Tell us what you have in place to keep our billing information safe.

Status
Not open for further replies.

5cardstud

ECF Guru
ECF Veteran
Verified Member
Jan 1, 2010
22,746
50,647
Wash
What happens when a merchant's account/website is hacked into? Is customers' information at risk?
I was hit a couple of months back....what a pain. My sister's card was also hit. We only had 2 merchants in common. One had their website hacked into; I wonder if this is what caused the problem for us?
This could very well be the problem if they were hacked and weren't using an encrypted CC service.
 

Quick1

Ultra Member
ECF Veteran
Feb 11, 2010
2,684
280
USA
For any merchant to accept a credit card, a merchant account is required. If you accept CCs through an online store, you are required to adhere to PCI compliance standards. If you do not meet PCI compliance, when caught, you are fined, and will have your merchant account closed by the company holding the account. Now, there are a ton of companies that resell merchant services, but at the end of the day, in the US at least, there are really only a handful of merchant processors. If you get blacklisted by them, you will have a hard time accepting CCs.
......

You can view PCI compliance standards here: Payment Card Industry Data Security Standard - Wikipedia, the free encyclopedia

Not sure if that is what you are looking for from this thread, but hope it helps.

Outstanding! This is EXACTLY what I'm looking for in this thread.
"PCI compliant". I have to go read the standard you posted. I assume this is in there but...

So there are companies that provide online merchant services. And these companies require their clients to be "PCI compliant". All of them? Do all the companies providing merchant services require all their clients to be PCI compliant? Who enforces this?

Lol, about 40 years ago my mother ran a counseling service out of the house. She got set up to accept credit cards. She went to Mastercard and Visa and signed up for a "merchant" account. She had one of those little manual machines that rolled over a card leaving the imprint on a receipt/bill with a carbon copy. Then she submitted those to the credit card processing center and they moved the money into her "merchant" account -- and charged her something like 5% to do that. The more volume you did the less the percentage.

Is it MC, Visa, (maybe even PayPal?) that require you to be PCI compliant? Or are MC, Visa and the like once removed now, and it's the company providing merchant services that is in between the credit card companies and the online store?

When you use the term "their merchant account", what is a "merchant account"? Is that something well defined or is that just something that a merchant services company defines? I take it Volusion is a popular company providing merchant services? I assume there are others. Is a "merchant account" something universal with exactly the same terms and conditions across all merchant services providers?

and thanks again for that information.
 

Quick1

Ultra Member
ECF Veteran
Feb 11, 2010
2,684
280
USA
Xanax
I agree, I highly doubt it is the vendors taking the info and trying to commit fraud themselves. I think that most of us agree it is a case of either inadequate security for credit card purchases or that the places they are using to handle credit card purchases have issues.
I sincerely appreciate the vendors that have come here and answered our questions and ponied up info as to what they do as well as given more info on how the system works.
I am REALLY SURPRISED that more vendors have NOT posted here as well as other board members. I know that this is a major concern for more people than those that have said something recently. I really thought that we would have an outpouring of vendors that would be willing to share their practices to make us feel secure in our purchases.

Give it a little time. They're supposed to be out there packing boxes and shipping my orders first. Browsing the forum second :)

I'm starting to think now that consumer education may be more effective than vendors trying to list what they use. If I know what I'm looking for then I, as a customer, can ask a vendor that I'm thinking about doing business with the right questions. "Do you use this or that, and who provides this and that for you?" type of thing. And then I can decide if they meet my criteria.

I know that I cannot be the only one that is leery of using some of the vendors here anymore. The problem is who to be leery of????? I don't have a freakin clue!!!!!

Exactly. I think if we learn, we'll have a clue, and then we can make informed decisions where we feel comfortable shopping.

I don't see any other option unless I get some reassurances here that I have not seen from any of the major vendors here on the site.

I started this thread thinking it would be just that simple. Doesn't look like it. Different merchant service providers for merchants, different billing methods, different card processors, front end/back end... There is the store website, the merchant service..

ok, ok, I'm off to read the PCI compliance standard on wiki :)
 

Quick1

Ultra Member
ECF Veteran
Feb 11, 2010
2,684
280
USA
Ok... (it was a cursory read). I have the impression that PCI compliance is defined and required by the "acquirer". Still unclear on that. They say the acquiring bank.... so I get the impression that Mastercard would be an acquirer? something like that.

So PCI compliance may be required but there appear to be different methods of being certified as being PCI compliant. Appears to be dependent on volume. Self certification by answering and submitting a questionnaire, and certification by an independent company that does PCI compliance certification. (Don't know if independent means they are contracted or part of the acquirer, or if they are independent of both the banks and the merchants.)

It sounds like a good question to ask a vendor is "are you PCI compliant?". How does a vendor answer that? Is there value, as a customer, asking if a vendor is self certified or certified by an independent company that does PCI certification? Do certification companies divulge that information? Can I go to a PCI certification company and ask "Is company X certified by you to be PCI compliant?" and maybe "When was that certification last granted?" Is there a certificate that vendors can display or give customers that can be verified?
 

oettinger

Super Member
ECF Veteran
Jun 29, 2010
651
20
Tampa, Fl.
The sad part is that what MOST consumers do not understand is that MOST of the time when credit cards get compromised, it is something on their OWN computer that causes the problem. I am sure I am in the minority here, as EVERYONE seems to think EVERYTHING is someone else's fault, but being a Fraud Investigator for a bank caused me to understand that MOST credit card breaches come from a person's OWN viruses and Trojans on their computer, OR by some big company being compromised.

I worked as a FRAUD INVESTIGATOR, my main card is NEVER used online, and WAS STILL charged $5,000 from a store in MOSCOW!! The number was stolen by a person working at a Wendy's restaurant.

I think that a consumer education class is required.

I am also sure that every person that has been defrauded will scream to the mountains that their computer is virus and malware free, but I will also guarantee that these same people use ONE virus scanner, and do not use a program that actually scans and removes malware. For example, Norton and McAfee DO NOT clean malware, and are historically rated the WORST in discovering virus threats.

HERE is some education...

Credit Card Fraud Statistics and Facts

2008 Internet Fraud, Scam and Crime Statistics

Credit Cards: Study finds 1 in 10 are victims of card fraud

The FACT is that these sites use 128bit SSL encryption. This is one of the MOST secure ways to transmit data. It is ALSO the same type used by your bank, so this seems to be safe... Hacking the site is not the problem of the site owner, as much as the hosting service, but we also know that LARGE sites like the New York Times, and ESPN.com have been hacked, so no one is immune.

The best thing to do is contact the PROFESSIONALS at the BANK, and report the incident, and let them deal with it. MY bank would receive over 100 subpoenas a month to appear in court against scammers, so they are working for you. Let the PROS do their jobs, and realize these vendors are NOT the last line of defense, nor are they typically at fault.
 

skydragon

ECF Guru
ECF Veteran
Verified Member
Oct 7, 2009
11,551
7,998
Mountain Cave
The sad part is that what MOST consumers do not understand is that MOST of the time when credit cards get compromised, it is something on their OWN computer that causes the problem. I am sure I am in the minority here, as EVERYONE seems to think EVERYTHING is someone else's fault, but being a Fraud Investigator for a bank caused me to understand that MOST credit card breaches come from a person's OWN viruses and Trojans on their computer, OR by some big company being compromised.

I worked as a FRAUD INVESTIGATOR, my main card is NEVER used online, and WAS STILL charged $5,000 from a store in MOSCOW!! The number was stolen by a person working at a Wendy's restaurant.

I think that a consumer education class is required.

I am also sure that every person that has been defrauded will scream to the mountains that their computer is virus and malware free, but I will also guarantee that these same people use ONE virus scanner, and do not use a program that actually scans and removes malware. For example, Norton and McAfee DO NOT clean malware, and are historically rated the WORST in discovering virus threats.

HERE is some education...

Credit Card Fraud Statistics and Facts

2008 Internet Fraud, Scam and Crime Statistics

Credit Cards: Study finds 1 in 10 are victims of card fraud

The FACT is that these sites use 128bit SSL encryption. This is one of the MOST secure ways to transmit data. It is ALSO the same type used by your bank, so this seems to be safe... Hacking the site is not the problem of the site owner, as much as the hosting service, but we also know that LARGE sites like the New York Times, and ESPN.com have been hacked, so no one is immune.

The best thing to do is contact the PROFESSIONALS at the BANK, and report the incident, and let them deal with it. MY bank would receive over 100 subpoenas a month to appear in court against scammers, so they are working for you. Let the PROS do their jobs, and realize these vendors are NOT the last line of defense, nor are they typically at fault.

Hi oettinger,

While I do agree we should do all we can to make our own computers safe, I can't help but wonder why you say most people won't accept that the majority of breaches are the fault of the consumer not making sure their computer is safe, and then bring up the fact that even your credit card number was stolen by a person at Wendy's. I don't see the correlation.
 

lowwkeyy

Unregistered Supplier
ECF Veteran
Jul 25, 2009
666
102
TX USA
dfwvapor.com
100% PCI compliant

The credit card companies have guidelines set up to prevent issues from happening. If you fail a scan, fines or shutdowns happen to the site.

256ssl

secured server ( private )

no online or offline storage of CC info

most up to date software

automatic security updates

custom "bee hive" scripting to send thieves down dead ends with fake data.


other fun things that I'm so not going to talk about.
 

Quick1

Ultra Member
ECF Veteran
Feb 11, 2010
2,684
280
USA
100% PCI compliant

The credit card companies have guidelines set up to prevent issues from happening. If you fail a scan, fines or shutdowns happen to the site.

256ssl
secured server ( private )
no online or offline storage of CC info
most up to date software
automatic security updates
custom "bee hive" scripting to send thieves down dead ends with fake data.
other fun things that I'm so not going to talk about.

From the wiki article I was still unclear about some points. I have the impression that "PCI compliant" is a generally accepted guideline/standard.

Who defines/defined it? I found this:
https://www.pcisecuritystandards.org/index.shtml

The wiki article says
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.

"either internally or externally". What does internally performed mean? That you send in a completed questionnaire? I found this:

"depending on the volume of card transactions". Is that defined in the PCI compliance standard, or does each bank set their own? Would our typical ECF startup supplier be under or over the volume requiring a QSA?

Is there a list of QSA assessors?
https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Is there a list of "approved" payment applications/software? They have this:
https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

What is this list of participants?
https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

Should I expect to see a merchant services company like Volusion in this list? Or is it that they are using billing software/application from a company in that list?

Bottom line, as an end consumer, how do I know if the web store/site I'm using is PCI compliant? To what level? and when and how were they assessed as being PCI compliant?
Where is the certificate?
 

BuzzKill

Unregistered Supplier
ECF Veteran
Nov 6, 2009
7,412
5,145
65
Central Coast Ca.
www.notcigs.com
We use Authorize.net and do NOT store the credit card info , I believe they have a 128 bit encryption routine ( I need to check on the actual routine )
But it is the same as my bank uses so I am pretty sure it is good !

And we are 100% PCI compliant , the last thing a vendor wants is stolen info it can kill us ! I made sure that we were totally compliant and the bank I use tested my setup to verify that it was totally secure .

We have the Authorize.net LOGO on our site that verifies our safety and security , you can click on it to check that aspect as well .
 

Jayhawks

Unregistered Supplier
ECF Veteran
Feb 8, 2009
581
0
MO/KAN USA
midwestvapor.com
Volusion SSL and cart, Authorize.net processing ... Dedicated computer that is only used to print invoices and shipping labels, and security software... It is of the highest priority that if you are checking your bank accounts, CC accounts and shopping online, you as a consumer have security on your computer.
 

oettinger

Super Member
ECF Veteran
Jun 29, 2010
651
20
Tampa, Fl.
Hi oettinger,

While I do agree we should do all we can to make our own computers safe, I can't help but wonder why you say most people won't accept that the majority of breaches are the fault of the consumer not making sure their computer is safe and then bringing up the fact even your credit card number was stolen from a person at Wendys. I don't see the correlation.

I bring up this fact, because while it is the consumers responsibility to keep their own computer safe, there is NEVER any way to fully protect ourselves from this type of breach.

I am using these examples to help people understand that there is ALWAYS a risk while using a credit card. Whether it is used at a fast food restaurant, online, or at a clothing store. There may be no wrongdoing by the merchant or by the employees of the merchant, and the data can still be compromised.

This is to say that just because a card was compromised that was used at the website of a vendor here does NOT mean that their systems are unsafe, and to propagate that type of fear in these vendors is unfair, and seems more to me like a witch hunt than a request for information. Again, the best place to find out if a breach occurred from an online vendor is to ask the bank. Once the transactions are completed, and the trail is created, it is a short trip to prosecution.

I am sure that MOST (probably all) of these sites are using secure merchant services. If they were not, the banks would not support them. Meaning that the company you are dealing with only gets an authorization number after the transaction has taken place on a secure transaction processing server. (that is owned by a bank)
 
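Two vendor posts above describe the same design: the store itself keeps no card numbers (lowwkeyy's "no online or offline storage of CC info") and only holds the processor's authorization reference once the transaction has completed on the processor's server (oettinger's description). The check a merchant or assessor would want for that design is a scan of their own exports, logs and database dumps for a full card number (PAN) that slipped into storage anyway. The script below is an added example, not code from the forum thread or from any vendor or processor named in it; the records it scans are constructed, and the card number in them is a standard test number, not a real account.

```python
"""Scan merchant-side records for stored card numbers (PANs).

Added example, not code from the forum thread or any vendor named in it.
A merchant that keeps only the processor's authorization reference plus
masked digits should never find a full PAN in its own data; this scanner
flags any Luhn-valid 13-19 digit run so a leak can be detected and cleaned.
"""
import re

# Candidate card-number runs: 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-like strings found in text (digits only)."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records: list) -> dict:
    """Map record id -> list of (field, pan) for every record that contains a PAN."""
    findings = {}
    for rec in records:
        for field, value in rec.items():
            for pan in find_pans(str(value)):
                findings.setdefault(rec["id"], []).append((field, pan))
    return findings


# Constructed sample export (hypothetical field names).  The first record follows the
# safe pattern: processor reference plus last four digits only.  The second has a full
# PAN typed into a free-text note, which is exactly what the scan should catch.
SAMPLE_RECORDS = [
    {"id": "order-1001", "auth_ref": "AUTH-7F3K2Q", "card_last4": "1111",
     "note": "ship to PO box"},
    {"id": "order-1002", "auth_ref": "AUTH-9B1X0Z", "card_last4": "1111",
     "note": "customer phoned in card 4111 1111 1111 1111 exp 12/30"},
]

if __name__ == "__main__":
    for rec_id, items in scan_records(SAMPLE_RECORDS).items():
        for field, pan in items:
            # Report a masked form; never echo the full number into another log.
            print(f"{rec_id}: possible PAN in field '{field}': {pan[:6]}******{pan[-4:]}")
```

The Luhn check is what keeps the scan useful on real data: phone numbers, tracking numbers and timestamps produce plenty of long digit runs, but almost none of them pass the checksum, so the findings list stays short enough to act on.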

skydragon

ECF Guru
ECF Veteran
Verified Member
Oct 7, 2009
11,551
7,998
Mountain Cave
I bring up this fact, because while it is the consumers responsibility to keep their own computer safe, there is NEVER any way to fully protect ourselves from this type of breach.

I am using these examples to help people understand that there is ALWAYS a risk while using a credit card. Whether it is used at a fast food restaurant, online, or at a clothing store. There may be no wrongdoing by the merchant or by the employees of the merchant, and the data can still be compromised.

This is to say that just because a card was compromised that was used at the website of a vendor here does NOT mean that their systems are unsafe, and to propagate that type of fear in these vendors is unfair, and seems more to me like a witch hunt than a request for information. Again, the best place to find out if a breach occurred from an online vendor is to ask the bank. Once the transactions are completed, and the trail is created, it is a short trip to prosecution.

I am sure that MOST (probably all) of these sites are using secure merchant services. If they were not, the banks would not support them. Meaning that the company you are dealing with only gets an authorization number after the transaction has taken place on a secure transaction processing server. (that is owned by a bank)

Hi oettinger,

Okay, thank you for clarifying.

I would like to say I don't think anyone is on any kind of witch hunt here. That would be plain stupid. Why would we want to see any of our favorite vendors as thieves?

I do have a hard time believing that so many members have had problems around the same time and it being the security on their end.

I don't think a vendor is deliberately stealing anyone's information but I do think there is some kind of breach through one or more vendors.

Oh, as far as your question about being PCI compliant. Yes, a company can just fill out a questionnaire and mail it back telling the processing company that they meet the criteria. Of course there are ramifications if caught lying but it is a little late at that point.
 

mauisun

Unregistered Supplier
ECF Veteran
So how can I tell if a particular site I am considering is using a secure merchant service?


look for the ssl certificate, then click on it, it takes you to the ssl company along with all of their certs.
Me personally? I have been in internet security for a living for 25 years now. mauisuncomputersystems.com
mauisun.org is my main site, we have been there for 16 years.
my admin sections are secure locked. feel free to try them, if you don't have my stuff it will tell you no access.
Look, I understand everyone wants to be secured. We don't use a shared certificate; we paid whole hog for the real deal. We also work with our host to make sure all points of our site are hacker secured. I have been with lunarpages for 15 years and personally know the owner. We are lock down secured.
if you are more comfortable with paypal, we can do that on the side. you want to send cash or check? we are good there too.
Best we can do for you all. Even our processor is offsite, so when you move on to them you are on their own secure server; feel free to check them out, securepay.com. One of the best in the industry.
ok, we chimed in. as you were :)
David and Pam
 

vaporgalinfla

Supplier Associate
ECF Veteran
May 7, 2010
5,918
914
Florida
look for the ssl certificate, then click on it, it takes you to the ssl company along with all of their certs.
Me personally? I have been in internet security for a living for 25 years now. mauisuncomputersystems.com
mauisun.org is my main site, we have been there for 16 years.
my admin sections are secure locked. feel free to try them, if you don't have my stuff it will tell you no access.
Look, I understand everyone wants to be secured. We don't use a shared certificate; we paid whole hog for the real deal. We also work with our host to make sure all points of our site are hacker secured. I have been with lunarpages for 15 years and personally know the owner. We are lock down secured.
if you are more comfortable with paypal, we can do that on the side. you want to send cash or check? we are good there too.
Best we can do for you all. Even our processor is offsite, so when you move on to them you are on their own secure server; feel free to check them out, securepay.com. One of the best in the industry.
ok, we chimed in. as you were :)
David and Pam

David and Pam

Thanks for responding! What is a shared certificate?
 

iamjn

Unregistered Supplier
ECF Veteran
May 1, 2010
161
0
West Michigan
The use of SSL certs does not indicate secured merchant services. SSL is used to encrypt information between a server and a client for a given purpose. You can look at the certificate (easiest way is to click on the padlock icon in your browser) to ensure that the site using the certificate is the same as the site that was issued the certificate (although your browser should show an error if this is not the case; it will by default). Now obviously you want your communication secured if you are passing any confidential information (CCs, passwords, private info, etc). However, someone can easily bring up a shady site and use SSL to encrypt communications. I'm afraid there is no magic there, as anyone with a site and a dedicated IP address can buy an SSL.

It sounds like a few people in the thread are looking for the silver bullet that they can use to make 100% sure that a site they are dealing with is safe. There are a lot of aspects to Internet security, way more than can be covered in this thread; in fact, there are IT career certifications in it (CISSP for one). As I stated in an earlier response, the best advice is to use reputable companies, and trust your instincts. If a site looks shady, get away. If there isn't SSL encryption, get away. If 1/2 the words are misspelled, things don't look professional, the prices seem too good to be true, and you just don't have a good feeling about using that company, get away.

This conversation could easily delve into many aspects of online security, and common advice stands here too: don't share your passwords, don't use the same password on multiple sites, protect your information, etc, etc, etc. One other thing you might consider is checking with your bank or CC company. Many of them offer 1 time use card numbers for online purchases. I wish more banks still offered this the way they did several years ago, but there are still quite a few who do.
 
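iamjn's post above gives the one certificate check a customer can actually make: the name on the certificate must be the site you are visiting. It also answers vaporgalinfla's question about a "shared certificate" in practice: a shared certificate on shared hosting is issued to the hosting provider's own domain, so it cannot vouch for a store on a different domain, and a name check exposes that. The script below is an added example, not code from the forum thread or from any vendor or host named in it. It implements name matching the way browsers do (exact DNS name, or a single wildcard in the left-most label only) over the certificate layout Python's `ssl` module returns from `getpeercert()`; the two certificates it checks are constructed, and `fetch_cert` is the only part that touches the network.

```python
"""Check whether a TLS certificate was issued to the site you are visiting.

Added example, not code from the forum thread or from any vendor named in it.
Certificate dictionaries use the layout of ssl.SSLSocket.getpeercert(); the
sample ones below are constructed (hypothetical domains).
"""
import socket
import ssl
import time


def _dns_names(cert: dict) -> list:
    """DNS names the certificate is valid for: subjectAltName, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact labels, or '*' covering exactly one left-most label."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        # a wildcard needs at least two fixed labels after it and must match one real label
        return len(pat) >= 3 and host[0] != "" and pat[1:] == host[1:]
    return pat == host


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by one of the certificate's DNS names."""
    return any(_label_matches(name, hostname) for name in _dns_names(cert))


def cert_expired(cert: dict, now: float = None) -> bool:
    """True if the certificate's notAfter (getpeercert text form) is already past."""
    now = time.time() if now is None else now
    return now > ssl.cert_time_to_seconds(cert["notAfter"])


def assess(cert: dict, hostname: str) -> list:
    """Return the problems found; an empty list means the cert vouches for this host."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate names {_dns_names(cert)} do not cover {hostname}")
    if cert_expired(cert):
        problems.append("certificate has expired")
    return problems


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Fetch a live certificate.  create_default_context() already verifies the chain
    and hostname; assess() on the result just makes the same check visible."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificates.  The first was issued to the store itself; the second is
# the hosting provider's shared wildcard certificate, which covers customer sites
# only under the provider's own domain.
STORE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
    "notAfter": "Dec 31 23:59:59 2035 GMT",
}
SHARED_HOST_CERT = {
    "subject": ((("commonName", "*.hosting-provider.example"),),),
    "subjectAltName": (("DNS", "*.hosting-provider.example"),),
    "notAfter": "Dec 31 23:59:59 2035 GMT",
}

if __name__ == "__main__":
    for cert, host in [(STORE_CERT, "www.shop.example"),
                       (SHARED_HOST_CERT, "shop.example"),
                       (SHARED_HOST_CERT, "shop.hosting-provider.example")]:
        print(host, "->", assess(cert, host) or "OK")
```

The shared certificate is not wrong in itself: it is valid for `shop.hosting-provider.example`, and a store reached under that name passes. It fails only when the store is reached under its own domain, which is exactly the mismatch the browser padlock warning is there to show; a certificate issued to the store's domain is what makes the check pass.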