07-Apr-2009, 05:51 PM
cbarling
Administrator
Following discussions with the PCI DSS Director at Barclays, I would like to clarify what are our recommended options for Barclays merchants who also use Actinic:

- If you only take card payments for ecommerce orders using the web page of a compliant PSP, your web site does not need a security scan, although it is still good practice to do one. You are SAQ validation type 1, and need to complete SAQ form A.

- If you take card payments for ecommerce orders using the web page of a compliant PSP, and take mail order related payments or card present payments using a card terminal (PDQ) you are SAQ validation type 3, and will need to complete SAQ form B.

- If you take card payments for ecommerce orders using the web page of a compliant PSP, and also use the compliant PSP's web form for taking mail order related payments, you must get an external scan of your office network (to make sure hackers can’t get in from outside) and you are required to run a virus checker on every PC. You are SAQ validation type 4, and need to complete SAQ form C.

These are the three options recommended by Actinic because they combine the best security with the least cost and hassle.

If you are in any doubt about which SAQ to complete, Barclays state that Security Metrics will take you through a free needs analysis and determine which one should be completed.

Security Metrics can provide the external scan for the third case (Type 4 / SAQ C) at a reasonable cost, even if you are connected to the Internet by broadband and don’t have a fixed IP address.

Details of up to date SAQ forms can be found at:

https://www.pcisecuritystandards.org...l#instructions

If you are completing SAQ C, and you use a compliant PSP to capture ALL card data, we suggest that you tick "Yes" and simply put the name of the PSP in the "Special" column for the requirements that are fulfilled by the PSP (so for Actinic Payments you would put "Via Creditcall", who provide our service, in the "Special" column).

In all cases, the merchant is ultimately responsible for their own PCI DSS compliance. If you use any other method for capturing card data, a lot more compliance activities are required.

Although we have been specifically discussing Barclays Merchant Services here, we believe that the same rules apply to all of the banks.

I hope that this helps.

Chris
__________________
Actinic Webinars cover a variety of topics

Actinic Knowledge Base contains many answers to common questions

Ecommerce shopping cart by Actinic