Online Vendor Trying to Comply


creditcardsonline101.com
01-10-2009, 02:39 PM
I'm a little online education vendor who takes credit cards. I'm trying to make sure that I'm doing the right thing to comply.

We don't store credit card numbers. All the numbers go straight to our gateway. We will handle over 100,000 transactions (average is ~$25) per year.

I'm planning to:
- fill out a compliance survey and send it to my bank
- do a paid quarterly scan of my network
- get written confirmation and check that my Gateway is compliant.


Is this enough?

jbhall56
01-11-2009, 06:01 AM
First question. Do you only take credit cards online or do you take credit cards via other methods such as over the phone, mail, etc? If you only take them via e-Commerce (i.e., through a Web site), then you will use SAQ C. Otherwise, you will need to use SAQ D. However, you need to have a discussion with your acquiring bank on this subject as they are the ultimate judge as to what type and level of merchant you will be filing under.

Next question. Do you host your own Web site or is it hosted by a third party? If all of your e-Commerce is hosted at a third party, then it is the third party's network that needs to be scanned. You will want to contact your hosting provider to see if they are already performing quarterly scans and if they will share the results of those scans. A lot of third parties will share the results of their scans of a customer's cardholder environment for a price. Again, this assumes that your own company's computer systems do not store cardholder data (CHD).

Unfortunately, we find that a lot of small companies have CHD stored in their computer systems, mostly for the research of chargebacks and refunds. So, you really need to take a close look at your processes to ensure that you have not inadvertently stored CHD on your own computers. Look for spreadsheets and the like. There are a number of good shareware utilities available that can scan a computer's hard drive looking for social security numbers and CHD. I prefer SENF from the University of Texas and Spyder from Cornell University. There is the old standby of ccsh from Sourceforge, but it is a command line application and only works in one directory at a time. The key to all of these utilities is that they are NOT perfect and will identify files that do not have CHD and may miss those that do have CHD. However, they should give you the best shot at making sure that your systems do not have CHD. Follow each utility's instructions to ensure you get the best results.

While you need to know the PCI compliance status of your gateway, your organization's PCI compliance is not predicated on whether or not your gateway is compliant. The PCI compliance status of the gateway is up to the gateway's processor.
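As an added example (not code from this thread, nor from SENF, Spyder or ccsh), here is a small Python scanner that does the job the post above describes: it walks a directory tree recursively (unlike the one-directory-at-a-time ccsh) and flags files that contain PAN-like digit runs. It cuts down false positives with the Luhn check that every PAN must pass plus a coarse brand-prefix filter; the prefix list and the sample spreadsheet text are constructed for the example. Like the tools named above it is a heuristic: it will still flag some non-card numbers and will miss card numbers that are split across cells, longer than 19 digits in a row, or stored in binary or compressed formats.

```python
from __future__ import annotations

import os
import re
import tempfile

# Constructed sample (not real data): what a chargeback-research export might
# look like. Three valid test PANs, one Luhn-failing number, phone numbers,
# dates and long batch/job ids that should NOT be reported.
SAMPLE_TEXT = """\
order,date,card,phone
10001,2009-01-17,4111 1111 1111 1111,555-123-4567
10002,2009-01-18,5555-5555-5555-4444,555-987-6543
10003,2009-01-19,378282246310005,555-000-1111
10004,2009-01-20,4111111111111112,555-222-3333
batch id 20090117200100 exported by job 123456789012345
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Runs longer than 19 digits are skipped entirely.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Coarse brand-prefix filter (assumption for the example, not a full BIN table):
# Visa 4, Mastercard 51-55 and 2221-2720, Amex 34/37, Discover 6011/65.
_BRAND_PREFIX = re.compile(
    r"^(?:4|5[1-5]|2(?:22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720)|3[47]|6011|65)"
)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check every PAN must."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only PANs in text that pass the prefix and Luhn filters."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if _BRAND_PREFIX.match(digits) and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only the last four digits, which is all a report should contain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_tree(root: str, max_bytes: int = 50 * 1024 * 1024) -> dict[str, list[str]]:
    """Walk root recursively; return {path: [masked PANs]} for files with hits.
    Files are decoded as latin-1 so binary content cannot raise; oversized or
    unreadable files are skipped rather than aborting the scan."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="latin-1", errors="replace") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue
            if pans:
                hits[path] = [mask(p) for p in pans]
    return hits


def scan_sample_tree() -> dict[str, list[str]]:
    """Write SAMPLE_TEXT into a throwaway directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "finance", "chargebacks")
        os.makedirs(sub)
        with open(os.path.join(sub, "q1.csv"), "w") as fh:
            fh.write(SAMPLE_TEXT)
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("nothing to see: order 10001 refunded 2009-02-01\n")
        # Return paths relative to tmp so the result is stable across runs.
        return {os.path.relpath(p, tmp): v for p, v in scan_tree(tmp).items()}


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, pans in scan_tree(root).items():
        print(f"{path}: {', '.join(pans)}")
```

Run it as `python scan_chd.py /path/to/share` and review every hit by hand; the report only ever prints the last four digits, so the scan itself does not create a new copy of full card numbers on disk or in a ticket. On the constructed sample it reports the three valid test PANs in `finance/chargebacks/q1.csv` and nothing else: the Luhn-failing number, the phone numbers, the dates and the 14- and 15-digit batch and job ids are all dropped.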

mdahn
01-17-2009, 08:01 PM
This is a question of scope. The question is, do you ever "store, process, or transmit" payment card data? Do the cardholders send the information to you and then it is sent to the gateway, or does the cardholder submit it directly to the gateway?

- Cardholder -> Merchant -> Gateway ?
- Cardholder -> Gateway ?

If the cardholder submits their information directly to the gateway, you may have fewer validation steps. You can check out the PCI DSS Self-Assessment Questionnaire (https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions) on how to choose the best validation step for you.

Knox Ellery
05-03-2009, 10:11 PM
Hi,
Last week I purchased beauty items online. I sent payment using my credit card. The shop employee swiped it two times. Will it be affected or not? Please tell me.

creditcardsonline101.com
10-17-2009, 11:56 AM
Hi, we're starting Q4 and one of my Q4 goals is to review our compliance and security situation. So, I'm back on this question.

We do not store any credit cards at our site or on our network.

When customers purchase, it's:
credit card: customer -> merchant account
They are stored there and then hit monthly. We have access only to the last four digits.

We do over 100K transactions per year.

Any advice on my compliance responsibilities?