eCommerce Tycoon

**Learning Newbie** · 11-12-2007, 04:25 PM

No, I'm not talking about ancient personal computer expansion slots. I'm talking about the Payment Card Industry, and the extra legal regulations they've imposed.

To accept payment cards like ATM and Credit, a merchant has to secure the data. Not just against people typing random numbers into your site, MasterCard doesn't care if you have to eat a sale, but against hackers getting your database. The new rules are so stringent your backups need to be encrypted. Not only that, but the burden of proof rests with the merchant. If somebody manages to steal consumer data, the merchant has signed a contract (allowing them to take CC payments) which authorizes a $100,000,000.00 US Dollar fine. If you've already proven compliance (with a 3rd party audit) the fine is waved. I don't know about you, but I can find better things to spend a hundred mil on!!

How do I know this boring junk? One of our clients learned they have to meet a higher standard than they expected. They've taken their site offline, and they're loosing thousands a day. I just about passed out when I heard about this.

Good news is if you're not accepting the cards yourself, if you have a intermediary payment processor, chances are they're already PCI compliant. But it's worth it to check. And if you're trying to pick one, this should be on your checklist.

**ADAM Web Design** · 11-12-2007, 04:39 PM

The thing with an intermediary payment processor is that they're required by the banks (at least in Canada) to perform a "full security audit" before approval, which actually consists of some guy that no one has ever heard of attempting to brute force hack the server without warning. This happened to me about 3 years ago, and my server appeared to allow the hack (they actually hit a custom 404 error page and I had forgotten to put in the 404 Response Status code into it.

I ended up with a 14-page report from the "compliance auditor" with over 100 "serious errors and warnings", of which exactly one was correct (and it was the most minor issue, and one that every ISP had as their default setting as well.)

So yeah, intermediary payment processors are the way to fly.

**Learning Newbie** · 11-12-2007, 04:50 PM

See, our client, who will remain nameless, doesn't use an intermediary. "Why would I pay some jack*** 3 % when I can put it on a under used server?" They have all these custom VB 6 applets that integrate orders, and now they have an auditor forcing them to prove and document that the data is encrypted in flight and at rest. It shouldn't be a surprise that someone with this kind of thinking has a lot of turnover, so naturally the people who wrote the apps aren't there anymore. All in all it's a nightmare for them, and we're making a pretty penny fixing it all up.

Intermediary payment processors charge, but you get what you pay for. In this case it's a shield from liability. We're all getting time and a half to help this company implement a 3rd party payment system and to trace all their data through all their systems and get rid of things that aren't core requirements.

A penny wise and a pound foolish is no way to run a business.

**ADAM Web Design** · 11-12-2007, 06:24 PM

Let me guess...it was also outsourced to a subcontinent where the programmers have their heads up their asses and the cultural and social differences led to a dog's breakfast of code?

**Learning Newbie** · 11-12-2007, 07:20 PM

Good code.