PCI-DSS?

FuzionMonkey Member
in Help edited January 2009
For offline processing you need PCI-DSS certification.

Does using foxycart count as using a payment system or point of sale connected to the internet?

Because we use a standalone terminal, but whether or not the payment system is connected to the internet changes the certification from 3 to 4.

Also: what would we give you to show proof?
Comments
  • brett FoxyCart Team
    We're always hesitant to provide any recommendations about what level of PCI compliance a company should do, since there is very little agreement even among "experts". We recommend something like ControlScan if you have questions, though that's not a free option. (We're just wary to provide advice that might be wrong.)

    As far as what proof we require: At present, we only ask that you provide written confirmation that you are PCI compliant. We may require proof from a 3rd party at some point in the future.

    PCI is fun, huh? Fun like a root canal ;)
  • FuzionMonkey Member
    edited January 2009
    Okay, that's probably a smart policy :)

    For anybody wondering, there's a good informational thing here:

    https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf

    According to that:

    SAQ Validation Type 3 / SAQ B: Standalone, Dial-out Terminal Merchant, no Electronic Cardholder Data Storage

    SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals.

    Merchants in Validation Type 3 process cardholder data via stand-alone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. Merchants in Validation Type 3 must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
    - Your company uses only standalone, dial-out terminals (connected via a phone line to your processor);
    - The standalone, dial-out terminals are not connected to any other systems within your environment;
    - The standalone, dial-out terminals are not connected to the Internet;
    - Your company retains only paper reports or paper copies of receipts; and
    - Your company does not store cardholder data in electronic format.

    This one includes e-commerce, so I think it must be validation type 3 in this case.