For liability concerns, an acquirer should not directly advocate any one ASV or QSA to their merchants, however it is acceptable for the acquirer to tell the merchants what third party company or companies that they have strategic partnerships with.

“Try to seek a partner who you can rely on to assist with your PCI Compliance program, ControlScan offers a number of solutions for merchants, ISOs and acquirers and currently partners with one of the largest acquirers in the United States,” said Stanton.

As well, the PCI Security Council has a list of approved ASVs and QSAs. Visa and MasterCard also offer their own lists on each Web site.

“Acquirers and ISOs should establish a relationship with a trusted, association-approved PCI assessor, and develop a program for all their merchants to establish compliance, and ensure periodic testing so that compliance remains intact moving forward,” wrote Gray.

A model relationshipThird Party ASVControlScan, Inc. is an Atlanta, Ga.-based, PCI Security Standards Council–approved third party vendor (ASV), providing vulnerability scan and assessments, compliance assistance and network security. Their clients include Fortune 500 and billion dollar corporations such as: Travelers Insurance and PBS.The company offers a turnkey, no-software-needed approach to PCI compliance, and its security certificates assist in meeting the criteria for mandates in Europe, Japan, Canada, ISO and the USA, not only for PCI compliance but also for Sarbanes Oxley, HIPAA, GLBA and FISMA fulfillment. AcquirerAccording to ControlScan’s CTO & Founder, Richard Stanton, the company recently became the ASV for PowerPay, LLC, mentioned previously in this article.“PowerPay requested that we [ControlScan] conduct all of their mandated PCI compliance scans, for all 16,500 of their merchants,” said Stanton.“What sets us apart from other vendors, is that we actually call the merchants, directly, and we also provide a secure Web system, so a company like PowerPay can log into our system and check their merchant’s PCI status at any time.”He continued, “ControlScan is very proactive, providing contact with the merchant, in order to make sure each merchant is PCI compliant…we actually make direct phone calls to each merchant.”

According to PowerPay President Ron Greenberg, after meeting representatives from ControlScan at an industry conference, the company decided ControlScan offered the best PCI compliance scanning program.

“They have a very structured program of trained outbound sales agents along with personalized consulting to assist our merchants in complying with PCI DSS,” says Greenberg. “Other vendors typically did limited outbound sales with no technical support to the merchant.”

In addition to offering the quarterly network scans, mandated by PCI DSS, ControlScan offers an automatic submission solution, for merchants sending the 12-section PCI Self-Assessment Questionnaire.  

ISO

e-Online Data is a credit card processor, offering merchant solutions for Internet, Mail Order and Auction sellers. They service e-commerce merchants ranging from startups to billion-dollar companies, according to their Web site.

At the bottom of the e-Online Data homepage, there is a sentence that reads, “e-onlinedata is a registered ISO/MSP of HSBC Bank USA, National Association, Buffalo, NY”

In this model, HSBC Bank USA is the actual acquiring or ‘member bank’, and e-Online Data is considered an ISO.

The partnership between acquirer, member bank, ISO, third party ASV and merchant looks like this:

Who is the acquirer?

It’s a basic question, yet for merchants new to PCI compliance in general, the name ‘acquirer’ may mean several different things.

For some, it means the ‘acquiring bank,’ which is also known as the ‘member bank.’ The member or acquiring bank is the bank that underwrites and issues the credit card from the card associations to acquirers and ISOs. The member bank is just that: a member of the card association-the card association that gives it’s approval and permission for that bank to issue cards with the Visa, MasterCard, Discover or American Express logo.

But an ‘acquirer’ usually refers to the entity-usually a credit card processor–that provides credit card processing services for Visa, MasterCard, AmEx and Discover receipts collected by merchants, directly or through an affiliated ISO.

Moreover, another layer of merchant confusion comes in because there are times when an ISO is considered an acquirer as well, or, in the case of a company like North American Bancard, a Super ISO-an entity that takes the liability responsibility on, that the acquirer would usually take on for the ISO.

