800-557-4684
Michael
2013-04-26 06:35:45
Unknown
Security Metrics is a legit company. Every business with a merchant account is required to become and maintain PCI compliance. I work for a payments company that offers PCI certification for free to customers using our merchant account services. Online companies can usually have their PCI compliance certification in less than 5 minutes using our certification software. We are happy to answer any questions you have, even if you are not interested in changing providers.

Michael
(877) 721-4055
Carol
2013-02-26 17:54:38
Unknown
We are a small synagogue. We do not take charge cards on the website. We have maybe one or two fundraisers a year and borrow a wireless from F&M Bank just for a few days. Last year F&M just automatically deducted money to pay Security Metrics; the bank also charges us $20 a month just to be able to borrow the wireless for a few days a year. This year, F&M did not automatically deduct for Security Metrics but Security Metrics did send us a bill via e-mail for $65.00, saying that they will not cover any of our transactions until we pay. Is this necessary????
Adam
2013-02-20 14:31:40
Telemarketer
DO NOT give these guys your charge card number. They will bill you annually as "home improvement" hoping that you won't notice. Legitimate companies do not operate this way. They are parasitic scammers.
amanda
2013-01-03 19:35:18
Telemarketer
This is a total scam. I talked to a Melissa on the phone and questioned her about many things. I said that I needed time to think about it and that I would call her back. I contacted the bank and they said not to pay that we have nothing but troubles. When I tried the number she gave me for her direct line it was disconnected.
John Taylor
2012-05-11 18:49:55
Unknown
Great company this Security Metrics. Would appear this IP address flooded our server with requests: 63.235.131.246, we are talking 50k requests in a short space of time! Crashed the server and site down for four hours!! Great service, crap company. LOOKS VERY VERY SCAMMY TO ME!!!!!!!! Block this IP as soon as you can.
M K
2012-03-28 18:18:37
Unknown
If Security Metrics is a valid company, this company should not be sending out unsolicited emails with the following content below.  I never heard of them before and I definitely will not respond to these types of apparent scam or advertising solicitations.   They try to make it sound like we know who they are and they are waiting for us to "comply."  Come on, show some legitimacy if people are going to defend your company.  You don't approach businesses who have no clue who you are this way.    

THE EMAIL:

Hello Kristin,

Thank you for using SecurityMetrics for your PCI DSS compliance.

After reviewing our records, we noticed you are not currently PCI compliant.

Some acquiring banks or processors charge their merchants a PCI non-compliance fee.  In order to avoid PCI non-compliance fees (if applicable) we recommend that you become compliant as soon as possible.

You need to complete the online questionnaire with a "Passing" status.

To complete the PCI self-assessment questionnaire (SAQ), please log into your account at https://www.securitymetrics.com and click on the take/retake questionnaire link.

For more information regarding the SAQs, please see:
https://www.pcisecuritystandards.org/saq/index.shtml

If you have any questions regarding your scan results or SAQ, contact our Technical Support Department at 801.705.5700 (USA) or 0844 561 1658 (UK), or by email at support@securitymetrics.com.

We appreciate your business.

SecurityMetrics Support Team
Hack Repair and PCI Compliance
2012-02-14 17:04:27
Unknown
Hi folks,
Passing PCI compliance scans from Security Metrics and McAfee Secure is quite possible even on a $3 a month shared hosting account.

http://TVCNet.com web hosting customers routinely pass PCI scans. Just call them and ask them about Security Metrics or McAfee Secure PCI compliance scanning if curious.
Don
2012-01-12 21:26:54
Fax Machine
Wow, I'm surprised at all the shills that replied on this post.  Sounds like Security Metrics employees are busy trying to manage their reputation.

While Security Metrics is not a scam, they are in many ways worse than that.  They are INCOMPETENT.  I work for a web host and I have to deal with these scan "failures" on an ongoing basis.  A few of the failures have been legitimate, but for the most part they are a waste of time and worthless.  

Most recently (today actually) I had 2 of my customers fail for the same reasons.  Seems that while I am running Apache 2.2.21 (the most recent version as of this date), because of a recent exploit I am suddenly expected to perform a side-patch to my apache install.  For anyone who doesn't know what this means, it means modifying the source code and re-compiling.  Um, Yea I don't think so.  Why would I plug in a "patch" that someone came up with before it's been fully vetted.  If they are so concerned about Apache, go complain to Apache about it and get them to release an update, I should not be expected to run beta or worse, untested patches on production boxes.  I could understand if this was a "warning" or a "recommendation" but a failure when I'm already at the most recent version?  I don't think so.

Another scan failure was for JRun that I have installed. Their report referenced 4-5 different security bulletins from Adobe, but when I clicked on them they all went to 404 pages on www.adobe.com. Really? You're going to demand that I fix my server yet your report, which right now is < 24 hours old, can't even contain relevant or even WORKING links?? I won't go into details here, but this too was a false-positive, yet the burden is on me to prove it.

