PCI Compliance
Message
From
10/03/2010 20:51:40
 
General information
Forum:
Visual FoxPro
Category:
Other
Title:
Miscellaneous
Thread ID:
01453510
Message ID:
01453849
Views:
65
I agree, it isn't total "BS", in fact none at all. I've been supplying a class "A" product for Global Payments for the last 15 years and followed the security issues as they evolved. The card associations have to do something to protect against fraud and the PA-DSS (the latest acronym) standards are a genuine effort. The ones who are making a killing for now are the auditors. So, if you don't like the auditors, become one yourself - it can be done. From a developer's standpoint, meeting the requirements becomes routine. As for the merchants and the questionnaires, some of them are a bit lame. I think part of the objective is to make the merchant aware they do have some responsibility to reduce fraud.


>Well, I don't think it's total BS. Lots of people have been burned because businesses who had their credit card information did not protect it. As with anything else, there can be unfortunate side effects of what is in essence a good thing.
>
>And let's not forget who is behind PCI in the first place -- bankers ;-( These are industry rules, not government laws, and most credit cards are issued by banks.
>
>
>>You're right and wrong.
>>
>>Level 4 doesn't _require_ certification, but if they don't do the questionnaire (for $100 - of course it's not free!), some card processors will charge them $20 per month because they're not PCI-compliant.
>>
>>The questionnaire is RIDICULOUSLY stupid. One of those things where you just give the "right" answers and you pass, and you can return to the questions until you get them all "right". It reminds me of the questions you're sometimes asked when checking in at the airport "do you have any explosives on you, sir?", "did any stranger ask you to deliver a package to the pilot, sir?" arrrgghhhh!
>>
>>PCI is a cash cow. Just like y2k and patriot act. It's total BS.
>>
>>Alex
>>
>>>Merchants who take Visa are classified as level 1, 2, 3, or 4. Level 1 merchants are the Wal-Marts and Targets of the world, with very large transaction volumes. The PCI requirements for them are stringent. Level 4 merchants are so-called "mom and pops." The requirements are much less stringent. What most of them do is sign up with a credit card processor. The processor charges relatively small fees and they are the ones who have to comply with PCI, not the merchant.
>>>
>>>UPDATE: Sounds like X-Charge is your processor. You have no worries. As you say, if you don't store credit card data there is no way you can let it get into the wrong hands.
>>>
>>>>Hi Carsten,
>>>>
>>>>PCI Compliance is scary, especially for small shops. I too am a single developer shop. I have a POS system that is in use by about 50 locations in Connecticut.
>>>>
>>>>When I first got wind of PCI Compliance stuff, I checked and found that an audit of the software was required and the cost of the audit was $30,000. Forget it!! Perhaps that has changed but....
>>>>
>>>>And I think it would be impossible for small shops to pass because of requirements for version control, quality control etc etc.
>>>>
>>>>I currently support PC Charge, X-Charge and Mercury. I really LIKE X-Charge because I am totally insulated from the PCI stuff. Basically I never see the Credit Card data so there is no way I can store it. I simply pass a parameter (amount) to the X-Charge control and X-Charge takes it from there and tells me the result.
>>>>
>>>>On top of that, X-Charge support is top notch. Installation is a breeze. You set up a date and time, X-Charge calls you, logs into the cash register and does everything. You just make sure the internet connection is good.
>>>>
>>>>And if that is not enough, I get a nice commission check every month from X-Charge.
>>>>
>>>>The last time I spoke to the Mercury rep, she told me they are planning a similar developer interface but I have not seen it yet.
>>>>
>>>>I would be very interested to hear what you have discovered on this topic.
>>>>
>>>>Ken
>>>>
>>>>(860) 280-6871
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Hi all -
>>>>>
>>>>>Just wondering what everyone is using to get PA-DSS compliance for credit card processing. What companies are you using for assessments, anything best to look for when choosing? We are a small shop (1 developer) and are trying to figure out the best way to go here.
>>>>>
>>>>>Is anyone using payment processors such as https://www.x-charge.com/ to deal with PA-DSS? Is it working for you?
>>>>>
>>>>>Any insights would be appreciated!
Scott Ramey
BDS Software