The member bank/acquiring bank receives funds from a cardholder when a credit card transaction is completed, and deposits the payment amount, minus any fees, into the merchant’s Merchant Account and from there into his business checking account. From a merchant perspective, knowing the acquirer may be a rather confusing question to even ponder, but it falls to the acquirer to make sure merchants, no matter their level, become compliant. With these new directives in place, it’s incumbent upon the acquirers take their own steps to ensure that they understand what their merchants, ISOs and, in some cases, third party vendors need and to make their merchants understand the PCI compliance process completely.

ISOs and the acquirer

According to an article entitled, “PCI Demands the Attention of Acquirers Now More than Ever Dramatic Non-Compliance Puts ISOs and Acquirers at Risk,” in the May 2007 online edition of “The Exchange” newsletter from the Strawhecker Group-a management consulting company focused exclusively on the merchant acquiring sector of the payments Industry-the relationship between an ISOs and acquirers is very important.

“The liability for non-compliance, when a merchant is breached and/or compromises sensitive data, lies on the acquiring institution; typically, this is passed on to the ISO providing Merchant Services and by that ISO onto the merchant themselves,” wrote Cliff Gray, a PCI expert and associate with The Strawhecker Group.

“Considering that the vast majority of Tier 4 merchants are signed by ISOs, it’s imperative that these ISOs take a stronger stance at ensuring their merchants comply.”

To strengthen the alliance between the ISO and acquirer, Gray offered the following step for moving toward PCI compliance.

“ISOs should carefully review their contract(s) with their sponsor acquirer, to understand exactly what liability they bear upon the event of a merchant breach.”

Greenberg and Richard Stanton, chief technology officer and founder of ControlScan -a leading PCI assessor, who works with US acquiring institutions, merchants, ISOs, weighed in on certain steps that acquirers should take in order to facilitate PCI DSS Compliance for their merchants.

Source: http://www.pcicomplianceguide.org/pcidss/pcidssi-iso-acquirer.html

Aggregation: ParagonHost, LLC http://www.ParagonHost.com/intro.html

“World Class Internet Services”

Merchant Services: Paragon Authrorize: http://www.ParagonAuthorize.com

For Level 4 merchants-brick and mortar or e-commerce sites with Less than 20,000 V/MC e-commerce transactions annually, and all merchants across channels up to 1,000,000 VISA transactions annually-understanding and following the rules of PCI compliance has been murky journey at best.

Despite the copious documentation available at the PCI Security Standards Web site, for many merchants, especially Level 4 merchants, knowing how to introduce and maintain a PCI compliance program is proving to be a puzzling endeavor.

It’s critical that acquirers maintain active and open communication of all policies and procedures with merchants, member banks and the card associations.

Acquirers are the new gatekeepers for PCI compliance information for merchants, but they also serve as information convergence points for card issuers and for third party vendors like ASVs.

It’s up to the acquirers, according to PCI Standards and Security Council, Visa and MasterCard, to ensure that their merchants follow the procedures for compliance.

For acquirers who are not vigilant about merchant compliance, the fines for non-compliance will be steep. Acquirers, whose Level 1 and 2 merchants are not compliant, will be fined between $5,000 and $25,000 a month.

Whether they wish to take on the gate-keeper role or not, Acquirers must step up to the plate, answer and clarify questions that merchants have, concerning the PCI process, or they face the consequences.

According to some merchants, and those working for merchants, how much involvement an acquirer has with the merchant, or the information that is given to the merchant by that acquirer, depends on the acquirer. The acquirer’s information is directly linked to the particular credit card brand’s rules, as well as PCI DSS guidelines. If there is little or no communication between the merchant, acquirer and the card brand, problems begin to accrue.

“The fact that the five major brands have agreed on a single standard is good. Unfortunately, due to federal laws, they do not have full freedom to agree on implementation standards,” said Ron Greenberg, COO of merchant acquirer, PowerPay, LLC.

Based in Portland, ME, PowerPay works with merchants across the US, from retailers, restaurants to convenience stores, all through it’s ‘member bank’ HSBC, and whose business partners include companies like Time Warner Cable, and The California ISP Association.

According to Greenberg, the different credit card brands introduce a whole new level of confusion for merchants and acquirers alike, when it comes to PCI compliance.

