Information Security
pci-dss compliance e-commerce
Updated Sun, 31 Jul 2022 21:47:59 GMT

Is PCI Compliance mandatory?


I recently started working on an eCommerce addition to a site I'm working on. In my research looking for a way to do SSL without a certificate / with a free certificate, I came across PCI Compliance. I have been reading the PCI DSS Requirements from: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf and, to be honest, a lot of this sounds a bit overkill for what I'm doing.

The shop I'm working on will sell around 20 products initially to a very small number of customers. We're using a hosting provider and we are a total of 3 employees at the company at the moment. Is PCI Compliance mandatory or just recommended, and if not mandatory, is it really necessary in this case?

Thanks




Solution

First of all, SSL without a certificate is not possible; don't try to roll your own security, because you will fail at it. You might think "hey, how would you know that I'm not actually a very good crypto expert?" Well, because you wouldn't be making such statements.

PCI-DSS is only mandatory if you are processing credit card data. This means that if you accept and store credit card information, you are required to be PCI-DSS compliant. What if you are not compliant? Well according to this reference:

If you do not meet the PCI standards for compliance and the security of your site gets compromised, you will be facing penalties and fines ranging from $5,000 to $500,000. The fines, however, are just the beginning of the overall damage caused by noncompliance.

If your website or company are not PCI compliant, you run the risk of losing your merchant account, which means you won't be able to accept credit card payments at all. You will also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years. The TMF is essentially a BLACKLIST from which it is almost impossible to be removed.

When a merchant is added to the TMF, sometimes called The Match File, their name, business name, business address, and home address are all noted. So, you can't just apply for a new account under the name of another family member or business partner, because it will be seen as the same business and location.

Getting on The Match File is just about the worst thing that can happen to any merchant.

Now, as you read, there is a fine; just FYI, the fine comes on top of all the fraudulent charges (which you will be held accountable for as well).

If you're thinking, "how can I make a business if I can't accept credit cards?", quite simply by using a payment gateway such as PayPal, which takes care of all payments (and thus also takes away your need to be PCI-DSS compliant).





Comments (4)

  • +0 – Thanks a lot for the answer, cleared up a lot. I have looked into PayPal, but with it not supporting ZAR and the shop being local only (in South Africa) this will not be possible. — Apr 07, 2014 at 12:53  
  • +0 – It isn't just if you are processing and storing. Simply handling the data is sufficient to require compliance. — Apr 07, 2014 at 15:28  
  • +0 – PayPal uses callbacks where you only enter information on PayPal's website. The only information you actually send and receive is the amount to be paid and the goods. PayPal will only send you a callback based on paid or not paid and maybe your address information. No card details whatsoever. — Apr 07, 2014 at 17:01  
  • +0 – There are other merchant accounts than just PayPal. Stripe.com has a JS file that will take the CC info and send it directly to them without touching your servers, and then it gives but a CCID to work with. This will allow you to take payments through your own UI without having to regulate the usage and storage of the CC info. — Apr 07, 2014 at 20:01
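The tokenisation pattern described in the last comment (and the point in the second comment that merely handling card data puts you in scope), as an added example that is not part of the original thread or of any gateway's library: `gatewayTokenize` is a constructed stand-in for the gateway's browser-side script, and `handleCheckout` is a hypothetical merchant endpoint that accepts only the returned token and refuses any request field that carries a Luhn-valid card number, so raw PANs never reach the merchant's servers or logs.

```javascript
// Added example, not code from the thread. Shows why client-side tokenisation
// keeps card data out of the merchant's PCI-DSS scope, plus a server-side
// guard that catches a raw PAN arriving anyway (e.g. from a mis-built form).

// Luhn check: every real PAN passes it, so it separates card numbers from
// order IDs or phone numbers that happen to have the same digit count.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes,
// it is 13-19 digits and Luhn-valid.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Constructed stand-in for the gateway's browser library: the card number
// goes straight from the browser to the gateway, which hands back an opaque
// token. The merchant server only ever sees the token.
function gatewayTokenize(card) {
  if (!looksLikePan(card.number)) throw new Error('invalid card number');
  return 'tok_' + String(card.number).replace(/[\s-]/g, '').slice(-4) + '_constructed';
}

// Hypothetical merchant checkout handler: a token is required, and any
// field containing a PAN is rejected up front, because storing or even
// handling that data would bring the server into PCI-DSS scope.
function handleCheckout(body) {
  for (const [key, value] of Object.entries(body)) {
    if (looksLikePan(value)) {
      return { ok: false, error: `field "${key}" contains card data; reject, do not log` };
    }
  }
  if (typeof body.token !== 'string' || !body.token.startsWith('tok_')) {
    return { ok: false, error: 'missing gateway token' };
  }
  return { ok: true, charge: { token: body.token, amountCents: body.amountCents } };
}
```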