  1. #1
    Join Date
    Mar 2005
    Posts
    30

    Any hosts had to deal with new VISA and Mastercard rules?

    Hello,

    I'm wondering whether the new security rules initiated by VISA and MasterCard in the last couple of months have been an issue for anyone.

    I realize not many hosts have heard of this yet. Unfortunately I'm one of the merchants looking to get a new merchant account but can't find a host that meets the new security requirements. Apparently there are lots of shared hosts out there that have had clients successfully go through the process, but I have no idea how to find them!

    Any advice would be greatly appreciated.

    Thanks,
    Jennifer

  2. #2
    Join Date
    Apr 2005
    Location
    Wisconsin, US
    Posts
    12
    What kind of security measures???

  3. #3
    You can read the compliance requirements here:

    VISA CISP – http://www.visa.com/cisp
    MasterCard SDP – https://sdp.mastercardintl.com/index.shtml
    Discover DISC – http://www.discoverbiz.com/merchant/..._features.html
    American Express DSS – http://home5.americanexpress.com/mer...tasecurity.asp


    Generally the new rules are meant for merchants with more than 20,000 transactions (VISA/Master) per year and are optional for those below this threshold. However, if there's a compromise, you can be assessed fines. (They said sizable fines, so it can be 6 to 7 digits easily.)

    Also I must add, if you do not store credit card details personally, you are not really affected.
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  4. #4
    Join Date
    Mar 2005
    Posts
    30
    The company I'm using to get my merchant account, Beanstream.com requires me to go through this process. As of yet I haven't found a host that has experience with it and is able to get me up and running quickly.

    Any suggestions?

    Jennifer

  5. #5
    When you say host, do you mean someone who can get you a merchant account?

  6. #6
    Join Date
    Nov 2001
    Location
    Chicago
    Posts
    1,135
    The rules specifically are for:

    * Restricting access to credit card numbers to employees
    * Encrypting credit card numbers when stored in a database
    * Encrypting CVV2 and card code numbers when storing them
    * Providing notice to your customers that they are being stored
    * Following some other minor guidelines. Most of the stuff should be done anyway with or without their regulations. There are also very heavy fines for being caught not complying. Fines can be as high as $500,000 US per offense.

    My suggestion, hire an outside consulting firm to certify your company.

    Dan
    ---
    Dan Ushman
    Co-founder & CMO
    SingleHop, Inc.

  7. #7
    Join Date
    Apr 2005
    Posts
    55
    Dan:

    Question: Is the merchant who provides the credit card acceptance service for your site responsible for all the new compliance laws?

    In other words, I want to be able to offer members the ability to purchase goods and services from my site. I then contract with a merchant who offers those services for a fee.

    Am I, or my hosting firm responsible for anything?

  8. #8
    Join Date
    Oct 2003
    Posts
    9,264
    Nygg,

    As the merchant would handle all the numbers/transactions on your behalf - i.e. if you select worldpay or authorize.net they will be the only ones with access as well as the liability.

    I haven't completely read up on it just yet - but this is what I see.
    I personally recommend everyone do their transactions through third party providers (worldpay, authorize.net, others) as any liability each party has is limited.

  9. #9
    Join Date
    Apr 2005
    Posts
    55
    HP-D:

    You're fast! LOL.

    I look forward to talking with you again.

  10. #10
    Join Date
    Apr 2005
    Posts
    55
    Actually, how does that work?

    I contact a merchant. I then authorize him to set up shop on my site and he then handles all the c-card transactions?

  11. #11
    Join Date
    Mar 2005
    Posts
    30
    Hello,

    I already have someone who can get me a merchant account (beanstream.com). My problem is that part of the process is having your website scanned for "security issues". The hosting company then needs to make the necessary changes to their server in order to meet the guidelines put forth by Visa and MasterCard.

    I think I'm going to give up on this! It's more of a headache than it's worth!

    Jennifer

  12. #12
    Well, the new regulations are not only about the security of the webserver. It's a whole business process you have to look at, such as which employees are given access, whether you destroy obsolete transaction data, etc.

    I also do not typically advise you to store credit card information online unless you are certain or have a real reason to. We store it all offline, for example. This is especially so if you are just using a shared server, and do not have the expertise or the ability to determine how secure your server would be.

  13. #13
    Join Date
    Jan 2002
    Posts
    1,053
    Originally posted by midphase-Dan

    * Encrypting CVV2 and card code numbers when storing them
    I thought that Mastercard and Visa had provisions prohibiting any merchant from storing CVV / CVN numbers?

  14. #14
    Join Date
    Mar 2005
    Posts
    30
    I would never dream of storing credit card information myself! That will be handled by the company issuing my merchant account. Yet they're still making me go through rigorous security tests that I've yet to find a host who can pass.

    I was told it's because they want to make sure that the server can't be hacked and someone fraudulently points customers to a different server when paying on my site.

    Jennifer

  15. #15
    Join Date
    Nov 2000
    Posts
    3,046
    Originally posted by jkirkpatrick
    I was told it's because they want to make sure that the server can't be hacked and someone fraudulently points customers to a different server when paying on my site.
    Well inform them that they are sitting on billions of dollars worth of profits if they know how to verify if a server is hackable or not.

    Pick a different provider... sounds like they don't have a clue.

    You need a separate merchant account for each type of credit card you wish to accept and each currency you wish to settle in.

    That's on their website. Scary...

  16. #16
    Join Date
    Mar 2005
    Posts
    30
    Ummmm... I think we're having two different conversations here JustinH. I have no problem with my merchant account provider. If the quote you included in your post was from Beanstream.com it must be because it applies to how merchant accounts are handled in Canada. The laws are different up here regarding requirements.

    And it's not them that is requiring the security checks to look for POSSIBLE vulnerabilities that could lead to hacking. It's VISA and MasterCard.

    The fact that you don't understand that is exactly why I'm having so many problems finding a suitable host. Please don't take that the wrong way, I don't mean it as an insult. It's just that this program is so new that no one is familiar with it yet. From all the reading I've done though it's here to stay and something that all hosts with e-commerce customers will soon have to deal with.

    Gotta love the power that VISA and MasterCard have!

    Jennifer

  17. #17
    Join Date
    Nov 2000
    Posts
    3,046
    I should have gone into more detail.

    First, no Visa and MasterCard do not require security scans unless you are doing over 20,000 transactions a month. Under 20,000 it is optional.

    Second, both Visa and MasterCard use the same Security Vendor List that are allowed to perform these scans. https://sdp.mastercardintl.com/vendo...dor_list.shtml
    As you can see, BeanStream isn't one of them.

    Third, Visa and MasterCard's bylaws dictate merchant accounts; government regulations only regulate the laws surrounding them. I've never heard of ANY processor requiring multiple "merchant accounts" for each card processed. That includes PSIGate, which is Canadian, and a company I've worked with.

    Basically, the reason you can't find a host that meets the qualifications is because no shared host is going to meet the qualifications, since they aren't even required until you are doing 20,000 transactions. And processing at that level sure as heck would require more than a simple shared hosting account.

    As such, I'd suggest going with a merchant that has a little better grasp on the qualification requirements for CISP and SDP.

  18. #18
    What do their tests involve? If you are not storing CC data, it would be a lot easier. You just have to ensure that your data capturing is secure, etc.

    Josh: That's correct. In fact the "new" regulations reinforce that point.

  19. #19
    Join Date
    Aug 2003
    Location
    Chesapeake, VA
    Posts
    3,381
    Regarding this... a couple quick clarifications that I'll point out before I leave to fly out. Don't want to miss my flight this AM.

    First, regarding CVV - you are absolutely NOT allowed to store CVV data. Whether encrypted or not. You can store the match result - i.e. whether it matched or not, but not the actual cardholder code.

    Second, a simple way to reduce the liability to your business is to utilize a CISP-certified payment gateway for your payment processing. Your Web site does not need to be hosted on a CISP-compliant data center or network as long as your payment processing itself is handled through a CISP compliant manner.

    BTW, CISP has really effectively been integrated/evolved into PCI as the new "collective standard" that allows a PCI-compliant application to effectively be certified by all of the major issuers without having to go through individual certifications.

    Lastly, regarding the comment on needing a merchant account for each card type - if you are in Canada, you typically get a Visa merchant # from a Visa member bank and then a separate MasterCard merchant # from a MasterCard member bank.

    In the U.S., it works differently in that a bank or ISO will issue a single merchant account # which is for both Visa and MasterCard.

    Then to add American Express, Discover, Diners or JCB - you would obtain a separate merchant # for each of those card types and have your merchant processing add it into your merchant account configuration.
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  20. #20
    Join Date
    Nov 2000
    Posts
    3,046
    Originally posted by cdgcommerce
    Lastly, regarding the comment on needing a merchant account for each card type - if you are in Canada, you typically get a Visa merchant # from a Visa member bank and then a separate MasterCard merchant # from a MasterCard member bank.
    My knowledge of Canadian merchant accounts is limited, but I did know that each card issuer gave a unique number, but I've simply never heard it called multiple merchant accounts.

    Thanks for clearing that all up. The CVV thing is quite interesting, and something I wasn't aware of. It's understandable not to allow it, since that's the single available method for proving the person has physical access to the card.

  21. #21
    Join Date
    Apr 2005
    Location
    Holland
    Posts
    40
    midphase-Dan:

    1. 500K is applicable in the USA only (it seems so) and is a fine towards the ACQUIRER, and not its merchant.
    2. You can't store CVV2 or you will run into even more trouble.

    In General:
    A. Both Standards are from now on called PCI.

    B. The merchant is ONLY required to pass them if the merchant actually handles card numbers. Most PSPs these days offer to use their own payment-page and show only limited data to the merchant like first 6 digits or last 4 and in that case only PSP has to be certified.
    The way the merchant actually handles the card information, whether in a third party mode or in direct merchant account is pretty outdated these days.

    C. For a merchant, unlike for a PSP, when needed it's pretty easy to get certified as it requires to pass tests only. A PSP has to actually have a visit from those certifying companies.

    We were in fact certified under VISA AIS amongst the first.
    Ido Schiferli
    Marketing Manager

    ChronoPay
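
As an added illustration (not code from any poster in this thread) of the two storage rules stated above, #19's "store the match result, never the CVV" and #21's "show only the first 6 or last 4 digits", the following Python builds a storage-safe transaction record and scans a record for fields that must not be there. The field names, the `StoredTransaction` type and the sample card number are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StoredTransaction:
    """What may be persisted after authorisation: no full PAN, no CVV."""
    masked_pan: str    # first 6 and last 4 digits only, middle replaced with '*'
    cvv_match: bool    # the gateway's match result, never the code itself
    amount_cents: int


# Keys under which a card verification code is typically submitted (assumed names).
CVV_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cid", "card_code"}


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, as #21 describes PSPs exposing."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_for_storage(pan: str, cvv_matched: bool, amount_cents: int) -> StoredTransaction:
    """Build the only record that should reach a database: the CVV itself is
    never a parameter here, only the boolean the gateway returned for it."""
    return StoredTransaction(mask_pan(pan), cvv_matched, amount_cents)


def contains_cardholder_secrets(record: Dict[str, object]) -> List[str]:
    """Scan a record as it would be serialised and report fields that violate
    the rules: any CVV-named field, or any value that is a full card number."""
    problems = []
    for key, value in record.items():
        if key.lower() in CVV_FIELD_NAMES:
            problems.append(f"{key}: card verification code must never be stored")
            continue
        compact = re.sub(r"[ -]", "", str(value))
        if re.fullmatch(r"\d{13,19}", compact):
            problems.append(f"{key}: looks like a full card number")
    return problems


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, not a real cardholder's number.
    rec = record_for_storage("4111 1111 1111 1111", cvv_matched=True, amount_cents=1999)
    print(rec)
    print(contains_cardholder_secrets({"pan": "4111111111111111", "cvv2": "123"}))
```

`contains_cardholder_secrets` is meant to run over records before they are written, so a code path that accidentally keeps the raw PAN or the CVV is caught in testing rather than in an audit.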
