I am helping a marine supplies company expand their
customer base and increase consumer sales with a new eCommerce
website. Consumer sales means credit card payment processing.
Credit cards mean PCI compliance.
Some people think that PCI compliance is the big credit card
companies' attempt to push responsibility down to the merchants,
so they don't have to spend money now to upgrade their
infrastructure from the 1980s. While there may be some truth in
that, a merchant is responsible for protecting its customers'
credit card information when those customers purchase its products. If it
wants to offer VISA, MasterCard and American Express credit card
payments, then it has to follow the rules.
Wikipedia says the Payment Card Industry Data Security
Standard is a worldwide information security standard
created to help organizations that process card payments prevent
credit card fraud. The standard applies to all organizations which
hold, process, or pass cardholder information.
PCI compliance means that merchants and eCommerce solutions must
follow the standards or be liable for credit card fraud. There are
6 core principles and 12 requirements to follow. The major business
areas to consider for a merchant are:
- Merchant's facility, order processing and internal
financial/ERP systems
- eCommerce website
- Credit card processing gateway
- Processor
- Merchant Bank
I recommend Authorize.net and PayPal Payflow Pro credit card
processing gateways in our eCommerce websites, because they are
rock-solid PCI compliant. A merchant chooses their Merchant bank
and processor company, and best practices dictate due diligence to
ensure PCI compliance. This happened to be a concern for the
marine supplies company, because they chose to use Heartland as the
processor. Heartland was removed from the PCI-compliant list in
March because of data breaches (see the eCommerce
Times article), so it was important to ensure they were
back on the PCI-compliant list; they were reinstated earlier this
month.
TwinEngines eCommerce solutions do not store full credit card
information in the website database. Very limited, partial
information is stored only for customer service. The shopping cart
transaction is secure with SSL, and does not display full credit
card numbers anywhere after the card information is taken. The
administrative engine used in eCommerce websites connects directly
to the credit card processing gateway to authorize payments at
check out and to capture the charge at shipment.
Some merchants use the eCommerce website administration tool to
process phone orders, ensuring PCI compliance. The eCommerce
website holds the credit card gateway transaction numbers to allow
the merchant to work with the transactions securely in the credit
card gateway's virtual terminal. This is necessary for activities
such as voiding an authorization or crediting a card when
needed.
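The data-handling pattern described in the last two paragraphs, as an added example that is not TwinEngines code: the merchant side keeps only a masked card number and the gateway's transaction number, and capture and void are driven by that number alone. The gateway is a constructed stand-in, and the order record, field names and transaction ids are assumptions.

```python
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"\d{13,19}")

def normalize_pan(pan: str) -> str:
    """Strip separators and check the card number is plausibly shaped."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("not a plausible card number")
    return digits

def mask_pan(pan: str) -> str:
    """Keep only the last four digits; this is all the merchant stores or shows."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass
class StoredOrder:
    """What the website database keeps: no full PAN, just the gateway's reference."""
    order_id: str
    masked_pan: str
    gateway_txn_id: str
    state: str = "authorized"

class FakeGateway:
    """Constructed stand-in for a gateway's authorize/capture/void API.
    It is the only party that ever receives the full card number."""
    def __init__(self):
        self._txns, self._next = {}, 1000
    def authorize(self, pan: str, amount: float) -> str:
        normalize_pan(pan)
        txn = f"TXN{self._next}"  # constructed transaction id format
        self._next += 1
        self._txns[txn] = {"amount": amount, "state": "authorized"}
        return txn
    def _transition(self, txn: str, new_state: str) -> None:
        if self._txns[txn]["state"] != "authorized":
            raise RuntimeError(f"{txn} is no longer an open authorization")
        self._txns[txn]["state"] = new_state
    def capture(self, txn: str) -> None: self._transition(txn, "captured")
    def void(self, txn: str) -> None: self._transition(txn, "voided")

def checkout(gw: FakeGateway, order_id: str, pan: str, amount: float) -> StoredOrder:
    """Authorize at checkout: the PAN goes to the gateway once, never to the database."""
    digits = normalize_pan(pan)
    return StoredOrder(order_id, mask_pan(digits), gw.authorize(digits, amount))

def ship(gw: FakeGateway, order: StoredOrder) -> StoredOrder:
    """Capture at shipment using only the stored transaction number."""
    gw.capture(order.gateway_txn_id); order.state = "captured"; return order

def cancel(gw: FakeGateway, order: StoredOrder) -> StoredOrder:
    """Void an open authorization, again by transaction number only."""
    gw.void(order.gateway_txn_id); order.state = "voided"; return order
```

Voiding after capture fails at the gateway, which is the behaviour a merchant should expect when a shipped order is cancelled; a credit would be a separate operation against the same transaction number.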
If you are selling online, the first place to start is the PCI
DSS questionnaire found at
the PCI Security Standards Council. You'll also find the 6 core
principles and 12 requirements established by PCI SSC. After
you do your homework, make sure your eCommerce website will be in
compliance when selecting a partner to help you implement commerce
on the web.