
osCommerce


Received a PCI DSS compliance letter


shellyky

Posted

I just received a letter from First Data, which I assume is Cardservice International, about needing to become PCI DSS compliant by Nov 1st, or I'll be charged $20 a month until I do so. This is the first I've really heard about this stuff. And they're really not giving me much time to fix or even research this before they start fining me $19.95 a month after the 1st.

 

So here's what I've got: I use osCommerce obviously, the Linkpoint API payment module (Linkpoint is my gateway, in other words), and Cardservice International/First Data is my processor. Dreamhost is my webhost... we are, and have always been, behind SSL.

 

So where do I start? I went to the website on the letter and printed out some 8-page self-assessment questionnaire (Form A, right? We just do online sales), which I am supposed to fill out and mail to First Data?

Posted

They are most likely who they say they are but I still wouldn't take their word for it. So far, they are just a company that you've never heard of asking for money and personal information. I'd start by contacting Cardservice Intl directly and ask them about it. Also, ask for a copy of whatever document requires this (so you can ensure you are fully compliant) and ask them why they haven't brought this requirement to your attention sooner.

 

Until you have verification of who First Data is, I wouldn't send them any information.

 

Sorry I can't help beyond that. Good luck!

Posted

I'm sure it's real; all my personal account info is on there. I've re-read it. It appears they will be charging me $19.95 a month until I return all of this info and become compliant. So as for "punishment for being late", I guess it's just the $20 a month fee, nothing too drastic, aside from the fact they're also stating I can face $1 million fines if I lose a CC #.

 

I also forgot to mention that my OSC install is older, and it DOES show the credit card # in full view, as opposed to the newer installs, which show nothing. (I'm double password-secured in the admin panel.) I use this feature to do manual charges for people (e.g. an Australian guy orders and I need to add more shipping, so I can manually add that on; or good customers who contact me telling me to just bill it to their account. Linkpoint never has the CC info in view, so I couldn't do this otherwise). I saw a tutorial on how you can put X's there instead of it passing through the CC #; would this be a start? How will "they" know that I can or can't see them? I guess I don't understand how they can "SCAN", as they call it, or check all of this to see if I'm good to go.

Posted

PCI compliance is an important part of running your business. You need to keep your shop up to date and secure. People who want to sell stuff and take credit cards need to realize this. Running a business online is no different than a bricks-and-mortar shop, just a different medium of selling. I would suggest you start with an upgrade to your logic first, then look at making sure the CC number is NEVER stored, in any form or in part, in your site DB.

 

This will go a long way toward making you PCI compliant. The security of the credit cards is YOUR responsibility, and the fine of $20 is just to get your attention; I would not be surprised to see this increased dramatically in the near future to force people to comply with the new rules.

 

cheers,

Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation
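Two things come up in the posts above: Shelly's question about putting X's in place of the card number in the admin view, and Peter's advice that the number must never be stored in the shop's database, in full or in part. The block below is an added example written for this thread; it is not code from osCommerce, from the Linkpoint module, or from any poster. It is in Python rather than the shop's PHP so it can be run on its own. The sample rows are constructed and use well-known test card numbers; the column names (`cc_number`, `cc_expires`) are modelled on the osCommerce orders table but are an assumption here. `mask_pan` applies the PCI DSS 3.3 display rule (show at most the first six and last four digits, the rest replaced with X), and `find_stored_pans` does the check a merchant would run against a database dump or log file before filling in the SAQ: find digit strings of card-number length that pass the Luhn check, and report them masked. Note that the "scan" the letter refers to is an external vulnerability scan of the web host, not an inspection of your database contents; checking what you store is your own job, and this is one way to do it.

```python
import re

# Constructed sample rows, as an older osCommerce orders table might hold them.
# Not real data: 4111... and 5555...4444 are published test card numbers.
# Row 1004 shows what the table should look like after masking on save.
SAMPLE_ROWS = [
    {"orders_id": 1001, "cc_type": "Visa", "cc_number": "4111111111111111", "cc_expires": "0929"},
    {"orders_id": 1002, "cc_type": "MasterCard", "cc_number": "5555555555554444", "cc_expires": "1130"},
    {"orders_id": 1003, "cc_type": "", "cc_number": "", "cc_expires": ""},
    {"orders_id": 1004, "cc_type": "Visa", "cc_number": "XXXXXXXXXXXX1111", "cc_expires": "0929"},
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run (so an order number or timestamp is not picked up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display or storage.

    PCI DSS requirement 3.3 permits showing at most the first six and the
    last four digits; everything in between is replaced with X. The default
    (last four only) is what a refund or reorder screen actually needs.
    """
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most the first 6 and last 4 digits")
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        return "X" * len(digits)        # too short to keep anything safely
    middle = len(digits) - keep_first - keep_last
    tail = digits[len(digits) - keep_last:]
    return digits[:keep_first] + "X" * middle + tail


def find_stored_pans(rows):
    """Scan every string field in the rows for full card numbers.

    Returns (orders_id, field, masked_value) for each hit. Only Luhn-valid
    candidates are reported, which removes most false positives from
    tracking numbers and the like. Already-masked values (X's plus four
    digits) do not match, which is the state you want the table in.
    """
    findings = []
    for row in rows:
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            for m in PAN_RE.finditer(value):
                digits = re.sub(r"\D", "", m.group())
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append((row["orders_id"], field, mask_pan(digits)))
    return findings


def scrub_rows(rows):
    """Return a copy of the rows with every stored PAN replaced by its masked form."""
    cleaned = []
    for row in rows:
        new_row = dict(row)
        for field, value in row.items():
            if isinstance(value, str) and PAN_RE.search(value):
                new_row[field] = mask_pan(value)
        cleaned.append(new_row)
    return cleaned


if __name__ == "__main__":
    for hit in find_stored_pans(SAMPLE_ROWS):
        print("stored PAN in order %d, column %s: %s" % hit)
    print("after scrub:", find_stored_pans(scrub_rows(SAMPLE_ROWS)))
```

Running it reports orders 1001 and 1002 as holding full numbers and nothing after `scrub_rows`. Masking the column in the database is only the first half of Peter's point: the manual re-bill workflow Shelly describes has to move to the gateway (a stored token or a reference to the original authorization) rather than a number kept in the shop, because a masked value cannot be charged and a full one must not be kept.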

Posted

Hey Shelly,

 

This might be a useful, if not interesting, read - PCI Compliance Guide.

 

;)

- :: Jim :: -

- My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4 -

Archived

This topic is now archived and is closed to further replies.