“For instance, Visa has defined four levels of compliance for merchants along with a set of fines and penalties,” he explained.

“MasterCard has a different set of rules as well as reporting requirements. Multiply this by five and it creates a mess of rules and compliance issues we need to track.”

When asked, bluntly, whether he felt PCI DSS was going to help or hinder acquirers, his answer was just as blunt.

“They [PCI guidelines] are a necessary evil. Any time you add more procedures it is a headache. Will it help? In the long run it should. But everyone must realize it will not solve the problem.”

Some merchants and employees of merchants, who are charged with facilitating the merchant acquirer relationship, seem to add credence to Greenberg’s assertions.

“I have the feeling, although I can not substantiate it to any degree, that the requirements a merchant is under (particularly absolute compliance dates) varies depending on which Acquirer you are going through,” posted Information Security Manager Andrew Mason, on a PCI Compliance Web forum, recently.

Mason, who works for a merchant company in Spain, is paired with an acquirer based in the United Kingdom; an acquirer that isn’t offering the kind of support he thinks is needed. As well, the answers he’s receiving from the credit cards, themselves, have been nebulous, at best.

“Visa seems happy as long as you can prove ‘progress’ in your PCI Compliance project,” commented Mason. “MasterCard appears to be less clear on the various aspects of compliance, particularly the dates.”

He continued, “I asked a question in a webinar recently which was joint hosted by MasterCard. The question was directed to the MasterCard rep. who was VP of something or other to do with PCI / Compliance. The question was, ‘when is the absolute deadline date for compliance?’ “

“The answer? Any guesses? ‘Speak to your Acquirer’”

 Source: http://www.pcicomplianceguide.org/pcidss/iso-acquirer.html

Aggregation: ParagonHost, LLC http://www.ParagonHost.com/intro.html

What Is DNS?

• DNS is a distributed database that is the default naming system for IP-based networks. DNS names are user-friendly, which means that they are easier to remember than IP addresses.
• DNS names remain more constant than IP addresses.
• DNS is used to resolve computer names to an IP address and to locate computers within local networks as well as on the Internet.
• Host names refer to specific computers on the Internet or a private network. A host name is the leftmost portion of a fully qualified domain name (FQDN), which describe the exact position of a host within the domain hierarchy (Example: spiceworks.rocks.com).

How DNS Works In Theory

Domain names, arranged in a tree, cut into zones, each served by a nameserver. The domain name space consists of a ‘tree” of domain names. Each node or leaf in the tree has one or more resource records, which hold information associated with the domain name. The tree sub-divides into zones. A zone consists of a collection of connected nodes authoritatively served by an authoritative DNS nameserver. (Note that a single nameserver can host several zones.) When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority, he or she can delegate control to the other administrator. This splits a part of the old zone off into a new zone, which comes under the authority of the second administrator’s nameservers. The old zone ceases to be authoritative for what goes under the authority of the new zone. A resolver looks up the information associated with nodes. A resolver knows how to communicate with name servers by sending DNS requests, and heeding DNS responses. Resolving usually entails iterating through several name servers to find the needed information. Some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursing name server to perform the work of finding information for them.

Types Of DNS Records

• An A record or address record maps a hostname to a 32-bit IPv4 address.
• An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address. (Spiceworks does not work with Ipv6 at this time)
• A CNAME record or canonical name record is an alias of one name to another. The A record to which the alias points can be either local or remote - on a foreign name server. This is useful when running multiple services (like an FTP and a webserver) from a single IP address. Each service can then have its own entry in DNS (like ftp.example.com. and www.example.com.)
• An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
• A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa. domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.
• An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Delegations depend on NS records.
• An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
• An SRV record is a generalized service location record.
• A TXT Record allows an administrator to insert arbitrary text into a DNS record. For example, this record is used to implement the Sender Policy Framework and DomainKeys specifications.
• NAPTR records (”Naming Authority Pointer”) are a newer type of DNS record that support regular expression based rewriting.

Other types of records simply provide information (for example, a LOC record gives the physical location of a host), or experimental data (for example, a WKS record gives a list of servers offering some well known service such as HTTP or POP3 for a domain). When sent over the internet, all records use the common format specified in RFC 1035 shown below.

