New security regulations

I am not clear on who the new credit card security regulations that are often talked about apply to:

As an example, I have a very small business that never stores credit card numbers anywhere. I automatically have Innovative Gateway process all my credit card transactions.

I never see credit card numbers, and when I need to make an additional charge I cannot do it by myself. Only the customer or the payment gateway can do this.

I have no relationship with the credit card companies directly, only with my payment gateway.

Note that I do all the normal things: firewall, never use shared hosting, keep my permissions tight, antivirus software, SSL certificates and strict access controls on passwords and PCs.

To date I have received no special requests from my gateway, although I will call again to check if something new is required, like a security scan.

… then you don't care. Same with me. All CC/DC numbers go via API to the Internet Payment Gateway, and they do the job and are PCI approved.

[quote name='Noman']… then you don't care. Same with me. All CC/DC numbers go via API to the Internet Payment Gateway, and they do the job and are PCI approved.[/QUOTE]

Exactly.

I know some people like to manually process card numbers, and companies of Amazon's size keep numbers, but they have a large IT department to take care of everything.

I am wondering, am I missing something?

Why are so many people worrying? Or are they all people who manually process cards and keep card information?

The people who don't have to worry are those who use payment methods that have the customers entering their credit card details on another site, like PayPal or Google Checkout. If they are entering credit card details during checkout on your domain and those details are transmitted to the gateway, you are subject to all the PCI requirements. They are adding a PCI-compliant shopping cart to the list of requirements.

Do you currently undergo PCI testing? The really long questionnaire makes it pretty clear what responsibilities the store has.

Hello,

I process manually, offline, using QuickBooks. I only store the CC numbers until the order is processed, about one day. I don't get or store the CVV number since it's not required to process the card in QuickBooks. I don't allow customers to store CC info for future use.

Due to my low volume, I am classified as Tier 4 with the following requirements.

* Annual SAQ recommended

* Quarterly network scan by ASV if applicable

* Compliance validation requirements set by acquirer.

Since I process offline, I assume there is no acquirer, i.e. authorize.net.

Annual SAQ is recommended, but not required as it is for Tier 1-3 merchants.

Am I missing something here? Or, as long as I don't store the CC numbers and do a quarterly network scan, am I in compliance?

Thanks,

Bob

[QUOTE]as long as I don't store the CC numbers [/QUOTE]

But you do collect and store your customers' credit card details in your store DB, even if it is only for a few hours or so.

[QUOTE]Due to my low volume,[/QUOTE]

I guess it all depends upon what you consider low volume. However, considering you process your card transactions through QuickBooks, you could eliminate the entire PCI DSS concern regarding CS-Cart certification if you were willing to obtain your card details via either phone or fax! This way the card details are neither collected nor stored online in any way, shape or form.

Hi,

No, I have to collect online, not by phone or fax.

CS-Cart allows for storing the details in an open order and then deletes them when processed.

Bob

[quote name='pbannette']Hi,

No, I have to collect online, not by phone or fax.

CS-Cart allows for storing the details in an open order and then deletes them when processed.

Bob[/QUOTE]

I understand what's happening, Bob.

I just called my payment gateway, Innovative, and they are not currently planning any additional requirements on the part of small merchants, and they are compliant on their end.

I mention my gateway as I have zero interactions with Visa etc.; it is the gateway's job to take care of these issues, or at least to advise small merchants.

I use PayPal occasionally, and if at the last minute some new gateway requirement is announced, we could easily switch to PayPal 100% temporarily.

[quote name='Traveler']I just called my payment gateway, Innovative, and they are not currently planning any additional requirements on the part of small merchants, and they are compliant on their end.

I mention my gateway as I have zero interactions with Visa etc.; it is the gateway's job to take care of these issues, or at least to advise small merchants.

I use PayPal occasionally, and if at the last minute some new gateway requirement is announced, we could easily switch to PayPal 100% temporarily.[/QUOTE]

You see, nothing but mass confusion & contradiction! :smiley:

Exactly why I am not losing any sleep over this clusterxxxx mess & will probably start considering it around July 1st. Another prime example of why most small businesses fail within their 1st year of operation, bureaucrats teetering on the edge of retardation! :smiley:

[quote name='pbannette']Hello,

I process manually, offline, using QuickBooks. I only store the CC numbers until the order is processed, about one day. I don't get or store the CVV number since it's not required to process the card in QuickBooks. I don't allow customers to store CC info for future use.

Due to my low volume, I am classified as Tier 4 with the following requirements.

* Annual SAQ recommended

* Quarterly network scan by ASV if applicable

* Compliance validation requirements set by acquirer.

Since I process offline, I assume there is no acquirer, i.e. authorize.net.

Annual SAQ is recommended, but not required as it is for Tier 1-3 merchants.

Am I missing something here? Or, as long as I don't store the CC numbers and do a quarterly network scan, am I in compliance?

Thanks,

Bob[/QUOTE]

Bob,

I just called Innovative, which is the same company/payment gateway as QuickBooks, and they said that QuickBooks 7 will no longer be OK to use for credit cards, so you may want to check which version you are using.

You do store credit cards online from what you say, but:

It does not seem like we will have interactions directly with Visa etc., as it seems like the gateways will have compliance responsibility, not small Tier 4 merchants.

In a worst-case situation the payment gateways will give us a month's warning at least. And I am certain that they will not drop millions of small merchants overnight.

Also, if we are not in compliance due to last-minute requirements, it is unlikely that there will be penalties, again as millions of small merchants will be in the same boat.

Also, CS-Cart will likely be PCI compliant if they need to be, maybe a bit late, but they will be.

So in summary there seems to be little to worry about.

Unless I am misunderstanding something?

Hi,

I just got QuickBooks 2010. I could not import tax information into this year's TurboTax with 2007, but I never saw a notice about not being able to process credit cards in QB2007.

The one thing I am amazed about with QuickBooks 2010 is that I do not see a way to delete all credit card information without going to each account and deleting it. It should have a way to not save after processing. The only PCI function that is new is that I had to create a more complex password, which has to be changed periodically.

Bob