PCI DSS compliance – advice please

Home Forum Chat Forum PCI DSS compliance – advice please

Viewing 13 posts - 1 through 13 (of 13 total)
  • PCI DSS compliance – advice please
  • rocketman
    Member

    Afternoon folks
    The company I work for processes a handful of credit card transactions every year and because of this we have to be PCI compliant.

    One of my co-workers has been involved *cough* with the initial validation but the task of maintaining compliance has fallen to yours truly and I can see that there is Still Some Work To Do as they say.

    Has anyone been involved in PCI compliance testing and if so can they recommend an accredited third party that would help us maintain our compliance? Preferably one that doesn’t cost £1000s

    Cheers

    scuttler
    Member

    Starter for ten is what level of merchant you are. By ‘handful’ I guess you’re a level 4 but it essentially determines your obligations and of course associated cost. By compliance testing are you referring to having your website scanned for vulnerabilities and problems that may lead to card data compromise, or something else such as assistance with the questionnaire/process?

    Premier Icon TPTcruiser
    Subscriber

    Who do you bank with? Worth a punt if you have small numbers of transactions.
    Sage are used by my employer, I think we were Protex then taken over by Sage, okay for our needs and plugs into accounts package.
    Boxes to tick and a shredder is the outcome; good proof that no card details are held by you.

    Premier Icon nickdavies
    Subscriber

    Normally your acquiring bank will recommend you a company.
    I’ve got a few for different merchant accounts, securitymetrics I use for the main questionnaire and then just bang the certificate across to the other banks needing one.

    Costs £12.99 a year I think, just self certify if you’re not putting huge amounts through. If only ‘a few transactions a year’ then you should just fall under basic requirements. You shouldn’t really need any third party involvement but depends on your circumstances.

    boblo
    Member

    Email off line if you want a Pen Testing recommendation (not me touting for work BTW).

    Premier Icon colp
    Subscriber

    My card company (Elevon) scans once per month.
    I have a Linux server that I just keep updated.
    Once a year fill in an online form. No problems.

    samuri
    Member

    Also, some smaller companies choose not to be compliant and take the hit.
    Not saying you should do this, but you might want to look at it.

    Level 2 merchant here and it’s a nightmare.

    rocketman
    Member

    Thanks folks just about to head out now but will post again tomorrow.

    We are level 4 and have answered some of the SAQ questions inaccurately (simply to get compliance) which concerns me.

    purpleyeti
    Member

    boblo who do you recommend? always on the look out for good companies.

    boblo
    Member

    Well recommend might be a bit strong but I’ve used Outpost24 a few times and always found them OK. No link apart from satisfied Customer.

    samuri
    Member

    Outpost24 are ok, yep.

    My guess is after going through attestation now about 6 or 7 times, is that virtually all companies aren’t completely honest when they attest, either intentionally or accidentally. Being 100% compliant is extremely difficult. It’s a target but few actually get there.

    At the end of the day your compliance status will only come under scrutiny if you get breached but you have a duty to be as good as you can and then try and fix the remaining holes through a formalised plan.

    enfht
    Member

    Don’t go down the third party route, it’s a very expensive gravy train.

    What compliance level are you?

    The biggest deciding factor is card number retention, its the one big game changer ime.

    In reality the hardest obstacles I’ve hit are with the FD choosing their own interpretation of the rules..

    toby1
    Member

    Tier 1, just give up now and let someone manage it for you. It’s like trying to run a race where the line is just always off in the distance!

Viewing 13 posts - 1 through 13 (of 13 total)

The topic ‘PCI DSS compliance – advice please’ is closed to new replies.