Jun. 18, 2009 - NAR and PCI Compliance Revisited
NAR sent out another letter recently making it clear that it is still their belief that organizations using their payment gateway do not need to worry about their own PCI compliance. So, I recently validated my position (http://www.realtown.com/mattcohen/blog/nar-and-pci-compliance) that MLSs and Associations that take credit cards MUST have their own security assessment process and PCI compliance - they can NOT depend on NAR to take care of security/PCI for them unless members/subscribers only enter card information directly into the NAR payment gateway. I got a second opinion from one of the most highly certified and respected security professionals in the U.S. - Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE. I'm sure we'll be chatting with the folks at NAR soon enough...
So, if you're not on the path toward information security and PCI compliance as needed ... don't wait - contact me!
UPDATE: I now have a call set up with some smart folks at NAR ... hopefully we can get the confusion resolved and end up with a unified message.