In the past I've had scans performed on one customer that would fail with a server "issue" like apache version and another will pass? Really? I've had customers re-scan with no changes done on my end and failures suddenly disappear, only to re-appear later on for another customer.

I get the concept of PCI Compliance, and I'd certainly welcome it if it wasn't such a moving target. My experience with Security Metrics these past three years has been nothing short of HORRIFIC. They are a joke and their scans are often wrong. You are often reduced to having to get on the phone and explain yourself until they finally say they will apply an "exception" for that failure.
Jake
2011-09-13 17:33:05
Unknown
Wow, another ignorant person. I worked at Security Metrics for over a year and a half and cannot count the number of times I heard that same response. I know for a fact that no one at that company would ever tell you to turn off your firewall, ever, not for any reason. They ask you to whitelist their scanner's IP range. That is not shutting off your firewall, it just allows an exception for only their IP address. Also, their scanners are non-intrusive. Let me say that again, "NON INTRUSIVE." That means that they are not trying to break in; they are asking for permission to scan and can be denied very easily. A $150 dollar router with a simple IDS from Best Buy can block the scan. They do this so as to not cause disruptions in your systems and have as gentle of a scanning process as possible. Saying that blocking the scans means you are secure is the same as a burglar knocking on your door at 5pm and asking to come in. You say no and he leaves and you now think that your home is impenetrable to a robber. Security Metrics also offers in-depth penetration testing and if you think they can't get into your system I would invite you to try having a pen test conducted rather than a non-intrusive external vulnerability scan and see what happens.
CB Inc
2011-08-22 21:47:26
Fax Machine
I keep receiving faxes from these people and I haven't had an account with First Data for three years so I know Security Metrics is soliciting old user data list. I called them to be removed and they just keep over talking me and won't listen. These people are just trying to get money plain and simple. Why wouldn't First Data / Wells Fargo handle this themselves or contact me directly?

I switched to PayPal for credit card transactions.
Sunny Lowe
2011-07-19 22:51:29
Unknown
Well, the technology has finally passed SecurityMetrics.com and they won't even acknowledge it. One of our client's servers uses a payment gateway that requires Security Metrics. We have a Unified Threat Management Gateway between the servers and the internet, which scans and blocks more than 6000 types of attacks.

Today they told us that we have to turn our firewall off so they can scan our servers. Did you hear that right? They want us to turn our security off, so they can test our security.

Right now, they can't penetrate our live systems with their scans, so they fail us. Wow. Their solution is to poke holes in our security so they can scan servers that with the firewalls, are not even vulnerable on the internet, yet they want this done.

Personally, I think the fact that they cannot scan the server is evidence that the security is working. Not sure what I am going to do, but, wow.

We called in and tried to speak with them to let them understand, but we never got through to a network engineer, only a "support professional" who knew nothing.
Ryan
2011-06-16 17:10:08
Unknown
@Matt,

I am interested to know how you are PCI compliant? What knowledge are you basing this off of? What expertise do you have on the subject? Are you an expert on the PCI guidelines and are you technically proficient enough to understand them all? Have you, after firmly understanding all guidelines that apply to your business, set up your processing to encompass them all? Or are you just yet another person who makes a mostly uninformed assumption of something and then takes a staunch, hard-line stance against it? I am assuming, based on experience with dealing with people, that the latter part of my comment is true. You are probably one of those people that think that since their processing company is compliant, that they are as well and that since the hosting company they use is compliant that their site could not possibly have any vulnerabilities.
Ryan
2011-06-16 15:57:31
Unknown
@batman,

Since when is nmap anything other than a port scanning tool? How do you conduct vulnerability tests with nmap? I am really interested to know. Nmap is the port scanner that SM uses to see what services you have open to the public. The vulnerability portion of their tests does not use nmap or anything even console related.
Ryan
2011-06-16 15:52:42
Unknown
SecurityMetrics tests for the complete list of vulnerabilities in the National Vulnerability Database (over 8000 issues) including hundreds of XSS and Database injection vulnerabilities.  Maybe you need to do a little research before you start slamming a legitimate company as some type of scam or questioning their methods of which you know nothing about.
Andrew J
2011-06-06 20:58:03
Unknown
Unknown number to me.
Matt
2011-03-04 01:29:30
Telemarketer
They call me every other week with some new "rep" trying a new angle to have me use their required service as to "ensure I am not charged higher fees and am compliant".  I can assure all here that we as a business are PCI compliant from both our processor, bank, website and any other angle you wish to come from, you most likely are as well.  THIS IS A soft scam of sorts, not blatantly illegal as of yet but will fall to investigation soon enough.  !#gabe if you indeed have spoken to the CEO, maybe you could post his info here so every business that is harassed by these idiots can call him weekly and offer a useless service to him.
Bitter Business Owner
2011-01-12 20:05:52
Unknown
Really? Someone that knows too much? Ever heard of "spell check"? Let's not be ignorant, this IS a scam to collect from the small businesses, as usual - we end up taking the hit for all!
Greg
2010-10-27 18:20:18
Unknown
FYI, I am an owner of a PCI DSS compliance company.
It is certainly a valid product or I would not have gone into the business.
The problem is that Security Metrics gives the product to First Data, who marks it up and pushes it out to the ISO, who then marks it up and makes the Merchant pay.
I have seen the cost marked up from 100% to 500%. I can assure you Security Metrics is not charging the 150.00.
Joe
2010-08-17 00:02:38
Unknown
Wow. Support Security Metrics for people who can not spell!
TheOneWhoKnowsToMuch
2010-08-06 22:59:03
Unknown
The bottom line is that SecurityMetrics is offering a legitimate service for people who need to have it done. In my experience with them I have had no problems with their scans telling me what was wrong with my site. Their support team is helpful and kind. The thing that all of the merchants who are posting on this need to understand is that the PCI "http://en.wikipedia.org/wiki/Payment_card_industry" are requiring this of merchants, not SecurityMetrics. This is a necessary act for our customers to understand that we are running a legit business. SecurityMetrics has done this for me.

