Hi there,
EUK seem to be very confident about their ability to provide PCI compliance for merchants storing credit card details on their server (i.e. Sage Pay Direct or PayPal Website Payments Pro, as opposed to PayPal Express Checkout/Sage Pay Form & Server), so I'm hoping you'll be able to clear this up for me.
I've taken a look at the thread on your forum at dub-dub-dub.eukhost.com/forums/f11/pci-dss-compliance-7882/, googled, and spoken to Barclaycard's chosen security company SecurityMetrics (who didn't reassure me - they came across as not really understanding PCI!).
[It seems I cannot post links as a new member of this forum, so I've just pasted them in.
Aaaargh, no I haven't, because the forum automatically tries to make them URLs again - this is doing my nut! I can't even remove the http bit. OK, I'll try and obfuscate them by replacing www with dub-dub-dub.]
The issue is this:
From reading the official PCI documents, PCI compliance is a complex process, a small part of which is a remote scan (to ensure ports are closed, software is up to date, etc.). Merchants storing credit card details locally are required to complete SAQ-D (found here: dub-dub-dub.pcisecuritystandards.org/saq/instructions_dss.shtml), as are their Service Providers.
Listening to SecurityMetrics and reading the EUK forum, compliance appears to be about the scan only. However, there is more to it than that as far as I can see. For example, the web site and database must be on separate servers, and secure processes and policies must be in place behind the scenes at the hosting provider as well as the merchant, down to the level of ensuring any relevant devices are labelled as to their owner and purpose! And merchants and their service providers must each make an 'Attestation of Compliance', essentially securing their liability should things go wrong.
To be fair, there seems to be a lot of confusion around PCI - the official PCI information says one thing, and everyone else (even banks and security companies!) says another. Or perhaps I am missing something. For example, requirements are being phased in - are some people just behind the times? Do acquiring banks get to decide how rigorous they want to be, and are they currently being quite flexible and ignoring most of PCI? I find that hard to believe, however.
PCI compliance is of course about passing the buck.
My concern is that if I take everyone at their word, it is possible I will gain PCI compliance and be able to begin taking payments just by passing a scan. If my site is then somehow hacked, card details are compromised and my card services provider investigates, they may then find that one of the other PCI requirements (such as physical access to the servers in the EUK/web host's data centre) was not properly compliant. Cue immeasurable damage to, and possible failure of, my business.
What about the rest of compliance beyond scanning? Are EUK and others 'PCI Compliant' service providers, capable of completing the appropriate forms (especially the SAQ-D linked to above), and do you have appropriate procedures/policies/measures in place?
For example, can you address the points made here: dub-dub-dub.outeredgeuk.com/pci-compliance-with-sage-pay-form-server-direct/?