#1
This is more of an informational post for those who require PCI compliancy.
As some of you know, the credit card industry is moving towards forced PCI compliance... This includes Visa, MC, AMEX and Discover/Novus cards. Visa is yet again broadening the PCI compliance. This means if you are accepting credit cards, that the new changes may affect you sooner or later. A few days ago, VISA has again broadend level 2 mechants. If a Visa retailer, for example, doesn't alert Visa to a loss of cardholder or any other security problem, the retailer faces a penalty of $100,000 per incident. This is in addition to other significant other penalties for VISA, MC and AMEX can be as high as $500K. Some recent info: http://storefrontbacktalk.com/story/...astatement.php http://www.eweek.com/article2/0,1895...EMNL072406EOAD http://www.cioinsight.com/article2/0...1789022,00.asp http://visa.com/press If you want FREE PCI compliancy checking, feel free to sign up here: https://www.scanalert.com/ to create a FREE sponsored PCI account. (click link) If anyone wants the full-blown Hacker-Safe from Scanalert, PM me and we can offer you a better price. Last edited by ursr : 07-25-2006 at 06:31 AM. |

#2
Wait, what does this mean? Now I'm hosted through ustinet... what does this mean for people like me?
|
#3
You can sign up for the sponsored PCI too. That is open to any merchant who wishes to take advantage of it, regardless of whether they use our services or not. I posted it here for everyone and anyone who wants it, as I deem this useful. Occasionally, you can even negotiate better cc discount rates if you can prove PCI compliancy.

ScanAlert's PCI product is recognized by the industry as the leading PCI compliancy certifier, and is easy to use. (sounds like a commercial). Hackersafe is more for someone running their own machine or wanting to test their apps and network with ScanAlert's vulnerability scanning. ScanAlert's Hackersafe is a paid service. Level 2 merchants are probably bigger than most hosts here, but the PCI scanning is free through us, so go for it.

Last edited by ursr : 07-28-2006 at 10:39 PM.

#4
My credit card processor sent me a letter in the mail a few months ago. The letter basically stated that ALL credit card processors in the United States are to enforce their merchants to be PCI compliant.

PCI DSS is a set of comprehensive requirements for enhancing payment account security and the security of your customers' sensitive information. So, my credit card processor told us to sign up for an account with a PCI Compliance site. There was a list of companies and we decided to choose Security Metrics. Security Metrics then asked a few questions about how we handle customer data: is it encrypted, do others have access to this data . . . etc. Then they asked if we process credit card transactions over the Internet. Since we do, they stated that they need to know the URL and website where orders are being taken or inputted by the customer.

Then they (Security Metrics) ran a PEN test (Application Penetration test). Basically, what this is is they try to run a series of tests to test out exploits on a website. They also test to see if certain services are being run and if the web server is secure. Everything came out clean except for Agile Bill. Security Metrics was able to inject data into the PHP, which was a security risk, and our certification failed. Now we did fix this by implementing some mod_rewrite rules. I highly suggest that you implement some form of mod_rewrite rules and, if this project is still alive, that the developers take a look at the application and secure it. I will be more than happy to assist the developers of Agile to get this software up to date and more secure.

True Call International
A Better Way To Talk
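The post above says the failed scan was worked around with mod_rewrite rules but does not show them. The following is an added example written for this thread, not the poster's rules and not part of Agile Bill: a minimal Apache mod_rewrite filter that returns 403 for requests whose query string carries patterns a billing application has no legitimate reason to accept. The `/billing/` path prefix is a hypothetical assumption; substitute the path the application is actually served from.

```apache
# Added example (not the poster's configuration, not Agile Bill code).
# Goes in the vhost or in an .htaccess file; for .htaccess the directory
# needs "AllowOverride FileInfo" so mod_rewrite directives are honoured.
RewriteEngine On

# Each RewriteCond matches against the raw query string, case-insensitive
# (NC). OR chains the conditions; the last one has no OR so the chain ends.
# Hypothetical path prefix: the billing app is assumed to live under /billing/.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E)        [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f)                [NC,OR]
RewriteCond %{QUERY_STRING} union(\s|%20|\+)+select          [NC,OR]
RewriteCond %{QUERY_STRING} (php://|proc/self/environ)       [NC]
# F = respond 403 Forbidden, L = stop processing further rules.
RewriteRule ^billing/ - [F,L]
```

Two caveats a practitioner would want alongside this. First, a rewrite filter is a perimeter band-aid: it only blocks strings that happen to match, and the actual fix is input validation and proper escaping inside the PHP that the scanner was able to reach, which is exactly what the post asks the Agile developers to do. Second, the `[F]` flag leaves a 403 in the access log, so blocked requests remain visible for review rather than silently disappearing; check that log after deploying the rules to confirm legitimate traffic is not being caught.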