Author: Olly

  • PCI Compliance Nonsense

    OK – I’ve had about enough of this and I need to rant somewhere!!

As everyone knows – we make websites and quite recently we have been building lots and lots of online shops. It’s usually much more of a technical job as there are so many more elements to take into consideration, one being payments and how you take them via/on your website.

There are generally three ways you can take payments, and they are as follows:

1) Simple “cash holding” payment gateways like PayPal – this takes the money and holds it in your PayPal account – not a merchant account.

    2) Similar 3rd party payment gateways like SagePay – these are tied to a merchant account which is a bank account specifically for website payments.

3) Embedded payment gateways that never take anyone away from your site, process the payment on your site and send the money to a merchant account.

Now all apart from the 3rd (in my professional opinion) do not require any level of PCI compliance, as the payment isn’t taken on the customer’s website – it’s taken on PayPal.com or SagePay.com – who then need to be PCI compliant, as that’s the point of it all.

    Q: What is PCI?

    A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.

    ~Source

    Now somewhere along the line some idiot at the top of the ladder in the financial industry has decided that everyone who owns a merchant account (which are never and could never be hosted on our clients hosting environment, so again, hosted with a 3rd party) needs to be PCI compliant – what a load of rubbish!

    I agree 100% that if you take/store/send payment info you need to tick every box in terms of compliance – as you are dealing with highly sensitive information –  but why do my clients need to become PCI compliant if they never see the card/payment details themselves?

What the fools at the banks don’t realise is that by making a stupid call like this (like the cookie thing a few years ago) they are forcing thousands and thousands of small-to-large-sized businesses to unnecessarily pay to have their hosting environments made PCI compliant – when they don’t need to!

Additionally, many customers on shared hosting might need to move their site to a dedicated server or VPS at a significantly higher cost to themselves – as some PCI scanners say that shared hosting can never be PCI compliant – it’s an area of much confusion & myth and really needs properly clearing up by someone who knows what they are talking about, not just some suit making a blind call with nothing to back it up.

Is there anyone out there who can (from a technical point of view – I’m actually able to search Google myself) explain to me why ANYONE using something like SagePay with an external merchant account needs to be PCI compliant themselves?

    </rant-over>

  • Finally settled on a new layout

My rekindled love for blogging has also meant I’ve been spending time tinkering with my blog layout and the colour scheme, trying to get it just how I want it.

For the last few weeks I was rocking an awesome theme, to be fair it was the best one I’ve ever had, proper ticked all the boxes…. apart from the fact that once I started delving in and altering a few things I realised the guy who made it was a moron and had obviously coded most of the template files with his knees.

    The structure of everything was a mess. I was very sad :'(

So, I started the hunt for a new WordPress theme (you’d have thought I’d have one of the ninjas at work make me one haha) and it reminded me how hard it is to find simple blogging themes nowadays that focus on the written content rather than huge header images and image slideshows and junk.

    …Is that because no one writes old fashioned blogs any more?

I get that a picture is worth a thousand words, but I often visit blogs that are using premium themes built to focus on large imagery accompanying the published articles, and the authors simply use some crappy stock image because if they don’t they break the layout of the page.

    So is there really any point in having that as a main feature of the theme?

We did some work for a lady recently who was a travel blogger, and because of what she blogged about she needed large images to be part of her articles, else the images of the places she visited wouldn’t get across to her readers – however not everyone blogs about “visual” things, so there really should be more choice of themes out there for the rest of us! 🙂

    Anyway, after 20 minutes or so I saw this theme, liked that it was fairly bare-bones and installed it. All credit to Per Sandström for making a great theme that is easily customisable and is made for bloggers!

    Hurray for simplicity!

  • SCAM – Data File Google Winning Batch: UK/111/GWIN/GUK

Dave spotted this in our spam box, sent from anagalski@iimcb.gov.pl with a Reply-To address of owenhookson09@gmail.com – as if “the CEO of Google” would have an email address like that!

    “You have Been Selected as a Winner for Using Google Services. Find attached E-mail with more details.
    Congratulations,

    Sincerely.
    Mr. Owen Hookson.
    CEO GOOGLE UK.”

And it’s another attachment jobbo – look at this beaut;

    Here is the original file

It’s, of course, a scam – stay away folks, and if you see anything like this in your inbox forward it to me so I can have a giggle 🙂
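The two tells in that message are ones you can check mechanically: the Reply-To domain differs from the From domain (and is a free webmail account), and there is an unsolicited attachment. The script below is an added example, not code from this post; the message it parses is constructed from the addresses and subject quoted above, with a made-up body and attachment name.

```python
"""Flag the From/Reply-To mismatch and attachment seen in the scam above.

Added example, not code from the original post. RAW_MESSAGE is constructed
from the addresses and subject quoted in the post; the body text and the
attachment name are invented for illustration.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Free webmail providers a "CEO of Google UK" would not be replying from.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed sample: headers from the post, body/attachment made up.
RAW_MESSAGE = """\
From: anagalski@iimcb.gov.pl
Reply-To: owenhookson09@gmail.com
Subject: Data File Google Winning Batch: UK/111/GWIN/GUK
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have Been Selected as a Winner for Using Google Services.
--b1
Content-Type: application/pdf; name="winning-batch.pdf"
Content-Disposition: attachment; filename="winning-batch.pdf"

JVBERi0x
--b1--
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess(raw):
    """Return a list of human-readable reasons the message looks like a scam."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    # Replies silently redirected to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"reply-to domain {reply_domain} != from domain {from_domain}")

    # A corporate sender asking for replies to a free webmail account.
    if reply_domain in FREEMAIL:
        findings.append(f"reply-to is a free webmail account ({reply_domain})")

    # "Find attached E-mail with more details" style lures carry a payload.
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if attachments:
        findings.append(
            f"unsolicited attachment(s): {', '.join(attachments)}")

    return findings


if __name__ == "__main__":
    for reason in assess(RAW_MESSAGE):
        print("SCAM INDICATOR:", reason)
```

Run it against a raw `.eml` saved from your spam box by passing the file contents to `assess()`; a clean message with no Reply-To and no attachment returns an empty list.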

  • Website owners beware – terrorist attacks on your websites too

It’s hard to ignore the current disputes between ISIS and the rest of the world. Every news programme and social feed contains links to videos and articles about this horrible ordeal, and it looks like it’s now also spread to the digital world.

I was messaged by a customer who said that their website had been hacked. When I visited the website I was greeted by the message:

    Hacked BY MuhmadEmad ./we are peshmarga

MuhmadEmad seems to just be the person’s name, but peshmarga (peshmerga) is a term used by Kurds to refer to “Armed Kurdish Fighters” which – as far as I can work out – should be people on our side, so I’m really confused as to why they would hack a little WordPress website that has nothing to do with this conflict.

I’m still looking into exactly what happened, but it seems to have been a Gravity Forms exploit of some description – some files within uploads/gravity_forms/tmp were VERY dodgy, so they’ve been downloaded for closer inspection and removed from the site.

I’ve also updated all the plugins, themes and the WordPress core. Passwords for all WordPress user accounts, FTP and MySQL users have been changed too.

If you’re having trouble with a hacked website then contact me through Twitter or something and I’ll help as best I can.