  #125  
01-29-2010, 06:22 AM
 
geckoday
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by just wondering
We use Streamline & SagePay Direct.

We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?

Weird that they don't require a server scan. Card numbers pass through your server so it's in PCI scope. I would run the quarterly server scans anyway as PCI clearly requires them in this case.

What you are seeing is a result of the fact that the card brands leave it up to the acquirer to decide what proof of PCI compliance is required from small merchants. So it will vary what hoops any particular merchant will need to jump through. We will probably see the same thing with the PA-DSS mandate. A few months back someone posted that they couldn't get a new merchant account because X-Cart isn't PA-DSS certified. But overall, I think some acquirers will enforce it and some won't, especially early on. Over time most will enforce it.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com