Don't you want your customers to have the confidence in your company to say "I know I can trust them with my information because they have taken steps to ensure that"? I want to challenge anyone questioning this company to go to a web site called "google" and do some research. Most of the "scam" articles you find will be of people who are too angry and bitter towards "the man" to really get down and understand what they need to do!
webmaster
2010-04-06 21:03:17
Unknown
Explain why securitymetrics post scans my client's web site(s) and they aren't even customers of securitymetrics. Then they send my client an email saying that they have found exploits. If they port scan me I block them as I would anyone who port scans my system. I consider them hackers. BYE BYE securitymetrics
Robprotronica
2010-03-25 12:54:10
Unknown
Doesn't matter what software Securitymetrics use to scan sites with. The point is that the Payment Card Industry trust Securitymetrics to say that a scan was completed and no serious vulnerabilities found. Which is, I think most people will understand, not the same as me saying I used perfectly good Open Source software to do my own scan and btw everything is fine.

The idea is to have confidence that good basic security measures are really in place. As a merchant I am all for that and as a consumer again I am all for it.
smarter than the average bear
2010-02-17 02:42:22
Unknown
When you get to the bottom line, Security Metrics IS First Data, a real rip-off company. Beware and double check your processing charges as they will slip in unrelated charges and if you notice they apologize and say it was a computer error. Guess what? Their computer erred 17 times in 3 months. Coincidence? I think not.
Chris
2009-12-15 20:52:07
Unknown
"The scans are for ports and typical exploits. They don't mean they are hacker proof. Even if you have "their" seal of approval it doesn't mean your site is safe. You need a real security scan testing for XSS scripting errors as well as SQL injection exploits."

Which SecurityMetrics also does if you are interested.

P.S. To the original post, how would someone know that you gave them the wrong IP address? That sounds like user error on your part, not SecurityMetrics
batman
2009-12-10 20:53:24
Unknown
They scan your systems only using the open source software that anyone can download and use for free. The company uses free software to scan you and charges you a large amount of money to do it. This company will soon be under investigation for many federal violations. Nmap is the main program they use to scan.
suspicious consumer
2009-11-18 11:54:12
Unknown
Sounds like an outright SCAM to me
#!gabe
2009-10-17 14:00:29
Unknown
Except that their scans pick up on both XSS and SQL injection. Along with other common vulnerabilities that crackers can use to exploit and ultimately steal CC data. Anyone who has any issues with Security Metrics, I suggest you go to their site, read their documentation, and I'm sure if you called the sales team there any of their agents would be more than happy to explain to you exactly what they are all about.

And I have spoken with the CEO personally and the guy is an amazing person, very very smart.
Matt
2009-09-24 21:37:10
Unknown
SecurityMetrics is absolutely not a scam. As they are an accredited PCI/DSS vendor through the PCI. Also in most cases they do not charge the merchant for the services but instead are contracted through the merchant's credit card processors and are paid through them.
WhiteHat Hacker
2009-09-16 15:53:15
Unknown
The scans are for ports and typical exploits. They don't mean they are hacker proof. Even if you have "their" seal of approval it doesn't mean your site is safe. You need a real security scan testing for XSS scripting errors as well as SQL injection exploits.
Jim
2009-03-26 18:04:05
Unknown
I have used their service and know that they do not make up scan results. That would be ridiculous.  They have been in the security business since around 2000.  If you fail a scan, then you have a problem.  Just fix it, rescan, and you will be PCI-Compliant.

They have a sample report here:
https://www.securitymetrics.com/results_porta ... 125002&act=View

The reason you get charged for being non-compliant, is that the credit card companies lose money when numbers are lost.  They have turned a blind eye for many years, but with all the defaults on consumer credit rising, they have to reduce expenses.  Which means, push security costs to the merchants.