PCI Compliance + Barclaycard PDQ + v7
Shirley Beech
16-Apr-2008, 05:26 PM
We take orders via Actinic Catalogue and charge through our own Barclaycard PDQ. Now with the compliance coming into force at the end of the month, we are wondering if anyone knows of a host that has PCI Compliance certification, whereby we are still able to use our PDQ for taking payments.
Unfortunately our host regretfully has not passed the compliance test, and we are out on a limb.
I have been warned by SecurityMetrics that not all companies stating they are PCI compliant are, and they are willing to run a scan on anyone we may wish to use.
Any help would be much appreciated.
Shirley
RuralWeb
16-Apr-2008, 05:32 PM
If you do a search you will find a HUGE thread on the subject of compliance and Barclays
Shirley Beech
16-Apr-2008, 09:42 PM
Mal,
Many thanks for trying to help. I had realised this, but feel that many users are not using an electronic PDQ to charge for orders, but are using a PSP. We had a shop for 13 years and continued using this method when we became an e-commerce site.
Surely there must be some hosts out there, who are PCI Compliance compatible without resorting to PSP payments.
Shirley
leehack
16-Apr-2008, 09:50 PM
I think you may have missed the whole basis of PCI. If you do not use a PSP, where are the card details held and how is it compliant, given that Actinic software does not meet the guidelines? Spend your time investigating which PSP to use, cos sure as damn it, a PSP is one thing you will have to do. Actinic Payments launches soon, take a look into it, sounds perfect for you.
RuralWeb
16-Apr-2008, 09:56 PM
Jo at pinbrook has compliant hosting but as lee says checkout all the options first as a psp such as the new actinic system is the way to go. Downloading card details will soon be a big no no.
pinbrook
16-Apr-2008, 10:23 PM
We aren't offering compliant PCI hosting on shared servers as it is simply not possible to do so. We could get compliance and then someone uploads a dodgy script and POP goes our compliance for 3 months.
We only offer PCI compliant hosting on dedicated servers.
Shirley Beech
17-Apr-2008, 07:09 AM
Leehack,
I had given our name for information on the Actinic payments which is launching soon, and am waiting for info.
I just wish it was possible to continue the way we are going with a Host who is PCI compliant. It would be so much easier, as if we find we are out of stock, and the item no longer available from our supplier, then we have to issue a credit with a PSP, whereas now we only have to credit on an occasional basis, because we do not charge normally until the items are despatched.
In my innocence I thought that the extra expense we paid for a "secure padlock" gave extra security also, but I am now wondering if this means nothing with the PCI Compliance thing.
Regards
Shirley
Shirley Beech
17-Apr-2008, 07:10 AM
Mal,
Thanks. Hopefully my nightmares will come to an end when Actinic sort it. However, am I correct in wondering if I will have to update from v7 to make it possible.
Regards
Shirley
Shirley Beech
17-Apr-2008, 07:12 AM
Jo,
Thanks for your comment. I had intended getting in touch with you to see if you were compliant for our needs. It would appear however that one has to buy a server, and I am not clever enough to handle that as well. If I am wrong do please let me know.
Regards
Shirley
RuralWeb
17-Apr-2008, 07:36 AM
Yes, you will need to upgrade to v9 for the new payments system, but it will mean you don't need a dedicated server, so it may be cheaper in the long run to upgrade. If you have cover then the upgrade is free, but even if you don't then upgrading is the way ahead, as v7 is very old now and with v9 you will soon make your money back in increased sales.
leehack
17-Apr-2008, 07:45 AM
I still think you have the wrong angle of looking at this, it's about your payment processing more than your hosting. Uncompliant hosting + compliant PSP is fine. You have the option for pre-auth with PSPs, I think this is going to become the law to use in the future, so you are only taking money when shipping the products.
The days of your own padlock and downloading orders onto your PC to process manually are finished and rightly so. 50% of site owners can still not grasp taking a snapshot each day and storing it safely, how on earth can we put these people in charge of 1000s of credit card details? More important than that, if their system gets robbed, they present a thief with 1000s of card numbers and addresses AND they have no backup records of the sales most of the time.
