PCI DSS compliance – advice please

rocketman
    Free Member

    Afternoon folks
    The company I work for processes a handful of credit card transactions every year and because of this we have to be PCI compliant.

    One of my co-workers has been involved *cough* with the initial validation but the task of maintaining compliance has fallen to yours truly and I can see that there is Still Some Work To Do as they say.

    Has anyone been involved in PCI compliance testing and if so can they recommend an accredited third party that would help us maintain our compliance? Preferably one that doesn’t cost £1000s

    Cheers

    scuttler
    Full Member

    Starter for ten is what level of merchant you are. By ‘handful’ I guess you’re a level 4 but it essentially determines your obligations and of course associated cost. By compliance testing are you referring to having your website scanned for vulnerabilities and problems that may lead to card data compromise, or something else such as assistance with the questionnaire/process?

    TPTcruiser
    Full Member

    Who do you bank with? Worth a punt if you have small numbers of transactions.
    Sage are used by my employer, I think we were Protex then taken over by Sage, okay for our needs and plugs into accounts package.
    Boxes to tick and a shredder is the outcome; good proof that no card details are held by you.

    nickdavies
    Full Member

    Normally your acquiring bank will recommend you a company.
    I’ve got a few for different merchant accounts, securitymetrics I use for the main questionnaire and then just bang the certificate across to the other banks needing one.

    Costs £12.99 a year I think, just self certify if you’re not putting huge amounts through. If only ‘a few transactions a year’ then you should just fall under basic requirements. You shouldn’t really need any third party involvement but depends on your circumstances.

    boblo
    Free Member

    Email off line if you want a Pen Testing recommendation (not me touting for work BTW).

    colp
    Full Member

    My card company (Elevon) scans once per month.
    I have a Linux server that I just keep updated.
    Once a year fill in an online form. No problems.

    samuri
    Free Member

    Also, some smaller companies choose not to be compliant and take the hit.
    Not saying you should do this, but you might want to look at it.

    Level 2 merchant here and it’s a nightmare.

    rocketman
    Free Member

    Thanks folks just about to head out now but will post again tomorrow.

    We are level 4 and have answered some of the SAQ questions inaccurately (simply to get compliance) which concerns me.

    purpleyeti
    Free Member

    boblo, who do you recommend? Always on the lookout for good companies.

    boblo
    Free Member

    Well, recommend might be a bit strong, but I’ve used Outpost24 a few times and always found them OK. No link apart from being a satisfied customer.

    samuri
    Free Member

    Outpost24 are ok, yep.

    My guess, after going through attestation now about 6 or 7 times, is that virtually all companies aren’t completely honest when they attest, either intentionally or accidentally. Being 100% compliant is extremely difficult. It’s a target, but few actually get there.

    At the end of the day your compliance status will only come under scrutiny if you get breached but you have a duty to be as good as you can and then try and fix the remaining holes through a formalised plan.

    enfht
    Free Member

    Don’t go down the third party route, it’s a very expensive gravy train.

    What compliance level are you?

    The biggest deciding factor is card number retention; it’s the one big game changer IME.

    In reality the hardest obstacles I’ve hit are with the FD choosing their own interpretation of the rules.

    toby1
    Full Member

    Tier 1, just give up now and let someone manage it for you. It’s like trying to run a race where the line is just always off in the distance!
