There’s a security standard that is being imposed by credit card companies. It’s called PCI DSS (Payment Card Industry Data Security Standard), and it’s recently (2007) a requirement of all businesses that process, store, and/or transmit credit card data online. Extremely unlikely to happen to smaller vendors, but failure to comply can be punished by revocation of credit card charging privileges, and/or a fine.
This standard is not a law, but a small-print agreement between the card company and its vendor (you). The bank that provides you with credit card charging privileges may at some point in the future ask you to prove your “PCI compliance”, or else revoke your charging privileges.
In practice, the card companies are at this point only leaning on their biggest vendors (with millions of card charges per year), so there’s absolutely no need for you to panic. However, once they’ve got their biggest vendors toeing their line, they’ll start to focus on their smaller vendors, so this is something you will probably need to deal with sooner or later.
What is required is that if you currently accept credit card information through your website (or plan to), that you either change the way you handle credit cards online in order to comply with the security standards (and become “PCI compliant”), or stop accepting credit cards on your website altogether. Of course, the option also exists to do nothing, but you’re taking your chances that way.
How to Become PCI Compliant
If you want to process credit card numbers from your website, you will need to become “PCI compliant”. In order to do this, it’s necessary to do three things:
- Fill out a self-questionnaire related to how you handle credit card information. It has over 100 technically dense questions for which you will need to answer either Yes or N/A to all of them. (See below for sample questions)
- Get a quarterly scan of your website by HackerGuardian, HackerSafe, or similar. HackerGuardian offers a free PCI scan. HackerSafe, the more recognized of the scanning companies, charges up to $149 a year for their PCI scan.
- Fix any problems with your website that the quarterly scan shows. The cost of this will depend on the issues that come up.
Note that as far as the scanning companies are concerned, if you send customers to a third party website (such as PayPal or 2Checkout) when they enter their billing information, you still need to become PCI compliant because it’s your website that initiated the payment process.
TRANSMIT CARD INFORMATION
If you want to transmit credit card numbers from your website’s order form through an email to yourself, you must become PCI compliant, plus the website must be modified to use encryption when it transmits the emails, and the recipient of the email must be set up to receive encrypted email. On top of this, you should only email the last four digits of the card number. Email is very much not secure, even when encrypted.
It will take about 30 to 60 minutes to set up the website to use encryption, and perhaps an hour for you to set up your email to receive encrypted email (and be able to de-encrypt them). Setting up your email to be able to read encrypted emails is no small affair, and it may be necessary to get a professional to do this for you, perhaps a local IT person who can actually come into your home and sit with you as you go through the process. If you have a Mac and a .Mac account, this process is much easier.
From a security standpoint, it is probably more secure to store credit card numbers in your website’s database rather than emailing them, even if the emails are encrypted.
STORE CREDIT CARD NUMBERS
If you want to store credit card numbers within your website’s database, in addition to becoming PCI compliant, you will also need either a virtual private server or a dedicated server. If you have a shared hosting account, it’s not a good idea to store credit card numbers within your database. VPS starts at $50/month and dedicated hosting starts at $100/month, and those are for slow servers only appropriate to smaller websites. More trafficked sites will need to pay double or more.
OPTION 2 – Stop Accepting Cards Online
Stopping accepting credit cards online is the simplest and cheapest solution for complying with the new rules. You could still provide a printable order form and ask people to submit that with their credit card info, or you could call back every customer to get their card information over the phone. You could also accept orders online and require a check be sent before the order is complete. This could work if you have a very low online sales volume or you need to call back your customers anyway to confirm things.
HackerSafe / HackerGuardian Trust Logo
The next level of PCI compliance is to get a HackerSafe (or HackerGuardian) trust logo on your site. The companies claim this increases sales by 15%. In order to get this logo, you must do everything mentioned above as far as PCI compliance goes, but the scan will be done every day. This is all handled automatically by the scanning company.
They charge for their logo. HackerGuardian is the cheapest at $79 a year, and HackerSafe, the more recognized of the two costs between $500 and $2000 a year depending on how much they think they can squeeze out of you.
If you have only a tiny online sales volume, the simplest option is to discontinue accepting credit cards online. If you need to continue to accept credit cards online, you should become PCI compliant. It might make sense to get the trust logo in addition to the PCI compliance. HackerGuardian is the cheapest of the compliance assurance companies with a free PCI compliance scan and a $79 yearly trust logo program.
These PCI compliance rules are now part of our ever evolving world wide web. I don’t make these rules up, but I’m informing you of them so that you can avoid any future liability. Whether you choose to make any changes is up to you. Realistically, the chances are small that anything terrible will happen to you if you don’t. But small doesn’t mean zero.
My fees for any future ecommerce projects will take PCI compliance into account. For any past projects (including yours), my fees will be $50/hr for any consulting and implementation. Questions will be answered for free before any PCI compliance process starts.
For more information, please see:
Sample PCI Questions
As you can see, some of these are these are very techie.
- If wireless technology is used, is the access to the network limited to authorized devices?
- Are vendor default accounts and passwords disabled or changed on production systems before putting a system into production?
- Is sensitive cardholder data securely disposed of when no longer needed?
- Are all users required to authenticate using, at a minimum, a unique username and password?
- When an employee leaves the company, are that employees user accounts and passwords immediately revoked?
A blog for website owners written by a web designer
BLOG CATEGORY ARCHIVES
- eCommerce (9)
- Email (6)
- Helpful Hints (21)
- Hosting (4)
- Marketing (13)
- Metadesign (6)
- Programming (3)
- Security (5)
- SEO (1)
- Visual Design (3)
- Web Design Tutorial (7)
- WordPress (5)
- X-Cart (5)
"Thank you so much for being so responsive – we're really happy with the site!"
Lisa E., Program Manager
Jewish Welcome Network, San Francisco, CA