Here is how one my fried solve it exactly with security metrics.

1) get out from your webserver heet head string that said which php version you run. And right after security metrics (and anyone others) stop claims about old php.

2) hire site admin and face him the aim: be compliance with exactly PCi compliance provider.

And, clearly, find someone enought cheap for you, because all it need to banks, not us, and all it just take money from our pockets.

I bet 99% people will agree with me.

I raised this issue with them. One supervisor said that they had no way to change the site. Hmmmm. It is their site. They should be able to change it. Further, they said it was not an issue because the connection is secure. They missed the whole point of security. I cannot trust such an organization.

I maintain a web site on Bluehost for a non-profit. Last summer we switched to a new bank and credit card gateway.

In April 2009 we were deemed noncompliant because our host (Bluehost) was running php “older than 5.2.9.” Several emails back and forth from BH support to our PCI Compliance folks (Security Metrics) finally convinced Security Metrics that the security fixes in 5.2.10 had been backported into BH’s version of 5.2.9.

Then in December we began the game all over again. The site was deemed noncompliant because our host was running php “older than 5.2.12.”

In January 2010 BH support told me they were in final stages of testing for implementing 5.2.12. Two months later (and several emails) BH still has not implemented 5.2.12 and we are being levied an additional $20/month for each month “out of compliance.”

NOW — get this — before BH implements 5.2.12, my latest non-compliance email from Security Metrics today says they require PHP 5.3.2. This leapfrog game seems to have the PCI Compliance cops at least one step ahead of Bluehost. Gobs of my time and aggravation have been spent and now it seems the game is rigged against me and there can be no end. I’m probably going to be forced to change banks or change hosts. Anyone else have this experience??

On a recent scan they highlighted that we had a login form (username/password) visible on a http connection rather than https (on our homepage). We pointed out that they form submitted over https so no information was sent to the server unencrypted. They advised to pass the scan both the form and the page needed to be https. We made the changes to allow us to pass the scan.

I then realised they have the exact same setup on their own website. You login from their homepage using a form which is viewed over http and submits to https.

Surly they would fail their own scan?

Within they’re website you can purchase additional scans on other domains etc and can pay by credit card , so one would assume they need to be PCI compliant themselves?

Seems odd that they would appear to fail their own standards?

I did raise the issue with them but received no explanation.

One more thing. If my credit card processor and my credit card gateway are both PCI Compliant, then why do I have to be PCI Compliant. We are already getting fee-d to death by both of them for every transaction and now we have to pay more fees.

First off, security metrics isn’t at fault here. Your processor has outsourced PCI to Security Metrics and your processor is responsible for these charges.

Second, you should be able to get a refund for the extra merchant numbers. A business only needs to get PCI certified once. It’s ridiculous that they wouldn’t refund you for the accounts past the first on on this.

Lastly, as long as your business plays part in accepting a credit card, you are just as liable for a breach as your payment gateway or processor.

I think based on the experience that you are having, you need to find a new processor. It’s completely unacceptable that you would be charged multiple times for this. The fact that they wouldn’t refund past the first charge just makes no sense. PCI is not something that is going away, but it shouldn’t be a burden to the point that it’s really hampering your business. Your processor obviously doesn’t care for your business even though you have several accounts with them. Go find somebody that does.

I am being charged $139.80 per year for PCI Compliance by Transaction Solitions, (a provider of First Data). I am switching to Sam’s Club, (also a provider of First Data), because they have offered me a PCI Compliance fee on only $39.00 per year. Also they are lowering my MC & Visa discount rate from 2.035% to 1.49%.

I wouldn’t be too sure on Sam’s being cheaper. We and just about every other reasonable processor in the country is lower priced than sams club. The rate you’re quoting is only for qualified transactions. You end up paying for it on downgrades. 1.49% is a debit only rate also. Your credit rate will be more like 1.7 – 1.8%. Just by the fact that Sam’s is trying to use smoke and mirrors to get your business, I would stay away. There’s plenty of honest, upfront providers out there that have cheaper PCI fees than $140 per year.