
Re: [LUG] Linux Security Mentoring


On Tue, 29 Nov 2011, tom wrote:

On 29/11/11 13:23, Philip Radford wrote:
Hi Gordon.

Thanks for your quick reply. Your comments are exactly the areas we need
advice on. I realised I should have been more descriptive but was racking my
brain as to the best places to seek advice.

It would be the following issues. Some of which you have already mentioned.

1. Pass PCI Compliance for potentially capturing credit-card data (for use
with Payment Gateways - such as SagePay Direct)

My advice on this one is to use payment services but never ever keep (or even touch) any credit-card data yourself. There's no need and it's just not worth it. And check out your bank - you may find you have a merchant account that's already available for online CC payments and normally only sets you back £20 pm and normal CC payment charges - last time I looked Sage was a bit more greedy. And you may be paying for it already!

Banks are getting more and more funny in their view of these things. Some are even insisting on it when, like the scenarios above, you never see the CC details. However there are situations when you might want to keep the CC details for deferred payments - e.g. out-of-stock items where you don't want to charge the punter until they're in stock and shipped.

The whole thing is a bit of a headache. A client is using Security Metrics (because they seem to have nobbled the bank to insist that they're "the one" to use), and they failed a site claiming it was running a vulnerable web server that only runs under Windows when it was Apache under Linux. It failed on a few dozen other issues that it had previously passed on - all false positives claiming it was running various applications which it patently wasn't. Security Metrics just didn't seem to care.

Gordon
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq