Hi, I’m new to having my own online business and I noticed quite a bit of talk on here about this issue.
I plan on buying CS cart in the next couple months for my online business. I would like to know if there is anything I need to do or worry about with this issue, I had never even heard of it before I came onto this site. First a little info about my site and business.
CS Cart will be the shopping cart
Go Daddy is the host
I will buy a SSL
I will probably use Authorize.net
I will have between 5 and 25 transactions a day, I doubt any more than that at least for the 1st year of business.
PCI Compliance is something that you should fully research for yourself, just like income tax preparation, there are always differences in an individual’s interpretation! If you do a google search for “PCI DSS” you will find plenty of information.
I will note that having a PCI DSS compliant shopping cart is really only one piece of the overall picture. My bet is that alot of shopping cart companies will not waste the money on obtaining “official” PCI DSS Certification because regardless of whether the cart is “Certified” or not, us business owners will still be required to meet all of the same requirements and must pass the security scans, etc. I now believe that as long as CS-Cart has all of the implementations in place for us to pass the upcoming (July) security scans, then that should be just fine.
Here is a basic overview of what will be required (alot will be dependant upon the volume of credit card business being performed):
What does PCI DSS compliance entail?
A: PCI DSS compliance consists of twelve requirements as follows:
Install and maintain a firewall configuration to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security
I laugh to my self when reading this as it is mostly very basic common sense business practice that many of us have already been practicing for years!
I was reading on authorize.nets site yesterday that if you have under 20k transactions a year it is just recommended not required that you are pci compliant?
Can you post a link to where you read that informaton on Authorize.net’s site? I use them for my processing and would like to read that if they have it written on their site.
I don’t know if I fully agree with not needing to be PCI compliant with authorize.net if you make less than 20,000 transactions per year, but here is what Authorize.net says:
Yo Brandon, it is in the fine print on the right side:
“Note: While compliance is mandatory for Level 4 merchants, validation is optional”
Like I said, just like income tax forms, there will be a variety of different interpretations of this mumbo jumbo…
They can never just say it the way it is, that just would not be confusing enough & we may all be able to figure it out without hiring legal & professional aid!
I agree with you Struck. They aren’t going to make understanding the rules easy.
I’d be pretty willing to bet that they will have exeptions for small businesses like me that don’t do a lot of business. But they aren’t going to spell it out very clearly though.
If they came out an said, “Anybody making less than 20,000 transactions per year doesn’t have to do anything and doesn’t have to worry about this.” than they would make a whole lot less money.
I just can’t imagine that they are going to make every small mom and pop store spend the money to become PCI compliant. You know how much money people like Authorize.net would loose? There would be tons and tons of people just switching over to Paypal just so they don’t have to worry about the scans and all.
Personally, I’m going to make sure I follow what happens, but I’m not going to jump on the band waggon and spend tons of money quite yet.
[QUOTE]That’s close enough to what I’m getting…[/QUOTE]
From one Dude to another!
That truly is awesome Jesse, congratulations!
It is nice to know that some of your fellow CS-Carters are doing quite well, and even more so in the midst of the wildest recessionary ride I will ever be on!
It is nice to know that some of your fellow CS-Carters are doing quite well, and even more so in the midst of the wildest recessionary ride I will ever be on! :D[/quote]
I ain’t making the money, just facilitating the ability to make that much money :P)
CS-Cart claims to be PCI DSS Compliant. So all you need to do now is make sure your host is PCI DSS Compliant. I’m not sure GoDaddy is… by default anyway. You’ll also need to set CS-Cart options to NOT store credit card details.