2008/11/5 Dave Brooks <span dir="ltr"><<a href="mailto:Dave@brooksnet.com">Dave@brooksnet.com</a>></span><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div><span><font face="Arial" size="2">Hello,</font></span></div>
<div><span><font face="Arial" size="2"></font></span> </div>
<div><span><font face="Arial" size="2">We have used
Interchange on our site, <a href="http://brooksnet.com" target="_blank">brooksnet.com</a>, for several years now. We're relatively
small merchants but we are now needing to determine our PCI
compliance.</font></span></div>
<div><span><font face="Arial" size="2"></font></span> </div>
<div><span><font face="Arial" size="2">I was wondering what
your payment application DSS compliance was, what we would have to do to
configure Interchange to be PCI compliant, etc.</font></span></div>
<div><span><font face="Arial" size="2"></font></span> </div>
<div><span><font face="Arial" size="2">Any advice would be
appreciated!</font></span></div></div></blockquote><div> </div><div><br>IC (as I am sure you will realise) represents a small part of your quest for compliance.<br><br>Assuming
you have IC handling the credit cards, most of your work will concern
the integrity of your server/hosting environment and the ability to
track any changes to the systems. You also need documented procedures
in place for your tech staff. <br>
<br>Out of the box, Interchange encrypts card details before storing
them, provides no means of decrypting on the server, and never stores
cards in the clear, even in debug logs. So, looking purely at
Interchange, it ticks the appropriate boxes. The only thing I would
consider changing is the storage of the orders including the cypher
block. PCI-DSS works very much along the lines of 'if you don't need
it, don't store it'.<br>
<br>First step should be to work through the self-assessment
questionnaire and highlight your gaps in compliance. If you buy in your
hosting, your provider should be compliant also. <br><br>The view in
the UK is that if you are hosting an ecom website, you need to be
level-one compliant. This is driving some providers to push people in
the direction of using payment pages instead of an integrated PSP.<br>
<br>Have fun!<br><br>Jonathan <br></div></div><br clear="all"><br>-- <br>Jonathan Clark, Managing Director<br>Setfire Media, Cartridge SAVE, Axiar Payment Solutions<br>0844 576 5515 / <a href="mailto:jonathan.clark@setfiremedia.com">jonathan.clark@setfiremedia.com</a><br>
<br>