PCI Compliance

Hi, I’m new to having my own online business and I noticed quite a bit of talk on here about this issue.



I plan on buying CS-Cart in the next couple months for my online business. I would like to know if there is anything I need to do or worry about with this issue; I had never even heard of it before I came onto this site. First a little info about my site and business.




  1. CS Cart will be the shopping cart
  2. Go Daddy is the host
  3. I will buy an SSL
  4. I will probably use Authorize.net
  5. I will have between 5 and 25 transactions a day, I doubt any more than that at least for the 1st year of business.

Hello,



PCI compliance is something that you should fully research for yourself; just like income tax preparation, there are always differences in an individual’s interpretation! If you do a Google search for “PCI DSS” you will find plenty of information.



I will note that having a PCI DSS compliant shopping cart is really only one piece of the overall picture. My bet is that a lot of shopping cart companies will not waste the money on obtaining “official” PCI DSS Certification because, regardless of whether the cart is “Certified” or not, we business owners will still be required to meet all of the same requirements and must pass the security scans, etc. I now believe that as long as CS-Cart has all of the implementations in place for us to pass the upcoming (July) security scans, then that should be just fine.



Here is a basic overview of what will be required (a lot will be dependent upon the volume of credit card business being performed):



What does PCI DSS compliance entail?

A: PCI DSS compliance consists of twelve requirements as follows:


  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security



I laugh to myself when reading this as it is mostly very basic common sense business practice that many of us have already been practicing for years! :wink:

[QUOTE]Go Daddy is the host[/QUOTE]



PS: And what is this all about, you can still check out the “WhoBeYourDaddy Girls” even though you use a professional level hosting service! :cool:

I was reading on Authorize.net’s site yesterday that if you have under 20k transactions a year it is just recommended, not required, that you are PCI compliant?







I won’t be anywhere near that level.

Chip,

Can you post a link to where you read that information on Authorize.net’s site? I use them for my processing and would like to read that if they have it written on their site.



Thank you!

I don’t know if I fully agree with not needing to be PCI compliant with authorize.net if you make less than 20,000 transactions per year, but here is what Authorize.net says:







Also the link is:



[url]http://www.authorize.net/resources/pcicompliance/[/url]



Hope it helps,



Brandon

Yo Brandon, it is in the fine print on the right side:



“Note: While compliance is mandatory for Level 4 merchants, validation is optional”



Like I said, just like income tax forms, there will be a variety of different interpretations of this mumbo jumbo… :wink:



They can never just say it the way it is, that just would not be confusing enough & we may all be able to figure it out without hiring legal & professional aid!

I agree with you Struck. They aren’t going to make understanding the rules easy.



I’d be pretty willing to bet that they will have exceptions for small businesses like me that don’t do a lot of business. But they aren’t going to spell it out very clearly though.



If they came out and said, “Anybody making less than 20,000 transactions per year doesn’t have to do anything and doesn’t have to worry about this,” then they would make a whole lot less money.



I just can’t imagine that they are going to make every small mom and pop store spend the money to become PCI compliant. You know how much money people like Authorize.net would lose? There would be tons and tons of people just switching over to Paypal just so they don’t have to worry about the scans and all.



Personally, I’m going to make sure I follow what happens, but I’m not going to jump on the bandwagon and spend tons of money quite yet.



Brandon

Ironic that I now have to worry about this compliance ****…

Thanks for bringing the 20k transactions to light, now it’s time for the auditing to take place :slight_smile:

[quote name=‘JesseLeeStringer’]Ironic that I now have to worry about this compliance ****…

Thanks for bringing the 20k transactions to light, now it’s time for the auditing to take place :)[/QUOTE]



Jesse,



That is what happens when you become a big-hitter, hotdog (& average 55 orders/day x 365 days/yr) ! :smiley:

[quote name=‘Struck’]Jesse,



That is what happens when you become a big-hitter, hotdog (& average 55 orders/day x 365 days/yr) ! :D[/quote]



That’s close enough to what I’m getting… Trying to find a transaction $$ limit since 4m will probably trip the “you need it” sensor

[QUOTE]That’s close enough to what I’m getting…[/QUOTE]



From one Dude to another!



That truly is awesome Jesse, congratulations!



It is nice to know that some of your fellow CS-Carters are doing quite well, and even more so in the midst of the wildest recessionary ride I will ever be on! :smiley:

[quote name=‘Struck’]From one Dude to another!



That truly is awesome Jesse, congratulations!



It is nice to know that some of your fellow CS-Carters are doing quite well, and even more so in the midst of the wildest recessionary ride I will ever be on! :D[/quote]



I ain’t making the money, just facilitating the ability to make that much money :P)

[QUOTE]I ain’t making the money, just facilitating the ability to make that much money :P)[/QUOTE]



Well, in that case this needs to be fixed right away! :smiley:

Yeah… my merchant account vendor is saying, “get compliant or pay us $20/month” starting in MARCH.

[QUOTE]Yeah… my merchant account vendor is saying, “get compliant or pay us $20/month” starting in MARCH.[/QUOTE]



You mean like starting “tomorrow” ? :smiley:

yup… better dig out my wallet!



Then again… if I AM compliant, I still owe them $80 a year. ???

[quote name=‘moka’]yup… better dig out my wallet!



Then again… if I AM compliant, I still owe them $80 a year. ???[/quote]



Yup - I’d prefer to use Authorize.net, I haven’t noticed any increase in fees however I could be wrong.

It’s not the gateway that is charging. It’s the merchant account (first data). Though, I’m sure the gateway will eventually charge too.

CS-Cart claims to be PCI DSS Compliant. So all you need to do now is make sure your host is PCI DSS Compliant. I’m not sure GoDaddy is… by default anyway. You’ll also need to set CS-Cart options to NOT store credit card details.
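The last post's advice (configure the cart so it does not store card details) and requirement 3 in the list above ("Protect stored data") both come down to one verifiable question: is a full card number sitting anywhere in your order data, logs or database exports? The script below is an added example written for this thread, not CS-Cart's own code or anything from Authorize.net. It scans text lines for 13 to 19 digit sequences, strips spaces and dashes, and keeps only those that pass the Luhn mod-10 check, which weeds out order ids and phone numbers that merely look like card numbers. The `SAMPLE_LINES` are constructed for the example and use publicly known test card numbers; the 16-digit `order_id` is deliberately not Luhn-valid.

```python
import re
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of what a cart's order table export or log might contain.
# Card numbers here are well-known test numbers, not real accounts.
SAMPLE_LINES = [
    "order_id=1234567890123456 status=paid total=49.99",            # 16-digit id, fails Luhn
    "customer=jane phone=555-0100 email=jane@example.com",
    "payment card_number=4111111111111111 exp=12/29",               # full PAN stored: finding
    "note: customer read card as 5555 5555 5555 4444 over phone",   # PAN in free text: finding
    "auth_response=approved last4=0005 transaction_id=60012345678", # only last4 kept: fine
]


def luhn_valid(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid card-number-shaped token, with line number."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append({"line_no": line_no, "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in scan_for_pan(SAMPLE_LINES):
        print(f"line {f['line_no']}: possible stored card number {f['masked']}")
```

Run it against a database dump or the cart's log directory (`scan_for_pan(open(path).read().splitlines())`) after switching off card storage; any finding means the setting did not take effect or card numbers are leaking into free-text fields such as order notes, which the list's requirement 3 covers just as much as the dedicated payment column does.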