#1
    I'm Getting to Know A1 A1 Member
    Join Date
    May 2008
    Posts
    30
    Thanks
    4
    Thanked 4 Times in 4 Posts

    PCI vulnerability scans

    I have a GeoTrust SSL certificate in place, Protx & their VSP Direct service as gateway provider including having 3D Secure enabled, a dedicated IP, BMS as the acquiring bank - don't take payment in any way other than via the checkout system, a fab host and nowwwww need a PCI vulnerability scan in order to comply with Visa & Mastercard's security measures .. According to Requirement 11 these scans need to run at least quarterly and after receiving a shock £74.99 for the oncoming year am slowly getting over the impact this additional cost will have.

    Many many apologies for the rant, would love to hear others' experiences, any pointers or something that I may have missed ..

    xx

#2
    I'm Getting to Know A1 A1 Member
    Join Date
    May 2008
    Posts
    30
    Thanks
    4
    Thanked 4 Times in 4 Posts

    No links sorry, I've not enough posts here to qualify - please PM & I'll email

    I'm not sure how useful this may be, but for anyone who finds themselves in the same 'suddenly dark cupboard' situation as me .. fingers crossed this will help ..

    Silkysteps' payment process has *currently been classified as a Level or type 4 merchant and *1 is required to be PCI compliant.

    This is because my customers enter their credit card details on a page of Silkysteps - rather than being transferred / redirected to the servers of a payment provider.
    My payment page is secured by an SSL certificate and, using Protx's VSP Direct service, customers' encrypted details are captured and then sent to their server for authorisation.

    Implications that this compliance has for me at the moment - as a sole trader with no physical / virtual access to customers' credit card details .. quarterly vulnerability scans of the website and an annual submission of the SAQ - Self Assessment Questionnaire + Attestation doc.

    In place - a more comprehensive Data security & protection policy which includes and outlines my setup, personnel, locations, access & storage, all steps taken to publish the information and ongoing security measures.
    Company services used - dates, Scan reports, evaluations ..
    Timetable to prompt reminders for scan dates, submission of the questionnaire, ssl certificate renewal date.
    Statement of service provision: no 'over the phone' or other device transactions. No terminal hardware - chip & PIN use, policy updated & amended on an ongoing basis .. annual review ..

    PCI DSS - Payment Card Industry
    PCI Approved Scanning Vendors - ASVs
    www.pcisecuritystandards.org/pdfs/asv_report.html

    I am surprised, or maybe not, at the number of ASVs - none, that I could find - offering a straightforward, prices and terms up front, 'pay per scan' (ideally a successful one) or on demand service that matched what I was personally hoping to find ..

    This quarterly scanning requirement looks to be as frequent & regular a need as making sure the paper & pen cupboard is full - I enjoy shopping around!

    The list of approved vendors is long, but I have been right through it as of yesterday and come up with some information:
    The only 2 ASV sites with a buy now + price that informed my understanding are ..

    www.controlscan.com/pcicompliance.php
    www.clone-systems.com/ecommerce/pci-asv-services - includes an additional maintenance charge, and as checked today only offer USA coverage.
    www.ncircle.com/index.php?s=products_pci-compliance

    My acquiring bank Barclaycard MS have an association with SecurityMetrics that I kind of fell into - they have some agreed discounts for merchants, and an online facility to check merchant type, acquiring bank re any entitled discount, compliance needs and price calculation .. which I didn't go through.
    It was all helpful in grasping an understanding of the requirements SAQ & attestation have - and will help to make more informed choices and decisions in the future ..
    www.securitymetrics.com/sitecertinfo.adp

    This page is excellent for leads / logo recognition and information gathering:
    www.secure-enterprise.com/partners2.html

    and I found the PCI compliance guide website plus this quote, not so much the last bit, helpful ...
    According to Visa, Level 4 merchants handle fewer transactions than Levels 1,2 and 3, but they account for more than 99 percent of the merchants that accept Visa. This is an ultimate playground for hackers.
    Source: www.pcicomplianceguide.org/merchants-20071022-gaining-pci-compliance.php?step=merchantcompliance

    and hopefully time will allow for checking up on these sites at a later date ..
    www.saintcorporation.com
    www.surecloud.com

    Tip, DBAs - on the forms, Doing business as .. sorry for this inclusion, I come across soooo many acronyms which aren't usually business orientated!

    Please be aware this post is my own experience based on my search / analysing methods and business needs.

    *who knows what will change ..
    *1 - Protx have emailed stating
    With regards to your query below I have accessed your account and as you are using VSP Direct you are required to be PCI compliant.
    Silkysteps is compliant
    Phil .. thank you so much xx


    Please anyone, if you have information that supersedes, updates or informs this, add on

  The Following User Says Thank You to Ruthierhyme For This Useful Post:

    openmind (21-02-2009)
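The post above describes a reminder timetable for scan dates, the SAQ submission and the SSL certificate renewal. The script below is an added illustration of that timetable, not code from the poster or any ASV: it evaluates a constructed scan history against a rolling 90-day window (an assumption standing in for "at least quarterly"), reports whether a rescan is needed when the newest scan failed, and sorts the three reminders by date. The lead times, the 90-day window and the sample dates are all assumptions.

```python
"""Compliance calendar for a small (Level 4) e-commerce merchant.

Added example: not the poster's own tooling. Evaluates a constructed ASV
scan history against the quarterly external-scan requirement (PCI DSS
Requirement 11), modelled here as a rolling 90-day window, and produces
the three reminder dates the post lists: next scan, SAQ/attestation
resubmission and SSL certificate renewal.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SCAN_WINDOW_DAYS = 90       # assumption: "quarterly" modelled as a rolling 90-day window
LEAD_TIME_DAYS = 14         # assumption: reminder lands two weeks before a deadline
CERT_WARNING_DAYS = 30      # assumption: warn a month before the certificate expires


@dataclass(frozen=True)
class ScanResult:
    run_on: date
    passed: bool
    vendor: str        # hypothetical ASV label, only used for display


def latest_passing_scan(history):
    """Most recent ASV scan that passed, or None if there is none."""
    passing = [s for s in history if s.passed]
    return max(passing, key=lambda s: s.run_on) if passing else None


def scan_status(history, today):
    """Classify the merchant's quarterly-scan position on `today`.

    Returns (status, next_due):
      "no passing scan"  never passed a scan; one is due immediately
      "lapsed"           last passing scan is older than the window
      "rescan needed"    still inside the window, but the newest scan failed
      "compliant"        newest scan passed and is inside the window
    """
    last_pass = latest_passing_scan(history)
    if last_pass is None:
        return "no passing scan", today
    next_due = last_pass.run_on + timedelta(days=SCAN_WINDOW_DAYS)
    if next_due < today:
        return "lapsed", next_due
    # The newest scan is at least as recent as last_pass; if it failed,
    # the merchant is covered only until next_due and must remediate and rescan.
    newest = max(history, key=lambda s: s.run_on)
    if not newest.passed:
        return "rescan needed", next_due
    return "compliant", next_due


def reminders(history, saq_submitted, cert_expires, today):
    """Reminder dates for the three recurring items, earliest first.

    Each entry is (item, remind_on, note). SAQ + attestation is treated as
    due one year after the last submission (assumption).
    """
    status, scan_due = scan_status(history, today)
    items = [
        ("ASV scan", scan_due - timedelta(days=LEAD_TIME_DAYS), status),
        ("SAQ + attestation", saq_submitted + timedelta(days=365 - LEAD_TIME_DAYS), "annual"),
        ("SSL certificate renewal", cert_expires - timedelta(days=CERT_WARNING_DAYS), "annual"),
    ]
    return sorted(items, key=lambda item: item[1])


# Constructed sample history (not real scan data): a passing scan in November,
# then a failed one in February, as happens when a rescan turns up a new finding.
SAMPLE_HISTORY = [
    ScanResult(date(2008, 11, 10), True, "asv-a"),
    ScanResult(date(2009, 2, 3), False, "asv-a"),
]

if __name__ == "__main__":
    today = date(2009, 2, 5)
    rows = reminders(SAMPLE_HISTORY, date(2008, 9, 1), date(2009, 9, 1), today)
    for item, remind_on, note in rows:
        flag = "OVERDUE" if remind_on <= today else ""
        print(f"{remind_on}  {item:<24} {note:<16} {flag}")
```

The distinction the status function makes is the one that matters in practice: a failed scan does not immediately break compliance while a passing scan from the current window still stands, but the window keeps running from that earlier pass, so the rescan deadline is the old pass date plus the window, not the failed scan's date plus the window.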

#3
    Resident Server Geek
    Join Date
    Mar 2008
    Location
    In front of my computer...
    Posts
    3,180
    Thanks
    248
    Thanked 676 Times in 523 Posts
    Blog Entries
    4


    Good stuff Ruth. After working closely with you on this one I have made the decision to look into partnering with a PCI audit company to offer PCI scans for store owners. Hopefully it will be cheaper than what you are paying.

#4
    I'm Getting to Know A1 A1 Member
    Join Date
    May 2008
    Posts
    30
    Thanks
    4
    Thanked 4 Times in 4 Posts


    Quote Originally Posted by openmind View Post
    Good stuff Ruth. After working closely with you on this one I have made the decision to look into partnering with a PCI audit company to offer PCI scans for store owners. Hopefully it will be cheaper than what you are paying.

    That is the best news! Will very much look forward to hearing how things develop ..

#5
    I'm Getting to Know A1
    Join Date
    Oct 2008
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts


    This would be something we'd be interested in, as some of the offerings currently available are costly and it's so difficult to gauge their worth.
