Get Your E-commerce PCI Compliant or Face Fines

4 comments

This isn't recent news but it's been dodging around on my radar recently. I finally got time to have a look through it today.

The banks and credit card companies have introduced a new standard for businesses that store credit card details or carry out credit card transactions on their site. Only web sites that hand the entire card transaction over to the payment vendor's own site are exempt.

From the feedback people have had from the banks, this also seems to cover connections made via a payment processor's API. This method forwards the card data to the processor straight away and usually doesn't store it on the merchant's server. The new PayPal Pro API would be an example of this.

Sites will need to be approved for PCI Compliance by an approved vendor. Although the process is semi-voluntary at the moment, there are some severe fines and sanctions for non-certified vendors should a breach occur.

What Happens If My Business Does Not Become PCI Compliant?

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.

* Visa may charge your business up to $500,000 per incident if your network and your consumers' information are compromised.

* You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.

* If you do not notify the companies of probable or actual violations or thefts of your customers' information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.

* Other fines may be charged if the credit card company feels that your company's violations pose a risk to the credit card company and/or its members.

From a look around Google, fees for scanning seem to start around the $200 mark. For more information, visit the PCI Compliance Guide.

Comments

Nothing New Except the Name

The various CC companies have been doing this for years but simply merged it into a PCI single standard.

My simple solution to the problem was to stop storing the CC information on my server since my processor provides a complete backend control panel with methods to adjust the sale or perform voids and refunds without knowing the full CC number.

I only record the authorization code and nothing more so I'm more than compliant.

Also, many states such as California have state laws which require such information to be encrypted, and there are civil penalties for failure to comply. The worst part is the CA law requires full disclosure to all customers that have been breached, which is an instant PR nightmare as well.
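The commenter's approach above, keeping only the processor's authorization reference and never the card number, is shown here as an added example that is not code from the original post or from any processor. It assumes a hypothetical processor response containing `auth_code` and `transaction_id` fields, and adds a guard that refuses to persist any field that looks like a Luhn-valid card number, so a stray echo of the PAN cannot end up in the order database by accident.

```python
import re
from dataclasses import dataclass

# Candidate card-number runs: 13 to 19 digits, optionally separated by
# spaces or dashes, not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if any 13-19 digit run in the text passes the Luhn check."""
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass(frozen=True)
class StoredSale:
    """Everything the merchant keeps: enough to void/refund via the
    processor's control panel, but no full card number."""
    order_id: str
    amount_cents: int
    auth_code: str
    last4: str
    processor_ref: str


def record_sale(order_id: str, amount_cents: int, card_number: str,
                processor_response: dict) -> StoredSale:
    """Build the persisted record from a completed authorization.

    `card_number` is the value submitted at checkout; it is used only to
    derive the last four digits for customer display and is never stored.
    `processor_response` is a hypothetical gateway reply (an assumption,
    not any real processor's format) with 'auth_code' and 'transaction_id'.
    """
    pan_digits = re.sub(r"[ -]", "", card_number)
    sale = StoredSale(
        order_id=order_id,
        amount_cents=amount_cents,
        auth_code=str(processor_response["auth_code"]),
        last4=pan_digits[-4:],
        processor_ref=str(processor_response["transaction_id"]),
    )
    # Guard: if the gateway (or a bug upstream) echoed the full card number
    # into any field we are about to keep, refuse to persist the record.
    for name, value in vars(sale).items():
        if isinstance(value, str) and contains_pan(value):
            raise ValueError(f"refusing to persist field {name!r}: contains a card number")
    return sale


if __name__ == "__main__":
    # Constructed sample: a well-known Visa test number and a made-up gateway reply.
    sale = record_sale("ORD-1001", 4999, "4111 1111 1111 1111",
                       {"auth_code": "A1B2C3", "transaction_id": "tx_98765"})
    print(sale)
```

The `contains_pan` check is deliberately tolerant of separators and deliberately strict about Luhn, so a 16-digit order or tracking number that fails the checksum is not mistaken for a card number. The same function can be run over log lines or support tickets as a last line of defence against accidental card-data storage.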

The worst part is the CA law

The worst part is the CA law requires full disclosure to all customers that have been breached, which is an instant PR nightmare as well.

Horrible, just horrible... We should be allowed to hunt down and shoot to kill all affected customers just to keep it quiet.

Not telling all customers just means some other poor sap merchant is going to get hit with the fraud. I am all for full disclosure in the case of breaches.

My simple solution to the

My simple solution to the problem was to stop storing the CC information on my server since my processor provides a complete backend control panel with methods to adjust the sale or perform voids and refunds without knowing the full CC number.

Yes I haven't stored CC details for years now but the bit that got my attention is that this standard seems to cover API connections too. From the mailing lists I have been on (where people have been checking with the banks) it seems that if you take the CC details in any form on your web site then you have to pay to get checked - even if they are sent instantly to the payment gateway.

We often use this method to keep the payment pages in the same brand as the rest of the site (and to avoid taking the user to another URL which increases the drop out rate).

Considering there must be literally hundreds of thousands of merchants who are going to get hit with this checking fee, I'm surprised this isn't bigger news. Even if it's just $200, that's probably more than most are paying for their annual hosting (not to mention the costs of getting vulnerabilities fixed if they are found).

This is going to be a serious payday for the certifying companies.

Levy/Fine List

Less of a comment than an open question:

Can anyone point me in the direction of a comprehensive list of PCI-specific fines that have been levied?

We're having a difficult time convincing the business side that a POS upgrade (current POS is non-compliant and aged beyond the ability to fix/mend to comply) is the only means of obtaining compliance, and need some specific instances of actual fines, before we find ourselves in a situation where a "compelling event" creates the urgency to replace the POS or shut our doors.