POP3 SMTP Mail Servers for popular Internet Service Providers

1&1 incoming mail server: pop.1and1.com
1&1 outgoing mail server: smtp.1and1.com
View 1&1 internet services – Domain, Web Hosting, Servers …

Adelphia Cable incoming mail server: mail.adelphia.net
Adelphia Cable outgoing mail server: mail.adelphia.net

Ameritech (SBC Yahoo!) incoming mail server: pop.ameritech.yahoo.com
Ameritech (SBC Yahoo!) outgoing mail server: mailhost.det.ameritech.net

AT&T WorldNet incoming mail server: postoffice.worldnet.att.net
AT&T WorldNet outgoing mail server: mailhost.worldnet.att.net

AOL outgoing mail server: smtp.aol.com

Bell Atlantic incoming mail server: pop.bellatlantic.net
Bell Atlantic outgoing mail server: gtei.bellatlantic.net

BellSouth incoming mail server: mail.bellsouth.net
BellSouth outgoing mail server: mail.bellsouth.net
View BellSouth internet services – Fast DSL …

BlueLight incoming mail server: mail.bluelight.net
BlueLight outgoing mail server: smtp.bluelight.net

Cableone incoming mail server: mail.cableone.net
Cableone outgoing mail server: authmail.cableone.net

Charter incoming mail server: pop.charter.net
Charter outgoing mail server: smtp.charter.net
View Charter internet services – Digital TV, Cable Internet, Telephone

Comcast incoming mail server: mail.comcast.net
Comcast outgoing mail server: smtp.comcast.net
View Comcast internet services – High Speed Digital Cable Internet …

Compaq.net incoming mail server: pop3.compaq.net
Compaq.net outgoing mail server: smtp.compaq.net

Compuserve incoming mail server: pop.compuserve.com
Compuserve outgoing mail server: smtp.compuserve.com

Concentric incoming mail server: pop3.concentric.net
Concentric outgoing mail server: smtp.concentric.net

Cox Central incoming mail server: pop.central.cox.net
Cox Central outgoing mail server: smtp.central.cox.net

Cox East incoming mail server: pop.east.cox.net
Cox East outgoing mail server: smtp.east.cox.net

Cox West incoming mail server: pop.west.cox.net
Cox West outgoing mail server: smtp.west.cox.net

Cypress Communications outgoing mail server: smtp.cypresscom.net

Dotster incoming mail server: pop.registerapi.com
Dotster outgoing mail server: smtpauth.registerapi.com
View Dotster internet services – Domains, Hosting, SSL …

EarthLink incoming mail server: pop.earthlink.net
Earthlink outgoing mail server: mail.earthlink.net, smtpauth.earthlink.net

GoDaddy incoming mail server: mail.godaddy.com
GoDaddy outgoing mail server: use your ISP’s SMTP mail server
View GoDaddy internet services – domains, hosting, SSL …

Google GMail incoming mail server: pop.gmail.com
Google GMail outgoing mail server: smtp.gmail.com

HughesNet incoming mail server: mail.hughes.net
HughesNet outgoing mail server: smtp.hughes.net
View HughesNet internet services – Satellite High Speed Internet

Internet America incoming mail server: pop3.airmail.net
Internet America outgoing mail server: mail.airmail.net

IX Web Hosting incoming mail server: pop.ix.netcom.com
IX Web Hosting outgoing mail server: smtp.ix.netcom.com
View IX web hosting services

Juno incoming mail server: pop.juno.com
Juno outgoing mail server: smtp.juno.com
View Juno internet services – High Speed Internet …

Lycos incoming mail server: pop.mail.lycos.com
Lycos outgoing mail server: smtp.mail.lycos.com or your ISP’s SMTP

Mac.com incoming mail server: mail.mac.com
Mac.com outgoing mail server: smtp.mac.com

Mail.com incoming mail server: pop1.mail.com
Mail.com outgoing mail server: use your ISP’s SMTP mail server

Mediacom incoming mail server: mail.mchsi.com
Mediacom outgoing mail server: smtp.mindspring.com

