On Wed, 24 Jun 2009 16:27:02 James McGlinn wrote:

> Yeah, I can confirm ASB are insisting on 3-party for new gateway
> accounts, as I understand it most/all of the other banks are also
> moving towards that (others might be able to confirm that - I've only
> dealt with ASB recently).

It is universal.

> That policy doesn't seem to affect existing setups. In principle it

That is debatable. More to the point they haven't gotten around to
chasing up current merchants.

> doesn't seem a bad idea to require independent certification for
> merchants handling card details - I've seen some pretty shocking
> systems.

Mailto form anyone?

> But that said I haven't been through the process of getting PCIDSS
> certification so don't know how onerous it is.

In simple terms for 'small' merchants it's a matter of ticking off every
item on the list and then getting your cardholder details handling
systems independently remote scanned by one of a list of approved
auditors.

However the devil is in the detail. The list that needs to be ticked off
contains many 'issues' that can take some time and professional
expertise to work through, and some of the tick boxes are hardly what I
would call relevant in many instances, but they must be ticked because
'N/A' is only an option on the wireless related points.

And then there is the cost of a breach once you're PCI-DSS certified.
I'd want to have an insurance policy for at least US$ 10 million in
place, and this could prove to be very difficult to obtain in NZ. All
the brokers and companies I spoke to don't have a clue on these areas
and thus will not insure them.

Michael

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
