> PCI - Which Questionnaire?
Ayla
post Sep 13 2010, 12:29 PM
Post #1
Group: Verified NS Member
Posts: 151
Joined: 30-May 08
Member No.: 1,208

Our merchant account insisted we take SAQ C (SAQ Validation type 4) when I felt we should have taken SAQ A (SAQ Validation type 1). Now they state we require quarterly scanning of our computer's IP addresses. We are not transmitting any data. We are an ecommerce site only. Using Authorize.net as our gateway from Network Solutions cart to process cards - real time. They said because we do occasionally take phone orders and then enter the person's credit card into Network Solutions or Authorize.net Virtual terminal that is why our own computer's IP addresses need to be scanned? Anyone else doing exactly what we do and was required to take SAQ C? And being required to have their own computer's IP addresses scanned quarterly? Any guidance would be greatly appreciated. Thanks.
Ayla
post Sep 13 2010, 04:54 PM
Post #2
Group: Verified NS Member
Posts: 151
Joined: 30-May 08
Member No.: 1,208

QUOTE (Ayla @ Sep 13 2010, 01:29 PM) *
Our merchant account insisted we take SAQ C (SAQ Validation type 4) when I felt we should have taken SAQ A (SAQ Validation type 1). Now they state we require quarterly scanning of our computer's IP addresses. We are not transmitting any data. We are an ecommerce site only. Using Authorize.net as our gateway from Network Solutions cart to process cards - real time. They said because we do occasionally take phone orders and then enter the person's credit card into Network Solutions or Authorize.net Virtual terminal that is why our own computer's IP addresses need to be scanned? Anyone else doing exactly what we do and was required to take SAQ C? And being required to have their own computer's IP addresses scanned quarterly? Any guidance would be greatly appreciated. Thanks.


P.S. We are a level 4 merchant. Now they are trying to tell me it is required my website be scanned as well and are stating the following, copied and pasted in quotes from their email to me:
"we will perform an IP Discovery to associate all IP Addresses to your website for you to scan. When you scan the website, you want to notify your webhost of "Scanning Co Name" netblock range "xxxxxxxx" and ask them to whitelist us to allow us to scan"

I found this on the pcicompliance guidelines website:

• Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.

(IMG:https://www.controlscan.com/images/faq_saq_validation_type.gif)

I still feel I am validation type 1, NOT 4 or 5. Anyone dealing with the same issues? Thanks.
AstorStreet
post Oct 7 2010, 01:09 PM
Post #3
Group: Verified NS Member
Posts: 68
Joined: 2-September 09
Member No.: 5,128

Ayla -
What has happened with this? Are you considered a level 1 or level 4? What scanning service did you decide to use?
Thanks
1073458
post Oct 16 2010, 02:59 PM
Post #4
Group: Verified NS Member
Posts: 21
Joined: 10-June 08
From: Virginia
Member No.: 1,270

"They said because we do occasionally take phone orders and then enter the person's credit card into Network Solutions or Authorize.net Virtual terminal that is why our own computer's IP addresses need to be scanned?"
--------

This is exactly what I found out nearly 3 years ago with our processor. The keyword for compliance is "transmit" credit card data. When you enter a credit card number from your local computer to netsol or Authorize.net you are transmitting cc data. I have been getting quarterly scans on my IP address connected to my local PC since then (although I have major doubts as to their value other than filling a compliance checkbox). Bottom line is that if you manually enter cc orders into Netsol MCP, you are a Validation Type 4 merchant and your device needs to be PCI compliant as required by your processor.

IMO this is a big can of worms. The PCI requirements state that ANY computer AND local network you use to enter cc data MUST be PCI compliant. That means even your laptop that you use on the road to enter data must also be compliant. I don't even want to think about the implications for entering cc data with your smartphone using a local wifi (how do you get your smartphone compliant?).

Based on what I have learned, the model of using any computer as a virtual terminal to enter orders to your SECURE gateway is totally flawed. ANY device you use to transmit cc data over the internet must be compliant. It does not matter that you are using an SSL connection. The device itself and the local network it is using must be compliant. Frankly, I don't think the processing industry wants to fully address the issue because it makes their virtual terminal feature much more expensive for the merchant. Even Paypal says that if you use their Virtual Terminal feature on your home computer, you must be PCI compliant, but they give little guidance other than a link to a PCI SSC Approved Scanning Vendor.
Network Solutions © 2011