Friday, August 24, 2012

Security Metrics a scam?

I make websites. I don't accept credit cards and I'm happy to receive your company check.

But some of my websites do accept charges over the Internet and one such was completed two years ago in the fall. I got a telephone call from Security Metrics, saying my website failed their scan and that I had to make sure that I was compliant.

I thought what I was doing was providing a service to my customer, so I complied with their wishes, answered their questions and upgraded some of the code on my web server. (Please note that I made no changes to the website code itself; I only upgraded the server to a newer version of the database software, which the website did not use, and of the processing code that the website did use.)

Security Metrics just cold-called one of my clients. They told them that they had to be certified and had to have their website certified as well. My client does not take credit cards over the Internet and, I suppose, will take them by phone, or will swipe them for services rendered. My client is strictly business-to-business and does no retail. They install and service conveyor systems and they're really good.

My client asked me to put a Security Metrics logo on their website with a link that certifies that they are compliant. After immediately complying with my client's wishes, I told them the following:

You are not accepting credit cards over your website, so a website scan is about as useful as hair on a tree branch. You (your company) have passed their questionnaire, so, given that you take credit cards by telephone, you're doing the right thing and your bank will assign you a low risk. That may result in a lower rate paid for credit cards. It also may not matter.

I believe that, unless you have to pay a higher rate for credit cards due to your bank's insistence that you do, the money paid to Security Metrics is worthless, useless and a complete and utter waste. They have charged me for "compliance" and I don't take credit cards, though some of the companies I do work for do.

I don't like Security Metrics. I think they're just shy of a scam operation. Your relationship with your credit card processing company ought not to be farmed out to a third party.

So what should you do if you're on a website with this logo?

I believe their questionnaire and their scan will tend to indicate that the company in question is safe. But it also may well indicate that the company was easily duped by their sales team, which will charge them an annual fee for no additional security at all, other than that provided by the merchant credit card service company with whom they do business. Far more important on a website that takes credit cards is a current security certificate that encrypts all information passed between itself and a bank. And you can tell whether or not a website is safe by simply looking for the locked padlock symbol on your web browser when you are on a page that accepts payments.

You also want to look at the URL on your browser. (URL means Uniform Resource Locator, which is geek-speak for the website's address.) If you are on a secure page, the URL will begin with "https:", which means the site is secure. If the website's security certificate is not valid, your browser will almost always notify you. You should keep your browser up to date and never enter personal information into any website that is not secure.

If you are a company that takes credit cards, whether by card-swipe, by telephone or on a website, and you get a call from Security Metrics, ask for their phone number. Then hang up and contact your merchant credit card acceptance company and ask whether they have asked Security Metrics to call you. If they have, complain. Tell them that you do not want some unverified third party ascertaining your security for a fee.
