Payment Card Industry (PCI) Data Security Standard - Responsibility?


Hi All:

I just got an email from a security company.  Is this something we need to
be concerned with if we set up a client with PayPal?  Does it only apply to
those who take credit card info?  I have clients that give me their credit
card info so that I can purchase their domain names and server hosting, but
that is done verbally.  Anyway, here is what it said:


This email follows a previous email sent to you on August 17, 2005 regarding
the Payment Card Industry (PCI) Data Security Standard established by
Visa(R), MasterCard(R), American Express(R) and Discover Card(R).

If you are storing, processing, or transmitting cardholder data, Visa(R) and
MasterCard(R) have implemented a mandatory Payment Card Industry (PCI) Data
Security Standard impacting all merchant card transactions, requiring your
business compliance. You are required to identify your compliance
requirements and become compliant by September 16, 2005. For some merchants,
this means enrolling in a security-testing program for Annual or Quarterly
Scheduled Security Testing of your Internet connections and the completion
of a Self-Assessment Questionnaire, with a certified security vendor.

Failure to act NOW could result in serious fines being levied by the
Associations for non-compliance to these standards. All merchants, including
those who qualify as smaller merchants, are expected to meet the
requirements of protecting cardholder data. This includes any agents
utilized by your business who engage in, or propose to engage in, the
processing, transmitting, or storing of cardholder data on your behalf.
Under no circumstances should you or your agent store track data. Any
violation or compromise by you or your agent may result in fines, financial
exposure, and inconvenience to your business.

If you are only using a stand-alone terminal that is not connected to
software or the Internet, no scanning or advanced analysis is required. To
date, Visa and MasterCard have imposed fines of more than $500,000 per event
for non-compliance and data compromises. If your business data is
compromised, any fees or fines charged by Visa or MasterCard will be
directed to your merchant services account. These fees and fines could total
more than $1 million.

We are here to help. We have negotiated a preferred pricing reduction of
over 50% with a certified vendor, SecurityMetrics. Enroll with
SecurityMetrics online at: or call (800) 557-4797. To receive
the preferred pricing please request the scan package that is specific to
your level and select the code "A1231" that represents your acquiring bank.

If you select a vendor other than SecurityMetrics, please contact us at, to inform us of the vendor you have chosen
and your enrollment date. It is imperative that we are able to report to the
Associations the status of your compliance efforts to help you avoid
potential fees and fines, with the exceptions of any registration costs.

yada, yada"

Re: Payment Card Industry (PCI) Data Security Standard - Responsibility?

BG wrote:

This sounds like spam to me. Is it from any company you've actually
done business with before? If not, ignore it. The standards apply to
vendors who accept cards. So for instance, if you process your own
credit cards (the card numbers are entered on your server), you may
need to be concerned w/ the new standards. If you're using PayPal,
PayPal will be taking care of this. The same with any intermediate

Arccos - Land of Lyrics

Re: Payment Card Industry (PCI) Data Security Standard - Responsibility?

Quoth BG in alt.www.webmaster



This is geared more to the payment gateway or processing agency (,
PayPal, your bank, etc).  If you DO store personal credit information,
say in a shopping cart database or something, it is your responsibility
- or your hosting provider's.  If you just pass the information on to
someone else who stores it (your merchant provider) it is not your worry.

# remove _your_clothes_ to email me
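The two replies above turn on one question: does anything under your control actually hold cardholder data (a PAN in a shopping-cart table, a swipe in a log)? The script below is an added example, not code from the thread or from any of the vendors named in it, showing one way to check a database dump or log export for that. It flags 13-19 digit runs that pass the Luhn check (the card-number checksum) and, separately, strings in magnetic-stripe Track 1/Track 2 layout, which the quoted email says must never be stored. The sample input is constructed for the example and uses published test card numbers, not real accounts; the regexes and output format are my own choices.

```python
import re

# Constructed sample: lines as they might appear in a shopping-cart DB dump
# or web-server log. 4111111111111111 and 5500000000000004 are well-known
# test numbers; 1234567890123456 is 16 digits but fails the Luhn check.
SAMPLE = """\
order_id=1001 customer=alice pan=4111111111111111 exp=0929
order_id=1002 customer=bob token=tok_9f8e7d6c5b4a
order_id=1003 customer=carol card=5500000000000004
swipe=%B4111111111111111^DOE/JOHN^29091011000000000000?
swipe=;4111111111111111=29091011000000000000?
invoice=1234567890123456 (not a card: fails Luhn)
"""

# A run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1: %B<PAN>^<name>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual masked display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str):
    """Return (line_no, kind, masked_pan) for each finding.

    kind is "track" for full magnetic-stripe data and "pan" for a bare
    Luhn-valid card number. A PAN that is part of a track string is
    reported once, as "track".
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        track_pans = set()
        for rx in (TRACK1_RE, TRACK2_RE):
            for m in rx.finditer(line):
                track_pans.add(m.group(1))
                findings.append((lineno, "track", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            if pan in track_pans or not luhn_ok(pan):
                continue
            findings.append((lineno, "pan", mask(pan)))
    return findings


def stores_cardholder_data(text: str) -> bool:
    """Convenience wrapper: does this export contain any PAN or track data?"""
    return bool(find_cardholder_data(text))


if __name__ == "__main__":
    for lineno, kind, masked in find_cardholder_data(SAMPLE):
        print(f"line {lineno}: {kind:5} {masked}")
```

Run it against a real dump and a single "track" hit is the finding that matters most: it means stripe data was written to disk at all. A Luhn-valid 13-19 digit run can be a coincidence (invoice or order numbers occasionally pass), so treat "pan" hits as leads to confirm, not proof.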
