Are you PCI Compliant?

[MrHowie]

I’ll be honest, last year I did not know I wasn’t PCI compliant. Blame it on ignorance, blame it on misinformation. I am just curious, how many of you are truly PCI Compliant and how many of you are like what’s a PCI? It seems like it is virtually impossible for a small business to achieve compliance while still enjoying the conveniences of POS integrated online ordering and credit card processing. Until they have been through a breach, I imagine most people, like myself, are clueless. POS providers talk about how they are PCI Validated, yet when their system is actually set up with all the bells and whistles, you are left with a questionably secure system. And that ultimately is your responsibility. So, do any of you use things like vendor safe, etc for security? Do you take credit cards through your POS?
D

 

[Bubba]

If you are not compliant, you will be assessed an addtional charge by your provider. It did not take long to go through the hoops. All done online.

 

[MrHowie]

SAQ D is pretty in depth. I know it is self administered, but it seems like a lot of people click yes and don’t actually do the things needed, all you did is save the 15.00 your processor charged you. After the breach, I ultimately decided to pull my credit cards out of the POS and run them on my old dialup terminals. For me, the potential risk far outweighs the convenience of integrated processing. Breaches on small businesses are becoming pretty common and I can’t imagine you will get through a breach for under 15,000, even if you had you SAQ filled out. Do you use integrated processing, do you use direct processing that doesn’t store card numbers in you system, do you have a good firewall in place?

 

[Deacon_V]

And just what are you selling Howie?

 

[Jeff_Ward]

I think all credit card processors have arrangements with third-party security assessors to help merchants with PCI compliance. I know that our recommended processor works with 403 Labs to help you complete the SAQ and do the required quarterly network scans. They charge $149 a year for this service.

The majority of the work for PCI compliance falls on the POS developer. The developer goes through great pains to get through their PA-DSS Assessment and they know what you need to do to be compliant. If you follow the information published in your POS supplier’s “Implementation Guide” and work with a security assessor for your network scans it’s pretty easy.

The SAQ-D is only required if your POS system stores credit card data. It is very in-depth and needs to be because storage of credit card data is where most of the risk lies.

 

[Jeff_Ward]

deaconvolker:

And just what are you selling Howie?

He’s a Firefly user and has their software in two restaurants.

 

[MrHowie]

I am by no means selling anything. If anything I am telling you not to buy things. I was just wondering who got stuck filling out a SAQ D and were you able to legitimately fill it out. I keep dealing with companies that tell me they have the solution and none of them actually do. My point is that if you actually read through this stuff, there is no way you can be compliant. The only way is to offload credit cards and not store any information. Just thought some other people might have something that worked well for them (eg, a certain processor, pos, card processing software, security company, dialup terminals). There are some companies out there that sell you a firewall and handle all of your logging, etc, does anybody use one? I went through the 403 labs stuff and their saq stuff is pretty detailed. But I still feel like even IF I can truthfully answer yes, I am not fully protected. I mean, just recently citi group and RSA got hacked. I know those are more high profile, but the threat is real.
D

 

[califood]

It appears that the majority of the security issues are happening with FireFly. We are back to dial up credit card processing. Firefly service, help and security seems to have gotten worse since Grandbury bought them.