
Thread: Can you recommend a decent ASP shopping cart to tailor

  1. #11 (joined Apr 2005; Haslemere, Surrey, UK; 340 posts)

    Quoting petemasson:
    > Protx (VPS Direct)
    With Protx Direct what was the PCI assessment like? Do you self assess or get a 3rd party in?
    Alastair - WOWD



  2. #12 (joined Jan 2006; 419 posts)

    Integration with Protx is very simple, not as simple as World Pay, but that is to be expected as an invisible payment method will never be as easy as a visible payment method.

    PCI auditing of your site only needs to be done when you are pushing a huge number of transactions through your site per year, a figure I have never reached.

    Although in theory you should comply with the PCI standard, please follow the link to what you must do to achieve this.

    https://www.pcisecuritystandards.org...he_pci_dss.htm

    To comply with PCI is very costly and time consuming and therefore you are unlikely to really be able to stand up and state "my site fully complies with the PCI standard" unless you only have 1 customer and you work for them full time.

    I am not trying to say which method is better but provide the facts so that you can make up your mind on this matter.

    I have built sites for customers who are pushing in excess of £600k a month through World Pay and have had less than max 1 day down time over the past 3 years. When this happened we simply reverted to offline credit card processing. World Pay (owned by RBS) have a serious infrastructure and are very reliable.

    I had to communicate with Protx today and instead of hassling them via phone, like I had to last week when I could not enter the IP address from where transactions originated using their admin panel because it contained a defect, which they rectified there and then, I thought I would test their email response. I still have no resolution to the problem I raised at 09:30 this morning, which, if my site was live and not taking payments, I would not be happy about.

    The previous poster mentioned he would trust an invisible payment solution more than a visible payment solution. The problem with this statement is this person knows what a payment solution is. Your customers know nothing about payment solutions and therefore you need to think about what they will think about your website and how they complete a purchase whether you use a visible or invisible payment solution. One other serious benefit of World Pay is that once a customer has shopped with a site using World Pay they will automatically gain trust with other sites that use World Pay, which is a large number of sites.

  3. #13 (joined Apr 2005; Haslemere, Surrey, UK; 340 posts)

    I think Protx Direct is the best solution for me right now as I want a true invisible solution.

    The only reservation is the mention of PCI assessment that I read on the Protx website (http://www.protx.com/products/vsp_direct.asp)

    Does anyone have any advice on PCI and Protx? Should I be concerned? Do I really need it?

    Alastair - WOWD



  4. #14 (joined Jun 2005; Basingstoke, Hampshire; 127 posts)

    When I signed up for Protx Direct, they didn't have the PCI policies in place. However, the link you quote says about the Direct method:

    "The best way to become compliant quickly and easily is to ensure that you submit the card details directly to Protx and make sure that you do not store any card details yourself."

    Pete

  5. #15 (joined Apr 2005; Haslemere, Surrey, UK; 340 posts)

    Quoting petemasson:
    > When I signed up for Protx Direct, they didn't have the PCI policies in place. However, the link you quote says about the Direct method:
    >
    > "The best way to become compliant quickly and easily is to ensure that you submit the card details directly to Protx and make sure that you do not store any card details yourself."
    >
    > Pete

    Yes, but it also goes on to say "If you plan to use VSP Direct but you do not wish to undergo the PCI audit, then you should use VSP Server instead."

    VSP Server is not an option for me, only Form and Direct... and I really want Direct, but the PCI thingy worries me.

    Alastair - WOWD



  6. #16 (joined Jun 2005; Basingstoke, Hampshire; 127 posts)

    I'd just contact them (they've always been helpful when I've contacted them), tell them what you propose to do and find out how many hoops they expect you to jump through for it. If it's too onerous, which I'm guessing it won't be if you aren't storing card details, then you can make an informed decision!

  7. #17 (joined Apr 2005; Haslemere, Surrey, UK; 340 posts)

    Well they were prompt...

    I asked "I only need PCI auditing if I store the card details? I assume that if I pass them directly to you and reference the transaction codes then I do not need auditing?"

