2

I'm a new business that conducts online auctions for estate sales. When searching for software to use, I had no idea about PCI Compliance. My merchant account told me it was easy. It would be if the developer of the software had created a hosted form from my site to my payment gateway.

Because they didn't, I was required to have an AVS scan, which failed. The software developer (who is different from the company that owns the software) told me PCI Compliance was baloney and that he has an SSL certificate so everything is encrypted and fine. He said he has only heard of PCI compliance a few times after building 700 websites and no one has been able to tell him what to change to be compliant. The owners of the software also claimed never to have heard of PCI compliance - they use the software and so do about 6-7 other independent businesses who have never had their merchant accounts ask about PCI Compliance (supposedly). I have ended my relationship with this company.

I am now in the process of trying out software from a different company that both owns the software and hires the developers. They claim to have a PCI Compliant environment, but they also don't use a hosted form - they use APIs to send over the info to the gateway, which likely means I will need to scan every 90 days. I'm not concerned about inconvenience; what does concern me is the safety and security of my customers and my liability.

It seems I am completely on the hook for PCI Compliance, including the fines and costs to replace cards, etc., but the developers/software companies have no skin in the game and have nothing to lose and no incentive to change to a hosted form to make PCI Compliance reasonable for merchants who don't want to or can't afford to create their own software. Is this normal? Can someone tell me why PCI Compliance is on the merchant only? I'm ready to shut down my business because it seems I am the only one holding the bag when it comes to compliance, yet I have no control over the software except for my choice to use it. I won't sleep at night unless I know I am doing the best I can to keep my customers' data as secure as possible. Can anyone provide insight or advice here? Or is this specific to my particular industry?

John Deters
Kary

4 Answers

4

First, anyone who says "PCI compliance is baloney" is incompetent; you absolutely did the right thing by walking away from them. Also note that PCI liability means you are on the hook not only for fines and card replacements, but all the fraud that was committed with card data stolen from your environment. If the thieves buy a fleet of Ferraris, you are pretty much all done. (There are other nuances to PCI liability, but web sales are pretty much guaranteed to be the least secure option, and will always shoulder more of the blame.)

Regarding auction software, consider looking for software that performs the functions you wish to offer, but does not perform the payment processing at all. There are many players in the payment processing game; because Security Stack Exchange policy forbids product recommendations, we can't offer you a specific list. There are many reputable big companies that take money over the web; you should have no trouble finding one.

A good way to find a payment company is to observe how they work. Next time you're shopping online, look to see if the payment company takes you to their branded web site for payment processing, then returns you to the store's site after your payment is approved. That's the kind of payment company you should be looking to hire; it keeps all the PCI risk out of your hands.

Once you've seen how the various players in the payment space operate, you'll know what to look for and who to ask for in your auction software shopping. Some may prefer one payment gateway over another, or offer only one option; that might be OK if you don't mind their choice of providers. If the auction software company doesn't already offer such integration built into their off-the-rack package, ask when they plan to offer it, not if. Let them know you're only going to buy a package that offers you complete isolation from the payment environment.

John Deters
  • Just to let you know, it IS baloney. I used to work closely with a datacenter on 1 Wilshire, which I believe is still the biggest peering location in the world. There are tons of DCs there, and during a conference with one discussing my business he told me the "Dirty Secret" that PCI Compliance was simply a con game. You give me money, I give you a certificate. End of story. Of course there are some basic checks, but its reputation as some magic "environment" is simply a big turd of propaganda. It's like politics. Just have the right connections and you get your PCI Compliance. – 8vtwo Aug 10 '21 at 04:04
  • I should probably differentiate between “certification” and “compliance”. Yes, fraudulent certifications are well known. But if you’re actually complying with the requirements, you’re doing a lot of the right things. – John Deters Aug 10 '21 at 20:15
  • And what makes PCI Compliance "so hard" for a small company with a few servers and a good firewall? Procedural bureaucracy? Or technical competence? – 8vtwo Aug 11 '21 at 06:45
2

It is strange that credit cards are ubiquitous and yet PCI compliance is relatively unheard of, perhaps because it’s difficult to approach and consultants take advantage. It’s fundamentally flawed really: put all the risk on the merchant through a poorly designed system, and take all the profits. Hopefully cryptocurrencies will help in this area in the future.

Anyway, practically speaking:

  1. Check out the PCI Council website for official documentation; they have a list of official QSAs on there also.

  2. Look for a PCI compliant service provider, get their attestation of compliance and report on compliance (do this annually), and make sure the contract you have with them says they are PCI compliant. This way the liability moves to them if their systems have a breach.

  3. If you want to set up the payment part yourself, use an iframe or redirect solution from Stripe/Paypal (pretty much every payment gateway has this option); then you should only need SAQ A (the simplest compliance self-questionnaire).

  4. You can try talking to your merchant bank, they are often very helpful. And/or you can talk to a QSA who will give you advice on what to do.

It shouldn’t be a big deal unless you’re trying to do something fancy, just make sure to cover your bases. Good luck!

Richard
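Both John Deters's answer (a redirect to the payment company's own site) and step 3 above (an iframe or redirect solution) rest on one property: a card number never reaches the merchant's server. As an added example that is not part of either answer, here is a check a merchant can run over captured request bodies from their own checkout to confirm that property. The sample bodies and the `payment_token` field name are constructed for this illustration.

```javascript
// Added example, not code from the answers above. Flags whether a request
// body that reaches the merchant's own server contains a card number (PAN).
// If it does, the integration is not a true hosted-form/redirect solution
// and the merchant's environment is in scope for that cardholder data.

// Luhn check: real card numbers pass it, which separates PANs from other
// long digit runs such as order numbers or phone numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the Luhn-valid 13-19 digit runs found in a string, tolerating
// the spaces or dashes customers often type between card number groups.
function findPans(text) {
  const matches = text.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [];
  return matches
    .map((m) => m.replace(/[ -]/g, ""))
    .filter((d) => d.length >= 13 && d.length <= 19 && luhnValid(d));
}

// True when a captured request body carries at least one PAN.
function requestCarriesPan(body) {
  return findPans(body).length > 0;
}

// Constructed sample bodies. The first is what a direct-API integration
// posts to the merchant's server (card fields included); the second is what
// a hosted-form or redirect integration hands back: only an opaque token.
const DIRECT_API_BODY =
  "amount=125.00&card_number=4111 1111 1111 1111&exp=12/29&cvv=123&order=100200300";
const HOSTED_FORM_BODY =
  "amount=125.00&payment_token=tok_example_9f3a1c&order=100200300";
```

Run it against a handful of real (test-mode) checkout captures: any body for which `requestCarriesPan` returns true is evidence the software is not keeping the merchant out of the payment environment.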
0

Banks and many other merchant service providers know that it is on the merchant to make sure they are compliant. They also know that if you are not compliant they can charge a higher non-compliant fee. So that is my opinion on why they do not inform a new merchant that it is necessary or offer help. I am an onboarding admin for a merchant service company and I pride myself on helping our merchants with PCI by walking through the business profile and questionnaire with them. When looking for a merchant service, avoid ones who give little to no help or advice on PCI or that say it is easy. It is not easy and can be a pain. It is a huge help when a company is hit with fraud. If you take cards, please make sure you are compliant; it will also lower that non-compliant fee.

-2

PCI compliance is only baloney if you want to accept payments from credit cards. I don't think this is unique to your industry - anyone wanting to take online payments needs to be compliant with the Payment Card Industry.

The best thing to do would be to engage a consultant to help build your business's PCI compliance. It may not be cheap, but it's way better than the alternative. Unfortunately here at SE, it's out of scope to advise exactly what to do or whom to engage.

baldPrussian
  • First of all, I think you're missing a "not" in this. Second, this is a very unhelpful suggestion. – Bobson Dec 20 '17 at 15:22