    ACTION REQUIRED: PCI Compliance for

    We just received an email from Braintree saying:

    This is an email from SecurityMetrics and Braintree. Action is required on your behalf to become PCI DSS compliant by December 6, 2018.

    What is PCI compliance?

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements mandated by the major card networks, including Visa and Mastercard, that apply to any business that processes, stores, or transmits credit or debit card data, regardless of the business's size or location.

    Do I need to become PCI compliant?

    Yes. As a merchant processing credit or debit card transactions, your business is required to validate PCI DSS compliance. While Braintree takes care of a large portion of the PCI DSS compliance validation process, all merchants must at minimum validate their PCI DSS compliance by completing a self-assessment questionnaire (SAQ).
    ....etc, etc.

    It says it was sent by:

    SecurityMetrics and Braintree

    This e-mail was sent by SecurityMetrics, 1275 West 1600 North, Orem, UT 84057.
    This email was sent to you because our records show that you have PCI compliance program requirements. If you do not wish to receive further SecurityMetrics emails regarding PCI compliance you may opt-out by contacting us at ...
    Have other Braintree users received this email, and does it actually require action? (Or is it one of those "spammy" sorts of things where you are led to believe you need to do something and then end up paying for an unnecessary service?)

    Thanks in advance for any feedback from others.
    Psydde Delicious
    Delicious Boutique & Corseterie
    Philadelphia, PA

    Typically what a gateway provider wants you to do is ignore it, and you'll find a 'convenient' fee starts to be assessed on the date they claim adherence is required by. Then, unless you are able to fill out a SAQ A that states you aren't touching cards, they'll just keep charging you the fee whether you're passing the scans or not. SecurityMetrics is one of the worst scanning vendors to deal with too; they fail things that were not relevant ten years ago, then you have to demonstrate to them why their report is inundated with false positives.

    Now, the way the Braintree module in Miva Merchant works, or if you're using our MivaPay product, credit cards should not actually be flowing through your store, they go direct from shopper to gateway unless something odd is in place, so unless you're touching them in some other way, you likely can indeed fill out the SAQ A stating you aren't touching them, and telling both entities you don't want or need their scans. Our TAC staff can assist in ensuring that you aren't touching cards, if Braintree or MivaPay are your gateways.
    David Hubbard