I noticed that Kagi was called an excellent payment processor in this thread, and I thought some of you would be interested in some security issues about them and some other payment processors. This applies to people who make or accept credit card purchases.

Payment processors (such as PayPal) sometimes use a service to help them stay in compliance with credit card company rules. These rules vary between credit card companies, but they're based on the Payment Card Industry (PCI) Data Security Standard, which helps protect customers.

Beware of compliancy services, particularly AmbironTrustWave ( http://www.atwcorp.com/ ) which I discovered has made an unsubstantiated claim that the payment processor Kagi "has performed the required procedures to validate compliance with the PCI Data Security Standard."

I recommend that Visa's own list of compliant service providers (which includes payment processors) be used to confirm a payment processor's compliancy. I included this tip in my consumer protection index, under "Payment Processors" at http://www.polisource.com/consumer-protection.shtml#consumer-protection-index along with some other tips.

Here's my email to Visa and two replies that I received (I think there was confusion at Visa over whether the first reply was sent).

------------------------------

> -----Original Message-----
> I do business with a company that allows
> payments through Kagi, and I'm trying to
> determine whether Kagi is CISP compliant.
> According to your list of compliant service
> providers at
> http://www.verifiedbyevisa.com/down..._List_of_CISP_Compliant_Service_Providers.pdf
> Kagi isn't one of the compliant service providers,
> but according to
> http://www.kagi.com/about/bulletins/cisp.html
> and
> https://sealserver.trustkeeper.net/compliance/cert.php?code=x4ij3BZ9ZVRIGnDsmKTROdOFX2IgvC
> they are.

------------------------------

Dear Barry,

Kagi is not on Visa's updated list of compliant service providers and therefore is not PCI/CISP compliant. Companies that have not successfully fulfilled FULL PCI/CISP compliance requirements and been approved by Visa are non-compliant. Therefore, any claims made without a Visa-approved full PCI/CISP compliance are unsubstantiated.

Regards,
The CISP Team
www.visa.com/cisp

------------------------------

Dear Barry,

Below is the email response sent last Tuesday by CISP soon after we received the initial email from Barry.

Again, Kagi is not on Visa's list of compliant service providers and therefore is not PCI/CISP compliant. Any claims Kagi makes on their PCI/CISP compliance are unsubstantiated. Many business entities consider their operations compliant according to PCI/CISP; however, in order to be legitimately PCI/CISP compliant, the relative PCI DSS compliance requirements according to CISP must be fulfilled accordingly, fully compliant, and approved by Visa.

Regards,
The CISP Team
www.visa.com/cisp