Have an online store? What you need to do by July 1.
PCI Compliance – a set of security rules set down by the credit card companies for businesses that deal with credit cards – started back in 2004. But there’s a new deadline looming that’s catching many e-commerce merchants off guard.
What’s changing?
Starting on July 1st of this year, any code that touches a credit card must be PCI compliant – not only compliant, but certified as compliant.
Until recently, not storing credit cards, encrypting credit card information (through a secure certificate) and sending the information directly to a Gateway such as Authorize.net for final processing has been regarded as a secure setup. As of July 1st, though, the requirement now includes the security of your shopping cart.
Your shopping cart must be certified as PCI compliant, or you have to find another way of processing credit cards. And the list of certified carts is very short – chances are your cart isn’t on the list. Check the PCI Security Standards Council site (filter by application type: Shopping Cart).
What’s the solution if your cart isn’t compliant?
You can check with the provider and see if they plan on obtaining certification soon. But if you’re a small to medium-size business using an inexpensive or open-source cart, they probably won’t be. Certification is prohibitively expensive for most small cart providers.
The safest and probably cheapest solution is to change your payment processing. You can keep your current cart, but change where the credit card information is collected – outsource that part of the process.
Be sure to look for payment processors that are themselves compliant – that information should be on their site. Paypal is a well-known solution that’s PCI compliant. Another alternative is Authorize.net. Since Authorize.net is one of the most used gateways, there’s a good chance that you’re already using it. If you’re now collecting the credit card information on your site and sending it to Authorize.net, you can have a programmer switch you to Authorize.net’s server integration method (SIM). With this method, all the credit card information is taken at the Authorize.net site, so they’re responsible for security.
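To make the "outsource the card collection" idea concrete, here is an added example (my own illustration, not code from this article or from Authorize.net or PayPal). It shows the shape of a hosted-payment redirect: the cart posts only order data to the gateway's hosted page, signs those fields so the amount cannot be altered in the browser, and verifies the gateway's signed result before marking the order paid. The gateway URL, field names, keys and signing scheme are hypothetical placeholders; Authorize.net's SIM uses its own field names and fingerprint format, so follow the gateway's current documentation for a real integration.

```python
import hashlib
import hmac
import time

# Constructed placeholders: real values come from the gateway's merchant portal.
MERCHANT_LOGIN = "merchant-login-placeholder"
SIGNING_KEY = b"transaction-key-placeholder"
HOSTED_PAY_URL = "https://gateway.example/hosted-payment"  # hypothetical URL

# Fields that are cardholder data; the cart must never see these once
# card entry is moved to the gateway's hosted page.
CARDHOLDER_FIELDS = {"card_number", "cvv", "exp_date"}

def sign_fields(fields, key, names):
    """HMAC over the named fields joined with '^' (constructed scheme)."""
    message = "^".join(str(fields[name]) for name in names).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def build_checkout_post(order_id, amount, timestamp=None):
    """Fields the cart puts in the form that posts to the hosted page.

    Only order data is included: the shopper types card details on the
    gateway's page, so this code path never handles a card number.
    """
    ts = int(timestamp if timestamp is not None else time.time())
    fields = {
        "login": MERCHANT_LOGIN,
        "sequence": order_id,
        "timestamp": ts,
        "amount": f"{amount:.2f}",
    }
    fields["fingerprint"] = sign_fields(
        fields, SIGNING_KEY, ("login", "sequence", "timestamp", "amount"))
    return fields

def touches_cardholder_data(fields):
    """True if a request carries card data (i.e. the code is in PCI scope)."""
    return bool(CARDHOLDER_FIELDS & set(fields))

def verify_gateway_response(response, key=SIGNING_KEY):
    """Check the gateway's signature on its result before trusting it.

    Without this check a client could post a forged 'approved' result to
    the cart's return URL.
    """
    expected = sign_fields(
        response, key, ("login", "sequence", "amount", "response_code", "trans_id"))
    return hmac.compare_digest(expected, response.get("signature", ""))

def make_signed_response(order_id, amount, response_code, trans_id, key=SIGNING_KEY):
    """Constructed stand-in for the gateway's signed result (for local testing)."""
    response = {
        "login": MERCHANT_LOGIN,
        "sequence": order_id,
        "amount": f"{amount:.2f}",
        "response_code": response_code,
        "trans_id": trans_id,
    }
    response["signature"] = sign_fields(
        response, key, ("login", "sequence", "amount", "response_code", "trans_id"))
    return response

if __name__ == "__main__":
    post = build_checkout_post("ORD-1001", 49.99)
    print("form action:", HOSTED_PAY_URL)
    print("fields sent :", sorted(post))
    print("in PCI scope:", touches_cardholder_data(post))
```

The two checks worth keeping from this pattern are `touches_cardholder_data` (the cart's own request handlers should never see those fields after the switch) and `verify_gateway_response` (an unsigned or unverified "approved" result is as dangerous as handling the card yourself, because it lets anyone mark their own order as paid).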
What else do you need to do?
Figure out what merchant level applies to you – Visa’s site has a clear listing.
Then follow the requirements for your level. Small merchants (< 20,000 transactions), for example, need to fill out the self-assessment questionnaire – and may or may not need quarterly security scans. Check with your merchant bank for specific requirements.
You also need to provide security for credit card numbers you take over the phone or in person.
What are the consequences of non-compliance?
Your merchant bank could decide not to let you process credit cards. If you should happen to experience a security breach (stolen credit card numbers), the credit card company fines could put you out of business. They range from $2000 a day until you’re compliant to $500,000 for a single incident.
A note about our suggestions
There are other ways of dealing with the compliance issue. If your host has great security, you may be able to pass a scan even if your cart isn’t compliant. But as Trust-Guard notes, “it’s important to keep in mind that no matter what your acquirer does or does not recommend that you do in order to be PCI DSS compliant, you could still be financially responsible if something happened.” That is, if there were a security breach with your host between security scans and credit cards were stolen, you might be fined. We don’t like the uncertainty, so we’re recommending a method that protects against that possibility. You could also switch carts, but that’s likely to be a more expensive solution than changing your processing.
Posted under Articles by flojnel
Thank you very much for the heads up on this. Time to get testing
by: steve, May 3rd at 11:59 am
Isn’t forcing code that doesn’t touch the CC itself an unnecessary burden on small businesses for very minimal safety gain?
It seems that way to me.
by: Joe Glenn, May 3rd at 7:08 pm
@Joe: It’s not a recommendation we make lightly, but the cost of changing most cart setups is very small, especially compared to the potential cost of fines.
And new setups can be done this way from the beginning with minimal or no extra cost.
“85 percent of payment card breaches happen in small businesses, 81 percent of companies hit by a breach weren’t PCI compliant, and noncompliance fines range from $5,000 to $25,000 a month for serious breaches.” http://tinyurl.com/235nqkh
If you’re asking if the cc company requirements only produce a minimal safety gain, we’d need a direct look into their data to gauge that.
by: Flo, May 3rd at 7:32 pm