Mindspring incoming mail server: pop.mindspring.com
Mindspring outgoing mail server: smtp.mindspring.com

Mpower Communications incoming mail server: pop.mpowercom.net
Mpower Communications outgoing mail server: smtp.mpowercom.net

MSN incoming mail server: pop3.email.msn.com
MSN outgoing mail server: smtp.email.msn.com
(cannot send pop3 email from other domains)

Netscape incoming mail server: pop3.isp.netscape.com
Netscape outgoing mail server: smtp.isp.netscape.com

NetZero incoming mail server: pop.netzero.net
NetZero outgoing mail server: smtp.netzero.net
View NetZero internet services – HiSpeed Internet …

PacBell incoming mail server: postoffice.pacbell.net
PacBell outgoing mail server: mail.pacbell.net

Pacifier outgoing mail server: smtp.pacifier.com

PeoplePC incoming mail server: pop.peoplepc.com
PeoplePC outgoing mail server: smtpauth.peoplepc.com
View PeoplePC internet services – High Speed Internet …

Pipeline incoming mail server: pop.pipeline.com
Pipeline outgoing mail server: smtp.pipeline.com

Prodigy incoming mail server: pop.prodigy.net
Prodigy outgoing mail server: smtp.prodigy.net

RLWD Web Services incoming mail server: mail.yourfulldomainname
RLWD Web Services outgoing mail server: smtpout.secureserver.net
View RLWD Web Services internet services – Domain, Hosting, Marketing …

Rediff incoming mail server: pop.rediffmailpro.com
Rediff outgoing mail server: smtp.rediffmailpro.com

SBC Global Ameritech incoming mail server: pop.ameritech.yahoo.com
SBC Global Ameritech outgoing mail server: smtp.ameritech.yahoo.com

SBC Global Flash incoming mail server: pop.flash.yahoo.com
SBC Global Flash outgoing mail server: smtp.flash.yahoo.com

SBC Global NVBell incoming mail server: pop.nvbell.yahoo.com
SBC Global NVBell outgoing mail server: smtp.nvbell.yahoo.com

SBC Global Pacbell incoming mail server: pop.pacbell.yahoo.com
SBC Global Pacbell outgoing mail server: smtp.pacbell.yahoo.com

SBC Global Prodigy incoming mail server: pop.sbcglobal.net
SBC Global Prodigy outgoing mail server: smtpauth.prodigy.net

SBC Global SNet incoming mail server: pop.snet.yahoo.com
SBC Global SNet outgoing mail server: smtp.snet.yahoo.com

SBC Global SWBell incoming mail server: pop.swbell.yahoo.com
SBC Global SWBell outgoing mail server: smtp.swbell.yahoo.com

SBC Global Wans incoming mail server: pop.wans.yahoo.com
SBC Global Wans outgoing mail server: smtp.wans.yahoo.com

SBC Global Yahoo! incoming mail server: pop.sbcglobal.yahoo.com
SBC Global Yahoo! outgoing mail server: smtp.sbcglobal.yahoo.com

Seanet incoming mail server: pop.seanet.com
Seanet outgoing mail server: mx.seanet.com

ServNet outgoing mail server: mx.serv.net

SpeakEasy incoming mail server: mail.speakeasy.net
SpeakEasy outgoing mail server: mail.speakeasy.net

SprintPCS incoming mail server: pop.sprintpcs.com
SprintPCS outgoing mail server: smtp.sprintpcs.com

Sprynet incoming mail server: pop.sprynet.com
Sprynet outgoing mail server: smtp.sprynet.com

Starpower incoming mail server: pop.starpower.net
Starpower outgoing mail server: smtp.starpower.net

The River outgoing mail server: mail.theriver.com

Time Warner – Road Runner
Server names change regionally.
View Time Warner internet services – Digital Cable, High Speed Internet

For example, in South Carolina, use
incoming mail server: pop-server.carolina.rr.com
outgoing mail server: smtp-server.carolina.rr.com

For example, in Southern California, use
incoming mail server: pop-server.socal.rr.com
outgoing mail server: smtp-server.socal.rr.com