Some Actinic users are seriously walking a tight rope, the quicker they are forced to protect things properly, the better. There is a big case with a huge compensation claim just waiting around the corner for someone at the moment, once it happens, everyone will run round like headless chickens getting a PSP.
Shirley Beech
17-Apr-2008, 08:19 AM
Lee,
Thanks for that advice. Is it possible then that with Actinic Payments we will be able to take back orders and charge when the goods are despatched, rather than the payment company taking all the money when the order is originally placed?
Regards
Shirley
leehack
17-Apr-2008, 08:27 AM
I believe so Shirley, yes, but I am somewhat in the dark on it also. Croccy knows more about it than me, I just wish it was launched and ready to use, there has been enough hype and talk about it, let us bloody see it now!
I think AP is the most excitement we've had since V8 was launched, it's a sad world in web design, or maybe it's just me who is sad.
Shirley Beech
17-Apr-2008, 08:37 AM
Lee,
Let us hope so, we could have "Self Certified" but decided to go the correct route, and what a minefield it has turned out to be.
Sorry, don't know what "AP" stands for. Do hope it all works out eventually, sincere thanks for your help and support. When you read other forum messages, it is good to know we are not the only ones who have been having problems with it.
Regards
Shirley
leehack
17-Apr-2008, 08:39 AM
AP = Actinic Payments. It has been a minefield and many of us are hoping that the Actinic helicopter lifts us out shortly, we can only walk round for so long before we lose a leg.
Shirley Beech
17-Apr-2008, 08:54 AM
Lee,
Thanks for your comments. Having delved into this, we are now a lot clearer about it than we were, and we were not prepared to go "self certification", hence the paying of SecurityMetrics to check out our vulnerability. We will take your advice and update to v9, and hopefully will then be able to use Actinic as the PSP provider.
Having my credit card cloned, when purchasing petrol at a garage, I realise what can happen also.
Again thanks.
Shirley
RuralWeb
17-Apr-2008, 09:06 AM
PCI is a bit like the credit crunch we are seeing at the moment. People like up and I have been warning about it for a couple of years, but it's now here and there is a panic. Actinic Payments can be seen as a bit like the Bank of England trying to pull us all out of the crisis.
Still, Actinic is coping better than a lot of other ecommerce software at the moment. I can see an awful lot of sites having to close down, and perhaps for once Actinic are one step ahead of the game.
Shirley Beech
17-Apr-2008, 09:18 AM
Mal,
Thanks again for your comment. I realise that now. Hopefully it will all work out in the end. Even shops with websites must be having problems also with this PCI compliance. I would like to know of one company that has passed the Compliance test!!!
Shirley
pinbrook
17-Apr-2008, 09:25 AM
Several points
1. Level 4 self cert is a lot easier to achieve than jumping through hoops with Security Metrics
2. Using a PSP means they have to show compliance and not you, see other threads on PCI to see this discussed
3. Actinic with SSL or shared SSL is not compliant, not because of security of encryption but more because of procedures, PCI is all about procedures
4. Pinbrook dedicated servers are managed, thus to run a site on one of our DS does not require any tech knowledge, you get the same control panel as shared hosting (we manage the server)
5. Actinic Payments has been incorporated into 8.5.3, due for release very soon (today, tomorrow), and v9, and does allow things like taking payment on shipping not on ordering. AP has been written with PCI in mind and replaces Actinic shared SSL and using SSL on its own
RuralWeb
17-Apr-2008, 09:55 AM
Jo, don't you get tired of posting this info all the time? IMO Chris should make a statement similar to your last post a sticky so we can avoid any more threads like this.
Shirley Beech
17-Apr-2008, 10:59 AM
Thanks Jo,
I feel more confident now and understand a lot more, and would like to thank Lee, Mal and yourself for all your help. We will update to v9 and go to Actinic Payments when they are ready.
Kind regards
Shirley
RuralWeb
17-Apr-2008, 11:23 AM
It's a big boat and we are all in it, so don't panic, as I don't think the PCI police will be banging on your door anytime soon. It's a bit like DDR, there is a £5000 fine for not being compliant with that as well, but not many people worry about that even when most sites fail.
pinbrook
17-Apr-2008, 11:47 AM
I'm used to repeating myself - I do it all the time at home :)