
Payment Card Industry Data Security Standards Compliance

Started by Ridgeback, October 05, 2005, 03:55:25 AM


Ridgeback

I'm back at work on some new e-commerce sites and am excited about the upcoming release of Virtue Mart!

Has any work been done to make sure that the payment modules for VirtueMart comply with the new PCI Data Security Standards?  This is a critical issue, as in the US, failure to comply can result in significant legal liability if the site is hacked.  All sites in the US that accept Mastercard, Visa, Discover or American Express are required to be in compliance as of June 1, 2005. 

I would guess that since mambo-phpShop stores the card number, cardholder name and card expiration date in full in the database that it would not be considered to meet the requirements of the standard. 

For more information, see http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

Thanks,
Ridge

Daniel Wagner

Ridge,

Have you followed up on this at all? Looks pretty important that Soeren & the VirtueMart team address this!

One of my clients received the following email recently:

Quote:

As a valued customer, your transaction security is important to us. Visa and MasterCard have implemented a mandatory Payment Card Industry (PCI) Data Security Standard impacting all merchant card transactions.  You may visit each Association's website for information related to these programs:  Visa's Cardholder Information Security Program (CISP) at www.Visa.com/cisp and MasterCard's Site Data Protection (SDP) Program at http://www.mastercard.com/sdp.

If you qualify as a level 1, 2 or 3 merchant, failure to act by January 7, 2006 could result in serious fines being levied by the Associations for non-compliance to these standards.  All merchants, including those who qualify as level 4 merchants, are expected to meet the requirements of protecting cardholder data.  This includes any agents utilized by your business who engage in, or propose to engage in, the processing or storing of cardholder data on your behalf.  Under no circumstances should you or your agent store any contents of any track from the magnetic stripe on the back of the card.  Any violation or compromise by you or your agent may result in fines, financial exposure and inconvenience to your business.

To date, Visa and MasterCard have imposed fines of more than $500,000 per event for non-compliance and data compromises.  If your business data is compromised, any fees or fines charged by Visa or MasterCard will be passed onto you.  These fees and fines could total more than $1 million.  The Visa and MasterCard websites above contain complete lists of certified vendors to assist you in fulfilling the program requirements.

BA Merchant Services has negotiated a preferred pricing reduction of over 50% with a certified vendor, SecurityMetrics.  You may choose to enroll with SecurityMetrics online at http://www.securitymetrics.com/info.adp or call (801) 705-5665.  When enrolling please select the scan package that is specific to your level and select Bank of America Merchant Services as your acquiring bank to ensure you receive your preferred pricing discount of over 50%.

If you select a vendor other than SecurityMetrics, please contact us at merchantservicessecurity@bankofamerica.com to inform us of the vendor you have chosen and your enrollment date.  It is imperative that we are able to report to Visa and MasterCard the status of your compliance efforts to help you avoid potential fees and fines, with the exception of any registration costs.

I have yet to look into this further, but will follow up on the forum when I do so.

Thanks,

Dan
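The two posts above make the same point from different sides: Ridge notes that mambo-phpShop keeps the full card number, cardholder name and expiry in the database, and the acquirer's email adds that no magnetic-stripe track contents may ever be stored. The following is an added illustration of those storage rules, written for this thread; it is not VirtueMart or mambo-phpShop code. It contrasts the clear-text record the thread describes with a minimised record that keeps only a masked PAN, the brand and a processor token (the token and the sample card data are constructed, and the assumption that the gateway returns such a token is the example's own), and it includes an audit function that flags a stored full PAN, CVV/CVC fields, and Track 1/Track 2 data so an operator can check what a store has actually persisted.

```python
import re

# Constructed sample data for this example (4111... is a well-known Visa test number).
SAMPLE_CARD = {
    "card_number": "4111 1111 1111 1111",
    "cardholder_name": "J. Doe",
    "expiry": "12/25",
    "cvv": "123",
}

# Field names that hold "sensitive authentication data", which a merchant may
# not store after authorisation (CVV/CVC, magnetic-stripe tracks, PIN data).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Magnetic-stripe track layouts: Track 1 starts "%B<PAN>^", Track 2 starts ";<PAN>=".
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; tells a card number from any other long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from the leading digits (covers the four schemes named in the thread)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if pan.startswith("6011"):
        return "Discover"
    return "unknown"


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else is replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def minimise_record(card: dict, gateway_token: str) -> dict:
    """Build the record that is safe to persist: masked PAN, brand and the
    processor's token (assumed to come back from the gateway). No expiry,
    no cardholder name, and the CVV is dropped on the floor."""
    pan = re.sub(r"[ -]", "", card["card_number"])
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "card_brand": card_brand(pan),
        "gateway_token": gateway_token,
    }


def audit_record(record: dict) -> list:
    """Report every field that would keep the store out of compliance on the
    points raised in the thread: a full PAN, a CVV, or magnetic-stripe data."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"{key}: sensitive authentication data must never be stored")
        if not isinstance(value, str):
            continue
        if TRACK_RE.search(value):
            findings.append(f"{key}: contains magnetic-stripe track data")
        compact = re.sub(r"[ -]", "", value)   # tolerate "4111 1111 ..." spacing
        for m in PAN_RE.finditer(compact):
            if luhn_ok(m.group()):
                findings.append(f"{key}: contains a full card number ending {m.group()[-4:]}")
    return findings


if __name__ == "__main__":
    print("clear-text record:", audit_record(SAMPLE_CARD))
    safe = minimise_record(SAMPLE_CARD, gateway_token="tok_example_0001")  # constructed token
    print("minimised record:", safe, audit_record(safe))
```

Run against a dump of an existing orders table (one dict per row), `audit_record` gives a quick first answer to Matthew's question below for a particular installation: if any row produces a finding, the store is holding data the standard says it must not.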

deneb

Scare tactics by the CC giants to avoid fraudulent charges on an already corrupt system.

php_programmer

Any updates on this?  Is Virtuemart PCI compliant now, or not?

Matthew