View more Time Warner – Road Runner pop3 and smtp mail servers

Toucan incoming mail server: pop3.toucansurf.com
Toucan outgoing mail server: smtp.toucansurf.com
View Toucan UK internet services – Dialup, Broadband, Mobile …

USA.net incoming mail server: pop.netaddress.com
USA.net outgoing mail server: smtp.postoffice.net

Verizon incoming mail server: incoming.verizon.net
Verizon outgoing mail server: outgoing.verizon.net
View Verizon internet services – Broadband DSL, FiOS (Fiber Optic Service)…

View more Verizon pop3 and smtp mail server information

VisiNet incoming mail server: pop.visinet.net
VisiNet outgoing mail server: smtp.visinet.net

WildBlue incoming mail server: mail.wildblue.net
WildBlue outgoing mail server: mail.wildblue.net
View WildBlue internet services – Satellite Speed Internet …

WHRO.net incoming mail server: mail.whro.net
WHRO.net outgoing mail server: mail.whro.net

Yahoo incoming mail server: pop.mail.yahoo.com
Yahoo outgoing mail server: smtp.mail.yahoo.com
View Yahoo! internet services – Domains, Web Hosting …

• The need to route traffic between the ever increasing number of networks

Why do I want a MAC address?

When computers talk over TCP/IP or UDP/IP the computers whom wish to speak to the destination IP computer ARP for the destination computer’s MAC address. The TCP/IP implementations require the IP to MAC translation and in reverse (RARP). This is the only way data gets transferred over the internet, by going through the layers from layer 7 to layer 1 and back. Hence when you send a packet to an IP address, the Network layer finds the destination MAC and sends the packets to that MAC address. In a LAN setting, you usually hit the destination ethernet card yourself through maybe some switches or hubs. In an internet setting, you go through various routers which do some analysis of TCP/IP headers and it finally arrives at the destination ethernet card. You must realize that every ethernet card in the world has a unique MAC address.

When you are a Winsock programmer dealing exclusively with sockets, I doubt you would care what the MAC addresses of the related NICs (Network Interface Card) are because you would never need to know about them. This is a low level issue which one needs not be exposed to in a network programming environment.

There are specific reasons why you may need to know the MAC address. Personally I had to write the Media Access Control Layer in an HDL language at one point. I had hard coded the FPGA to a certain MAC and created a static ARP so that I could write sockets software on my PC which would send UDP packets to my MAC. The MAC would then decipher and verify the checksum, and CRC of the UDP and MAC packets. It would then take the payload and forward it along to an RS232 interface. The RSR232 interface was connected to a Bluetooth device via RFCOMM. Your reason for knowing a MAC address may be different.

We will deal with enumerating the MAC address of all the NICs in your computer in a Windows environment.

Deciphering the 48-bit MAC address

The 48-bit MAC address is a globally unique identifier. Each ethernet card in the world has a unique MAC address. The first 24 bits correspond to the Organizationally Unique Identifier. The second 24 bits is administered by the company or organization that the OUI has been assigned to. You will notice that all 3Com cards, for example, will have the same OUI, the first 3 octets in a MAC address.

How do I get a MAC address via command line?

Okay, there are several command line utilities to get your MAC address. The first one that comes to mind is GetMAC. Simply open a command prompt and type GetMAC and it will return your 48-bit MAC address in the following format:

Physical Address   Transport Name ================== ==================================================== 00-40-CA-B5-5B-06  \Device\Tcpip_{B249BB63-9574-4061-817A-D62E1D12072F}

The next method of doing it is writing IPCONFIG /ALL, this will also get all the MAC addresses of your ethernet cards along with all the IP addresses setup for each ethernet card. Information such as your Gateway, WINS server, DNS server, subnet mask, and all the IPs associated with your each NIC.An interesting way to discover what MAC addresses you know of other people on your network is to type ARP -a in a command prompt and you should get a listing that is similar to this.

Interface: 192.168.1.102 — 0×2   Internet Address      Physical Address      Type   192.168.1.1           00-20-78-d9-5c-b3     dynamic   192.168.1.100         00-50-ba-b3-55-ec     dynamic   192.168.1.101         00-a0-cc-7a-7d-6d     dynamic