QUOTE (Ayla @ Sep 13 2010, 01:29 PM)
Our merchant account insisted we take SAQ C (SAQ Validation type 4) when I felt we should have taken SAQ A (SAQ Validation type 1). Now they state we require quarterly scanning of our computer's IP addresses. We are not transmitting any data. We are an ecommerce site only. Using Authorize.net as our gateway from Network Solutions cart to process cards - real time. They said because we do occasionally take phone orders and then enter the person's credit card into Network Solutions or Authorize.net Virtual terminal that is why our own computer's IP addresses need to be scanned? Anyone else doing exactly what we do and was required to take SAQ C? And being required to have their own computer's IP addresses scanned quarterly? Any guidance would be greatly appreciated. Thanks.
P.S., We are a level 4 merchant. Now they are trying to tell me it is required my website be scanned as well and are stating the following, copied and pasted in quotes from their email to me: "we will perform an IP Discovery to associate all IP Addresses to your website for you to scan. When you scan the website, you want to notify your webhost of "Scanning Co Name" netblock range "xxxxxxxx" and ask them to whitelist us to allow us to scan"
I found this on the pcicompliance guidelines website:
• Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
I still feel I am validation type 1, NOT 4 or 5? Anyone dealing w/ the same issues? thanks.