    And they replied "This is correct, unless you are processing a very high volume of transactions and are of category 3 or higher as illustrated on the url previously sent." http://www.protx.com/aboutus/accred_pci_does.asp

    So, the upshot is that I don't need PCI auditing for Protx Direct.

    But then I got this follow up email from Protx "One further point with reference to the PCI audit:

    It would be up to the acquiring bank of your client to decide whether they should be conforming to the PCI DSS, so I recommend that you advise your client to speak to the acquiring bank (who issued the merchant number)."


    ...
    Alastair - WOWD



  8. #18 (joined Jan 2006; 419 posts)

    If you transmit credit / debit card details to Protx then you need to adhere to the PCI DSS requirements. Using Protx Direct therefore means you have to adhere to the PCI DSS requirements.

    Regarding PCI auditing, if you process more than 6 million transactions then you have no choice but to pay a company to perform an audit, and if this was the case you would not mind as you would be raking it in and it would help you sleep at night. I have a customer who roughly does one order a minute and is miles away from ever reaching the 6 million transactions limit before requiring a company to perform an audit. I guess companies like Play, Amazon etc. exceed the 6 million transactions limit.

    If you process less than 6 million transactions then you can perform the audit yourself.

    As mentioned before, adhering to PCI DSS is very costly and time consuming.

    My opinion of Protx today went down big style. The email I sent them yesterday about a problem I was having they closed for me without contacting me or resolving the problem. Thanks Protx. They then looked into the problem that I was having, which was transactions were not showing on my account, a bit of a problem. The guy at Protx mentioned I must be dreaming that my transactions are succeeding. I gave him the transaction references received back from Protx and he explained I must be making them up, yeah, like I would waste my time thinking up random 16 character codes for fun and imagining the message that I receive from Protx which states transaction succeeded. I must have been dreaming when it said succeeded; what it really meant was computer says no.

  9. #19 (joined Apr 2005; Haslemere, Surrey, UK; 340 posts)

    Quoting jimlewis:
    > If you transmit credit / debit card details to Protx then you need to adhere to the PCI DSS requirements.

    Not according to the email I received from Protx. According to them I only need a PCI audit if I store the card details.

    ... OK, are there any other alternative invisible gateways I can use that don't require the PCI?
    Alastair - WOWD



  10. #20 (joined Jan 2006; 419 posts)

    Hi Alastair,

    The email from Protx is trying to sell you a service; all the salesmen I know in the world will tell you what you want to hear and promise that everything is possible within reason.

    The PCI DSS documentation is found here

    https://www.pcisecuritystandards.org...i_dss_v1-1.pdf

    and describes the following at the top of page 2:

    PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

    From the above snippet from the PCI DSS documentation I would conclude that if a page on your site receives credit card details from the customer (client to server) and then passes them to Protx (server to server) then you will be effectively transmitting credit card details, and thus PCI DSS requirements apply and it would therefore be necessary to self audit at least.

    I therefore do not think you are going to find an invisible payment method that does not require you to follow PCI DSS. The only way I think it can possibly be achieved without requiring you to follow PCI DSS is if the integration occurred within an iframe contained on your site, but this is very borderline.

    After detailing what I know about PCI DSS I do not understand why anyone uses an invisible payment process, because the amount of compliance is costly and timely and could be considered as not easily achievable, but these persons probably have never heard of PCI DSS.

    I actually think now that any site I use in the future that uses a visible payment process I will think thank god my card details are not going near that site and should be quite safe.

    We recently had a case at work where a customer had been hacked and had all their credit card details stolen because they used an asp script which did not encrypt the credit card details and they had to admit this to visa and then were audited by one sec who imaged their server for analysis to see what evidence may have been left behind.

    What would be interesting is to see what Protx reply is if you asked them to check whether you needed to perform a self audit as part of PCI DSS if you did less than 6 million transactions and used protx direct on your site to transmit the credit card details to protx servers. Depending on their response you could quote the snippet from the PCI DSS documentation and then see what their response is.

    James
