The Importance of PCI Compliance
Accepting credit card payment online carries great responsibility. Merchants must take every step to protect the integrity of ALL the data collected from their customers. Why? You can lose your shirt if you don’t.
The credit card companies have banded together and created a standard for the use and storage of credit card data for ecommerce companies. This standard is called the Payment Card Industry Data Security Standard (or PCI for short). It applies to ALL ecommerce merchants, both big and small. If you sell something online and accept credit card payment, you HAVE to be aware of the PCI standard. Why? If your store is found to be non-compliant, you can lose the ability to collect credit card payments, be targeted by a class action suit and face HEAVY fines. Believe me, it’s a whole lot easier being compliant.
Here are some important facts about the PCI Standard:
1) The Payment Card Industry (PCI) Data Security Standard is a joint creation of Visa, Mastercard, Discover and American Express. It is a response to the growing severity of credit card theft.
2) The goal of the PCI standard is to protect cardholder data wherever it may reside. The PCI has developed industry-wide standards for card data security to be followed by both merchants and providers alike.
3) Every single online store that accepts credit cards is legally required to be PCI compliant. In order to be compliant, shopping cart providers have to successfully complete a CISP review based on the PCI data security standard.
4) Non-PCI Compliant Merchants Face:
* Losing the ability to process transactions altogether
* $500,000 in fines (per incident). Visa is actively fining merchants now
* Class-action lawsuits
* $10,000 in monthly fines
Most every merchant thinks they are compliant. But are you really? Three areas of your online store must be checked for PCI compliance.
1. You! How do you handle and store credit card data? The best practice is not to handle or store credit card data. Let the payment gateway or processor do it for you. Never store it yourself – either online or offline.
2. The payment processor. Make certain that the one you use is PCI compliant.
3. The shopping cart solution. Make certain that the one you use is PCI compliant.
How can you tell if your payment processor and shopping cart solution are PCI compliant? Here is a list of companies that have completed the CISP review process and are officially compliant.
CISP Compliant Service Providers
If you doubt that your payment processor or shopping cart is officially compliant, you can contact Visa directly.
For more information regarding PCI compliance, here is the main page of Visa’s website dealing with PCI standards and the rules:
More info on PCI Compliance
The importance of PCI compliance cannot be overstated. If you’re an ecommerce merchant, the responsibility is yours and yours alone. Make certain that you follow the standard and use shopping cart and payment processing companies that are officially compliant.
On a side note, PCI compliance is one reason I recommend that ecommerce merchants use a hosted shopping cart rather than a do-it-yourself solution like osCommerce. You can cover yourself and protect your customers by simply using a hosted cart solution found on the list of PCI compliant companies.
Volusion, Yahoo Stores and MonsterCommerce are the only hosted cart solutions on the list that we’ve reviewed. MonsterCommerce was one of the first to get listed but lacks many of the features and functionality that Volusion offers. Considering this, Volusion is the only hosted cart solution on the list of officially compliant companies that eCartReviews recommends. MonsterCommerce and Volusion are heading in opposite directions. Volusion is going up and MonsterCommerce is going down (at least on my stock chart). Yahoo offers a great solution - if you like profit sharing! Of the three, Volusion is the best all-around solution.
It is not enough to use a compliant solution. Merchants may also be held responsible. If you as a merchant or service provider are collecting and storing any data, online or offline, such as collecting data online and processing payments in your Brick & Mortar or in your basement, check these guidelines http://usa.visa.com/merchants/risk_management/cisp.html
The list on this Visa site is for US providers only. Many international providers are compliant with these recommended standards. If your provider is located outside the US, contact the provider or Visa Global.
Upon further review this is basically another scare tactic from visa. Visa itself has been compromised in the past. Shopping cart solutions have undoubtedly used this scare tactic to gain customers by touting "the list."
On the service provider list you will find Visa's small print disclaimer:
CISP reviews represent only a "snapshot" of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.
heh
and
Inclusion on this list indicates only that the service provider successfully completed a CISP assessment following requirements prescribed for their CISP Level, based on the report of an independent security assessor. Visa does not endorse the service providers or their business processes or practices.
Don't rely entirely on the list and don't be fooled into believing that those on the list cannot be compromised. This is not to say the list is a bad thing. Frankly I'm getting tired of Visa scaring the bejesus out of consumers with their TV ads, etc. If Visa holds this list in high regard or considers it valuable consumer information, it should be advertising it as a solution along with its stolen identity scare tactics.
This is an inaccurate statement:
Every single online store that accepts credit cards is legally required to be PCI compliant. In order to be compliant, shopping cart providers have to successfully complete a CISP review based on the PCI data security standard.
It is not a law, but best to get up to industry standards if you are not.
Hello again Brian
I saw the post from a Volusion rep on your forum.
quote
Doing the self-assessment is not the same as compliance.
the self assessment does not make you compliant --
Lynn Bender Volusion
end quote
Post: http://www.ecartreviews.com/forums/CISP-Compliance-Misconceptions-t2550.html
If you look at the list of CISP compliant service providers you will see many which are labeled as self-assessment under the column titled Assessor here: http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf
Visa says they are CISP compliant by self-assessment. If Visa says so it must be true.
At least 2 cart solutions on the CISP compliant list you do not mention or recommend are listed as 1shoppingcart and goemerchant, both of which were compliant before monster commerce and volusion. Both are now late submitting their annual reports to Visa, but so is Google. Take a look. Noted in yellow or red depending on how late they are.
What might also be noteworthy are the distinctions of services these companies were reviewed for.
Yahoo, Google, Goemerchant and 1shoppingcart were reviewed for Internet Payment Processing
Monster Commerce was reviewed for Merchant Payment Processing
Volusion was reviewed for Internet Payment Gateway
Contrary to what some cart solutions would like us to believe, a service provider does not have to appear on this list in order to be PCI or CISP compliant. They can submit a report, whether it's self-assessed or assessed by a third party, depending on what level they are, and register with Visa. If they don't register, they don't get on the list, per Visa:
Service provider registration
Service providers must be registered with Visa prior to inclusion on the list of CISP-compliant service providers.
Brian, thank you for bringing this to the attention of merchants.
Stephan -
Thanks for the feedback.
Which cart solution do you represent?
Hi,
I'm not a cart rep but I have used most of them at one time or another.