
Thread: Do I need PCI compliancy if I am not taking anyone's card details?

  1. #1 (Join Date: Oct 2008, Posts: 618)

    Do I need PCI compliancy if I am not taking anyone's card details?

    Last year they told me I did as I was going direct through Sagepay, now I have changed and am going via the Sagepay server.

    Can they make me pay for the compliancy? Is there any need for me to have it as I do not hold card data details?

    The emails have started (2 or 3 a day) so I want to be sure I tell them the right thing. Or should I just ignore them?

  2. #2 (Join Date: Jan 2008, Posts: 339)

    If you take telephone orders and then input them via the Sagepay Virtual Terminal, then you will. You would need your broadband static IP address scanned to test for vulnerabilities to your internal network via your router; this should be done quarterly.

  3. #3 (Join Date: Sep 2011, Posts: 1,978)

    I do my PCI compliance every year. As an online site taking card payments you have to explain who takes the card details, if nothing else. So as far as I understand it, even though you don't see the card details (assuming, as mentioned above, that you also don't take phone orders), you have to state that you don't see the card details ever. But I do not pay anyone to do my PCI compliance for me. I download the forms and fill them in myself for free. It is mostly n/a. Each time I do, I get threatened with a bill and a big argument always happens, but I say I filled in the forms myself, so don't you dare charge me.

  4. #4 (Join Date: Jul 2010, Posts: 720)

    Quote Originally Posted by Deefer:
        I do my PCI compliance every year. As an online site taking card payments you have to explain who takes the card details, if nothing else. So as far as I understand it, even though you don't see the card details (assuming, as mentioned above, that you also don't take phone orders), you have to state that you don't see the card details ever. But I do not pay anyone to do my PCI compliance for me. I download the forms and fill them in myself for free. It is mostly n/a. Each time I do, I get threatened with a bill and a big argument always happens, but I say I filled in the forms myself, so don't you dare charge me.

    Hi Deefer, I would really appreciate it if you could tell me precisely which forms you fill out, perhaps with a link to them, assuming I never see the card details.

  5. #5 (Join Date: Oct 2008, Posts: 618)

    Thanks, Deefer. Can you show me where I download the forms please, and who tells you that you have to pay? Security Metrics have always made me do something online and I have to pay them, so I did not know there was another option. I just do not want to pay them anymore if I do not have to. Doing the forms myself sounds the best way.

    I do not take card details and put them onto the Sagepay Virtual Terminal; I thought that was an extra service, so everything goes third party.

    What irritates me more is that I see no card details and they want over 100, while my friend takes card details in person and over the phone and only pays 30 a year. There is more chance of one of her employees getting the card details and using them than me, as I never see anything, and she is apparently less of a liability than me.

    I read up and there is no 'law'; it is just something the card companies would 'prefer' you did. If the card details were scammed then you 'may' get fined. It's always 'may' or 'possibly'. I think it is a load of tosh myself and a way for them to get more money out of us. I know so many people whose cards have been done, but they end up being by someone completely unheard of and usually overseas, and nothing ever happens to them. It's another way of trying to screw money out of us, I think.

  6. #6 (Join Date: Sep 2011, Posts: 1,978)

    Yeah, to cut a long story short, Security Metrics had me scanning my PC and all sorts and charged me loads for scans and stuff. It was a complete scam. I did not need to do scans as I do not process or take anyone's card details ever. I was really cross with them. So after all that I cancelled my service with them and did it myself.

    So simply do this. Get the forms directly from the PCI website and download the form you need... there are a few to choose from, but it is pretty clear: https://www.pcisecuritystandards.org/

    Fill it out and, unfortunately, you do have to then email your form to Security Metrics, so those muppets still have to be involved. I put a read receipt on the email so I could see that it had been read, and a while later, after some chasing up, you get an email saying you have passed. To email the forms, this is the address I used last year, but you might want to check if it is current: saq@securitymetrics.com

    Anyway, after being told I am compliant by email, they then call me saying "you better re-instate your account with us then, if you want us to do your PCI compliance", and a big row always ensues cos they do this to me every year... I say I don't want an account with you, I do the form myself, so why should I pay you a penny. Just stick to your guns.

    If you are like me and use a PCI DSS compliant payment gateway and do not take orders/card details any other way, then you can keep saying on the form that you don't take/hold card details and put n/a against stuff. It doesn't take long.

    I hope that helps.

  7. #7 (Join Date: Oct 2008, Posts: 618)

    It does, a lot. I was just going to ignore the emails, LOL. I am just going to tell them I have no money - or is that wise?

    Thanks for your help; something else to get on with tonight then. I do not think I should be paying them if I do not see any card details. It is a scam IMO, yes.

  8. #8 (Join Date: Sep 2011, Posts: 1,978)

    Just tell them you are going to do it yourself. The forms are quite straightforward and won't take a mo. Then email them off and hey presto... done. Up to you if you want to ignore it, but I prefer to be PCI compliant just in case. It is not about whether or not you see card details really... the fee they will try to charge you is for the work they do, so if you fill in the form yourself and submit it, then my argument to them is why do I owe them anything? Usually once I say that, it is the end of the issue; I am PCI compliant again for another year and it has cost me nothing.

    What you need to remember is the compliance is there for you to show that, if you see card details, you are being responsible with them, or to say "look, I don't actually ever see any card details". If you don't fill out the forms then they won't know what you are doing/seeing with regard to taking card details. You need to tell them you don't see the info. So even though you simply fill in the form and say you don't see any card details, you still need to fill in the form each year and tell them that. Make sense?

  9. #9 (Join Date: Mar 2011, Posts: 253)

    Hi guys, I've just been sent a whitepaper on PCI compliancy and have included the table (sorry it's an image, and also not sure why it shows so small either) on how to identify yourselves; hopefully it might help some fellow Blueparkers. We are A, and I would think most Blueparkers would be too, unless you also do face-to-face transactions. You still have to fill in the stupid online questionnaire even if you are A; just answer outsourced or N/A for most of the questions. It takes a couple of minutes.

    [Attached image: Untitled-1.jpg]
    Regards,

    Adrian
