit card info, it may still fail compliance. Why? Because when you are transporting this info from the user to the site (before the data is passed to the processor's gateway, e.g. Authorize.net), chances are high that your hosting company is using SSL 2.0, which will trigger a failure.

 

So your options are to find a host that will disable 2.0 and has 3.0 available (or a dedicated server) OR you can use a third-party payment page (like PayPal or WorldPay), which really means that you are not processing directly on your site at all.

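The "SSL 2.0 will trigger a failure" point above is something you can check yourself before the ASV does. What follows is an added example, not code from this thread, from osCommerce, or from any scanner vendor: it sends the SSL 2.0 CLIENT-HELLO that scanners use to detect the legacy protocol and classifies the reply. A server with SSL 2.0 enabled answers with an SSLv2 SERVER-HELLO listing the cipher specs it accepts; a server that has it disabled closes the connection or sends a TLS alert. The host and port are whatever you pass on the command line (placeholders, not anything from the thread), and the two sample responses at the bottom are constructed here so the classifier can be exercised offline; they were not captured from any real server.

```python
"""
Probe whether a TLS endpoint still accepts the legacy SSL 2.0 handshake.

Added example (not from the forum thread). It performs the same check an
ASV scanner does when it reports "SSL 2.0 enabled": send an SSLv2
CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO
(protocol enabled) or refuses it (TLS alert or closed connection).
"""
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSL 2.0
        + struct.pack(">H", len(cipher_specs))
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + cipher_specs
        + challenge
    )
    # Two-byte record header with the high bit set: no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Classify the first bytes a server sends back after an SSLv2 CLIENT-HELLO.

    Returns (status, detail) with status one of:
      'sslv2_enabled' - server sent an SSLv2 SERVER-HELLO; detail lists its ciphers
      'refused'       - connection closed or a TLS alert came back
      'unknown'       - something else came back (first bytes in detail)
    """
    if not data:
        return "refused", "connection closed without a response"
    if data[0] == 0x15 and len(data) >= 7:
        # TLS alert record: type 0x15, version(2), length(2), level, description.
        level, desc = data[5], data[6]
        return "refused", f"TLS alert level={level} description={desc}"
    if data[0] & 0x80 and len(data) >= 13 and data[2] == 0x04:
        # SSLv2 SERVER-HELLO layout: header(2) type(1) session-id-hit(1)
        # cert-type(1) version(2) cert-len(2) cipher-specs-len(2) conn-id-len(2)
        # then certificate, cipher specs, connection id.
        version = struct.unpack(">H", data[5:7])[0]
        cert_len, specs_len = struct.unpack(">HH", data[7:11])
        specs = data[13 + cert_len: 13 + cert_len + specs_len]
        names = [
            SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)
        ]
        return "sslv2_enabled", f"server version 0x{version:04x}, ciphers: {names}"
    return "unknown", data[:8].hex()


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the CLIENT-HELLO, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample responses (not captured from any real host) so that the
# classifier can be exercised offline.
_hello_body = (
    b"\x04"                        # MSG-SERVER-HELLO
    + b"\x00"                      # SESSION-ID-HIT = 0
    + b"\x01"                      # CERTIFICATE-TYPE = X.509
    + b"\x00\x02"                  # SERVER-VERSION = SSL 2.0
    + b"\x00\x00"                  # CERTIFICATE-LENGTH = 0 (omitted in the sample)
    + b"\x00\x06"                  # CIPHER-SPECS-LENGTH = 6 (two specs)
    + b"\x00\x10"                  # CONNECTION-ID-LENGTH = 16
    + b"\x01\x00\x80\x07\x00\xc0"  # RC4-128-MD5 and 3DES-EDE-MD5
    + b"\x00" * 16                 # connection id
)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_hello_body)) + _hello_body
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal protocol_version (70)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(classify_response(SAMPLE_SERVER_HELLO))
        print(classify_response(SAMPLE_TLS_ALERT))
```

Run it as `python sslv2_probe.py host 443` against each IP the scanner lists (the file name and host are placeholders). A result of sslv2_enabled is exactly the finding the post describes; have the host disable SSLv2 (today's scans also fail SSLv3 and early TLS, so ask for those at the same time), then re-run before requesting a rescan. A server that has the protocol disabled will typically either close the socket or answer with a TLS alert, both of which the classifier reports as refused.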
... OR you can use a third party payment page (like PayPal or WorldPay), which really means that you are not processing directly on your site at all.

 

I think this is what toyicebear meant by "payment gateway" in his post above. If the customer enters their information on the payment gateway's page (as in most forms of Paypal from what I understand), then the merchant need not go through a PCI-compliance certification or get SSL (although I think SSL is a good idea anyway).

 

As I have not seen many posts here about the PCI certification process, I assume this is what most osCommerce merchants are doing, and it must work fairly well for them.

 

Unfortunately, "payment gateway" is not well defined as a term, so the information here on the forum can get confusing.

 

I am in Canada and use Moneris as a payment processor. In my case, the customer info is collected directly on my site, and so Moneris required me to get PCI certification and SSL before I could activate my store. The advantage is that I have almost complete control over the "look and feel" of the payment process pages, and that I can check the orders before the transactions go through to Moneris.

 

Moneris also offers the option of using their "Hosted Paypage", meaning a system similar to PayPal where no PCI certification or SSL is required at the merchant end. Unfortunately, they offered no installation support for this option, so I never explored it and can give no further info on it.

 

~Wendy


Wendy,

 

It is Wolfgang again,

 

One more question on the PCI compliance you have passed so simply. I have the same thing going right now, via the Elavon processor with TrustKeeper.

 

I passed the questionnaire just fine. The scan is a total disaster, mostly because of hosting problems way over my head; I am with BlueHost and their Unix/Linux server situation does not conform with PCI.

 

I put a ticket in with them but it looks like a long process, I have 40 issues, 6 violate PCI security.

 

I am tempted to forget all the headache and just go with Google Checkout. If you or anyone else out there knows if that is a way to be somewhat compliant, let me know please!

 

Thanks

Wolfgang


Hi Wolfgang,

 

I'm sorry you are having trouble with your hosting company.

 

It might not be a long process for them to correct their security issues - it all depends on their skill and how badly they want to keep you as a customer. Six PCI issues is not too bad - I had three with Bell Hosting in the summer, and between their efforts and my own, we fixed them.

 

But if BlueHost won't co-operate, you're right - you'll either have to get a new hosting company or go with an option that side-steps PCI compliance.

 

Best of luck!

~Wendy

p.s. - I just Googled "PCI-compliant hosting" and saw quite a lot of listings.

Hi Wolfgang,

 

I'm sorry you are having trouble with your hosting company.

 

It might not be a long process for them to correct their security issues - it all depends on their skill and how badly they want to keep you as a customer. Six PCI issues is not too bad - I had three with Bell Hosting in the summer, and between their efforts and my own, we fixed them.

 

But if BlueHost won't co-operate, you're right - you'll either have to get a new hosting company or go with an option that side-steps PCI compliance.

 

Best of luck!

~Wendy

p.s. - I just Googled "PCI-compliant hosting" and saw quite a lot of listings.

 

Thanks again Wendy. I also just got Google Checkout working, so between all these options....

 

PS: Here is the kicker: Elavon lets you be non-compliant for $20.00 a month after March 2009. Does that smell fishy???
