I recently started working on an eCommerce addition to a site I'm working on. In my research looking for a way to do SSL without a certificate/a free certificate I came across PCI Compliance. I have been reading the PCI DSS Requirements from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf and, to be honest, a lot of this sounds a bit overkill for what I'm doing.

The shop I'm working on will sell around 20 products initially to a very small number of customers. We're using a hosting provider and we are a total of 3 employees at the company at the moment. Is PCI Compliance mandatory or just recommended, and if not mandatory, is it really necessary in this case?

Thanks

  • FYI, PCI-DSS is currently at version 3.0, so you are probably better off downloading the new document. – Gurzo Apr 07 '14 at 12:30

2 Answers

First of all, SSL without a certificate is not possible; don't try to roll your own security because you will fail at it. You might think "hey, how would you not know that I'm actually a very good crypto expert?" Well, because you wouldn't be making such statements.

PCI-DSS is only mandatory if you are processing credit card data. This means that if you accept and store credit card information, you are required to be PCI-DSS compliant. What if you are not compliant? Well, according to this reference:

If you do not meet the PCI standards for compliance and the security of your site gets compromised, you will be facing penalties and fines ranging from $5,000 to $500,000. The fines, however, are just the beginning of the overall damage caused by noncompliance.

If your website or company are not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. You will also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years. The TMF is essentially a BLACKLIST from which it is almost impossible to be removed.

When a merchant is added to the TMF, sometimes called The Match File, their name, business name, business address, and home address are all noted. So, you can’t just apply for a new account under the name of another family member or business partner because it will be seen as the same business and location.

Getting on The Match File is just about the worst thing that can happen to any merchant.

Now, as you read, there is a fine; just FYI, the fine comes on top of all the fraudulent charges (which you will be held accountable for as well).

If you're thinking "how can I make a business if I can't accept credit cards?", quite simply: by using a payment gateway such as PayPal, which takes care of all payments (and thus also takes away your need to be PCI-DSS compliant).

  • Thanks a lot for the answer, cleared up a lot. I have looked into PayPal, but with it not supporting ZAR and the shop being local only (in South Africa) this will not be possible. – Vinc Apr 07 '14 at 12:53
  • It isn't just if you are processing and storing. Simply handling the data is sufficient to require compliance. – AJ Henderson Apr 07 '14 at 15:28
  • PayPal uses callbacks where you only enter information on PayPal's website. The only information you actually send and receive is the amount to be paid and the goods. PayPal will only send you a callback based on paid or not paid and maybe your address information. No card details whatsoever. – Lucas Kauffman Apr 07 '14 at 17:01
  • There are other merchant accounts than just PayPal. Stripe.com has a JS file that will take the CC info and send it directly to them without touching your servers, and then it gives but a CCID to work with. This will allow you to take payments through your own UI without having to regulate the usage and storage of the CC info. – Tony Apr 07 '14 at 20:01
PCI compliance is required if you fall under its provisions. The provisions apply, at varying levels, if you handle payment card information in any way. This includes not only processing and storing the information, but also transferring the information across your servers. If, for example, you took in the payment card information (to your server) and transmitted it directly to a third party processor, even without doing any storage of it, you would still be responsible to implement portions of PCI-DSS.

You can also get more information in your merchant services agreement, which is the document you agree to follow when getting access to process credit card payments on the credit card network.

  • But if your javascript code takes the payment information and sends it to the third party processor without touching your server, you don't need to implement PCI-DSS. – CodesInChaos Apr 07 '14 at 16:01
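The client-side tokenization pattern that Tony's comment on the first answer and CodesInChaos's comment above both describe, as an added example that is not code from this thread or from any processor's SDK. The `processor` object is a constructed stand-in for a real processor's JavaScript library (its `tokenize` API is an assumption), and `containsCardData` is an added Luhn-based guard that checks the request the browser posts to the merchant's own server carries no PAN or CVV, which is the scope boundary both comments rely on.

```javascript
// Luhn check, used here only to recognise PAN-shaped strings (13-19 digits).
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Scope guard: true if any value (recursively) is a Luhn-valid card number
// or any key looks like a card verification code.
function containsCardData(obj) {
  return Object.entries(obj).some(([k, v]) => {
    if (v !== null && typeof v === 'object') return containsCardData(v);
    if (/^(cvv|cvc|cvv2)$/i.test(k)) return true;
    const s = String(v).replace(/[\s-]/g, '');
    return /^\d+$/.test(s) && luhnValid(s);
  });
}

// Constructed stand-in for the processor's client SDK. In a real deployment this
// call goes from the browser straight to the processor, never via the merchant.
const processor = {
  tokenize(card) {
    const pan = card.number.replace(/[\s-]/g, '');
    if (!luhnValid(pan)) throw new Error('invalid card number');
    // Opaque token plus last four digits: enough for receipts, useless to a thief.
    return { token: 'tok_' + pan.slice(-4) + '_x', last4: pan.slice(-4) };
  },
};

// Builds the only payload the browser sends to the merchant's server: the
// order details and the token. The PAN and CVV never leave this function.
function buildMerchantPayload(card, order) {
  const { token, last4 } = processor.tokenize(card);
  const payload = { orderId: order.id, amountZAR: order.amountZAR, cardToken: token, last4 };
  if (containsCardData(payload)) {
    throw new Error('refusing to send card data to the merchant server');
  }
  return payload;
}
```

The guard only catches accidental leakage of card data into merchant-bound requests; whether the resulting flow reduces the merchant's PCI-DSS obligations is decided by the acquirer and the merchant agreement AJ Henderson mentions, not by the code.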