eCommerce Tycoon

**TWD** · 10-30-2009, 10:06 AM

Ok, so my client is a small business who wants to setup his
business to accept credit card payments on HIS website without
redirecting to a third party like PayPal Standard payments.

In order to do that, what does he need to do?

I read somewhere that since Sep 30th 2009, in order
to accept credit card payments on your website
you need a PCI compliance certificate?
Is this REALLY true or just a way for consultants to scare up
some business.

What costs are involved with PCI compliance.
I think the client will need to buy some special router
hardware, is that right?

**TWD** · 11-02-2009, 01:26 AM

Anybody? Bueller? Bueller?

**chrishirst** · 11-02-2009, 04:16 AM

If you want to accept customers financial information directly and need insurance you don't have a choice.

**TWD** · 11-02-2009, 09:38 AM

Quote:

Originally Posted by chrishirst

If you want to accept customers financial information directly and need insurance you don't have a choice.

But what does it really mean though?
Do you just raise your right hand and say "yes I swear I am PCI compliant" and that's it?

Or is there some kind of audit?
I remember seeing somewhere the option of a "self-audit" (an oxymoron if ever there was one).

**chrishirst** · 11-02-2009, 10:12 AM

http://en.wikipedia.org/wiki/Payment...urity_Standard

I would suggest the unless you are handling hundreds of thousands of dollars/pounds) a merchant account would be a much cheaper option.

The merchant company are the ones who need to meet the compliance standards then.

**TWD** · 11-02-2009, 12:03 PM

So you are saying that if my client has a Merchant account they DONT need to worry about PCI?

Is it even possible to accept credit card payment WITHOUT a Merchant account (forget about PayPal etc)?

I thought the whole point of a Merchant account was that it was the only
way to take CCards and the PCI requirements are still on the merchant.

**chrishirst** · 11-02-2009, 12:09 PM

You only need PCI Compliance if you are reading and/or storing the credit card details.

With a merchant account the account provider is taking the CC info in their secure system.

**TWD** · 11-02-2009, 07:39 PM

So if the client is signed up with say, WorldPay or 2Checkout
they can't just forget about PCI?

Are you saying PCI is only an issue for larger companies WITHOUT Merchant
accounts?

Sorry but this is a bit confusing.

**chrishirst** · 11-02-2009, 07:53 PM

Basically Yes & Sort of

If you want to handle your own collection of CC details (for rebilling or subsequent transactions etc) THEN you need PCI.

Compliance is all about ensuring that only authorised staff have access to CC records and your outward facing system are secure from infiltration

If you NEVER have access to CC details as they pass through the payment process then you don't need PCI.

**TWD** · 11-03-2009, 01:18 AM

Alrighty , that makes sense then.

So in the case of a hotel that accepts peoples credit card details
as a form of collateral for holding a room booking (in some cases the customer later pays by check or cash), they WOULD need to worry about PCI.

On the other hand, for John Doe who sells widgets via his website shopping cart with a 2CheckOut merchant account, he doesn't.

Correct?

**TWD** · 03-13-2010, 08:25 PM

Quote:

Originally Posted by TWD

Alrighty , that makes sense then.

So in the case of a hotel that accepts peoples credit card details
as a form of collateral for holding a room booking (in some cases the customer later pays by check or cash), they WOULD need to worry about PCI.

On the other hand, for John Doe who sells widgets via his website shopping cart with a 2CheckOut merchant account, he doesn't.

Correct?

Anyone got any opinions about whether this is an accurate statement?

**TWD** · 07:25 AM

I've been doing a lot of research on this and think I have a much clearer picture now.

There are a couple of details that have emerged.

As Chris says, if your website never sees the cardholder information (i.e. the transaction is completed on the PayPal website) you are basically in the clear.
When the entire card handling business is outsourced in this way you are SAQ-A under the PCI rules.

If you accept and process credit card details on website (like PayPal Pro) then you are SAQ-C.
A point to note about this is that if you are using a Shared Hosting account you are probably ALREADY breaching PCI. According my own hosting company "SAQ-C compliance can never been achieved on a Shared Host". You should be operating on a dedicated server (expensive, I know!).

If you are storing Credit Card data in electronic format (can't imagine why you would want to) then you are in a world of pain already because you are SAQ-D which has a 200 page list of compliance criteria such as keeping 3 months worth of CCTV surveillance footage and a bunch of other crap that really only Enterprise scale companies have the resources to deal with.

If that isn't enough to make your head spin;
from 1st July 2010 any merchant using a shopping cart system that hasn't been PA-DSS certified will be in breach of SAQ-C or SAQ-D rules (SAQ-A is still sweet since your shopping cart is outside the "scope" of the PCI rules if it never sees the card data).

Pretty much anybody taking card data on their shopping carts whether it be open source, home brewed or non-certified commercial needs to think about an exit strategy right now.

At present the only major (affordable) PA-DSS certified shopping cart is Pinnacle.
X-Cart is working towards it but probably won't make the 1st July deadline.
Magento Enterprise is already there but at 9,000 bucks per year it's not feasible for small / medium business.

PayPal Standard / Google Checkout / Amazon Payments are looking better by the day?

Check out page 28 of this PDF doc for a diagramatical summary
https://www.pcisecuritystandards.org...uick_guide.pdf

and this 7 page White Paper by PayPal themselves basically encouraging developers to encourage CLIENTS
to move across to either PayPal Standard or PayPal Express.
http://cms.paypal.com/cms_content/CA...WhitePaper.pdf

**legallink** · 03-18-2010, 08:16 AM

Sorry I am late in responding....short answer is that PCI has been developed to adjust for businesses of all sizes. But yes, shared hosting is just out......accepting and storing credit cards should be done by a 3rd party if possible for a small business, but this doesn't waive PCI compliance, it just means that your requirements for compliance are less.

**TWD** · 02:39 AM

Quote:

Originally Posted by legallink

.....accepting and storing credit cards should be done by a 3rd party if possible for a small business, but this doesn't waive PCI compliance, it just means that your requirements for compliance are less.

If you are already a credit card accepting store owner - correct.
You still have to fall in line with PCI compliance.
Even if you only do one credit card transaction a year.
Even if you have just an abacus and a credit card imprint swiper i.e. no website.

BUT if you are NOT a credit card accepting store owner, then
outsourcing means you DONT have to worry about PCI.

**M_wb360** · 03-25-2010, 07:08 PM

Should be an interesting read for folks who collect payments on their websites...

PCI Myths (Source: PCI Security Standards Council – PCI SSC)
http://www.cresecure.com/pages.php?CDpath=20_22