[_] ASP serverside payment gateway
Jonathan Matthew Burke
imprecision at gmail.com
Tue May 29 17:07:18 BST 2007
On 29 May 2007, at 16:26, Matt Hamilton wrote:

>> Yup. Don't Visa even require that your *data center* is Visa security
>> compliant these days? I know one of the DCs we use makes a big thing
>> about it anyway.
>
> Dunno... last one we had to fill in was for Streamline (natwest/rbs)
> a few years back and it was a joke. It was 10 yes/no questions of
> the ilk: 'Is your server secure: yes/no' about as much use as a
> chocolate teapot. I hope they are a bit more useful nowadays.

Has changed a lot over the past year or so. They're (slowly) beginning to get it. Much more comprehensive questionnaires, authorised third party security firms checking you out, periodical system scans, criminal record checks on employees who have access to data, etc.

Your data centre needs to be OK'd too. If you use a large third party hosting company they're likely to already have it. You then need to make sure your own stuff is good from there on - locked server cabinets, etc.

And as of the 1st of this month VISA and MasterCard require you to comply with all PCI DSS v1 standards - otherwise hefty fines.

In other words: way too much stress, stay well clear unless you really have to. IMHO.

-j