One thing a partnership provides is education. ControlScan has notified us that Phase III of the PCI-DSS program is upon us (see the bulletin). If you are running an e-commerce shop or plan to, then you may want to review the upcoming changes in the PCI-DSS program. On October 1st, 2008, Phase III will be in effect. Under Phase III, banks cannot board new Level 3 or Level 4 merchants that cannot attest to PCI compliance. If you need PCI compliance, now would be the time to get started. Best of all, ControlScan is providing a free 14-day trial for rackAID clients. The offer expires at the end of the month.
The new rules are designed to stop some merchant shopping and raise overall compliance. Some e-tailers are jumping from merchant provider to merchant provider in an effort to escape the PCI-DSS requirements; Phase III will put an end to that practice. With the holidays fast approaching, I recommend checking with your acquirer about your PCI compliance responsibilities.
As I understand the regulations, if you accept any credit card information through your server, whether via email, web site or another method, then you may need to follow the PCI guidelines. If you outsource 100% of your credit card processing and never receive the credit card details, then your processor is the responsible party. However, if credit card numbers are emailed to you, stored in a database, or held on another computer system under your control, then you may want to check with your bank about your responsibilities under PCI-DSS.
rackAID’s PCI Services
As we announced earlier this month, we have entered a partnership with ControlScan to provide PCI-related services. We offer both Managed PCI Compliance and a Scan & Fix service. Most Level 4 merchants will be required to have quarterly audits. These audits consist of a Self Assessment Questionnaire (SAQ) and a security scan.
rackAID can help you remediate the scan results. This often requires validation of specific security issues, documentation of false positives, and correction of security issues on your server. We focus exclusively on server-level operations. Any application-level exploits will need to be resolved by you or your software vendor.
Verified Secure Site Seals
Through ControlScan, we also offer a Verified Secure service. This delivers both PCI compliance and site seals attesting to your site's security. Research has shown that the presence of these seals can increase conversion rates and buyer confidence, resulting in sales increases of 10%. If your e-commerce operations are busy during the holidays, this may be a good time to test these seals on your site.
As you can see to the left, there are two seals provided. The first seal certifies your business background, meaning that ControlScan has verified your address, business registration, domain name, and business name. If you click on it, you will get a pop-up stating that your business is a verified site.
The second seal is a "Verified Secure" seal indicating that your site is actively scanned for exploits and has been tested by ControlScan. If you click on it, you get a verified-site pop-up stating that the site does not contain any severe security issues as defined by the PCI DSS (Payment Card Industry Data Security Standard) scanning guidelines.
These seals have been shown to drive conversions, as you can see in this vendor list.
The Verified Secure Breach Protection program also provides some additional services if an actual or suspected breach occurs. The program covers expenses from breaches of data security, regardless of your PCI compliance status, as long as the business owner is not involved in the breach:
- A forensic audit when a breach is suspected
- Credit card replacement costs and related expenses (printing and shipping new cards to consumers whose cards may have been breached)
- Assessments and fines levied by card sponsors
- Physical losses, such as a stolen laptop that had cardholder data on it or pilfered receipts
You will need to review the full terms and conditions for the specifics, but think of this as an insurance policy for your site.
rackAID clients can sign up for a free PCI trial. This is a scan only. We do not provide fixes during the trial unless you convert to a paid subscription, but the trial is an excellent way to test the system and see what it provides. Through our partnership, ControlScan will help you get up and running in their system.
If you have any questions about our PCI compliance services, just open a free estimate request.