Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: ControlScan NO Longer Offering PCI Verification Seal

  1. #1
    SRT (Senior Member)
    Join Date
    Sep 2008
    Posts
    108

    ControlScan NO Longer Offering PCI Verification Seal

    I just received word today that ControlScan is discontinuing its PCI Verification Seal program; i.e., it will still offer PCI scanning but will no longer offer a Seal that we can put on our website as a "reassurance" seal of approval for our online customers.

    It seems that many ControlScan customers, including us, have had our Seal removed and replaced numerous times due to many false positives. As a result, ControlScan has opted to get out of the "seal" business.

    Given that ControlScan is an ASPDNS Integrated Vendor for PCI Scanning, what options do we have? Are there any other PCI scanning vendors that are compatible with ASPDNS?

    What does the ASPDNS merchant community feel about having/not having a PCI Seal on the site; does it make a difference as long as we have an SSL seal?

    Thank you.

  2. #2
    ssgumby (Senior Member)
    Join Date
    Feb 2009
    Posts
    683

    My personal opinion.

    I use McAfee Secure, previously Hacker Safe. When it runs out next year I will not renew it. Here is my reasoning. I have a free PCI quarterly scan from my host. I HATE HATE HATE the McAfee scan. They absolutely FLOOD my site with hack attempts and flood my logs with hack attempts, making error logs useless. They send me zillions of emails while attempting to hack my contact page. I had them bring my V9 site to its knees recently, where I had to bounce IIS to get it back... interestingly, I never had that happen to my V8 site.

  3. #3
    Ben-LynxSI (Member)
    Join Date
    Mar 2010
    Location
    Vancouver, BC, Canada
    Posts
    41

    I understand the need for PCI scanning on an ecommerce system to prove its security; however, once a system has been tested and is no longer modified (other than new products and processing orders) I don't understand why the industry is so obsessed with "daily tests" with McAfee or similar scanners. It's unnecessary, wasteful and expensive!

    Ultimately the #1 weak link in credit card security is humans not computers. My feeling is that PCI scanning seals are just the capitalization/monetization of a set of security standards that were intended to reduce fraud/hacking - not intended to increase customer confidence.

    As a customer, I'd be more worried about the human behind the store misusing my credit card than a hacker getting into their site and stealing it. As a store owner, I'm mostly worried about injection attacks on forms, which is why I buy an off-the-shelf storefront backend like AspDotNetStorefront - so I don't have to worry about this! They are already PCI compliant. Just don't break it while customizing and you are ok.

    I don't have a PCI Scanning Seal on my site; however, I do put a static "PCI Compliant" logo on my checkout that simply claims PCI compliance without verification (no "last tested" or "click to verify" or anything like that).

    Those are my thoughts... Feel free to correct me if I'm ignorant of a larger problem. ;-)
    Ben Swayne - C#/ASP.net/jQuery/Ajax/SEO
    Lynx System Integrators Ltd.
    Lynx Live Agent - real-time analytics, live chat and sales software for ASPDotNetStorefront
    My Personal Website