I recently started working on an eCommerce addition to a site I'm working on. In my research looking for a way to do SSL without a certificate/a free certificate I came across PCI Compliance. I have been reading the PCI DSS Requirements from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf and, to be honest, a lot of this sounds a bit overkill for what I'm doing.
The shop I'm working on will sell around 20 products initially to a very small number of customers. We're using a hosting provider and we are a total of 3 employees at the company at the moment. Is PCI Compliance mandatory or just recommended, and if not mandatory, is it really necessary in this case?
First of all, SSL without a certificate is not possible; don't try to roll your own security because you will fail at it. You might think, "hey, how would you know that I'm not actually a very good crypto expert?" Well, because you wouldn't be making such statements.
PCI-DSS is only mandatory if you are processing credit card data. This means that if you accept and store credit card information, you are required to be PCI-DSS compliant. What if you are not compliant? Well, according to this reference:
If you do not meet the PCI standards for compliance and the security of your site gets compromised, you will be facing penalties and fines ranging from $5,000 to $500,000. The fines, however, are just the beginning of the overall damage caused by noncompliance.
If your website or company are not PCI compliant, you run the risk of losing your merchant account, which means you won't be able to accept credit card payments at all. You will also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years. The TMF is essentially a BLACKLIST from which it is almost impossible to be removed.
When a merchant is added to the TMF, sometimes called The Match File, their name, business name, business address, and home address are all noted. So, you can't just apply for a new account under the name of another family member or business partner because it will be seen as the same business and location.
Getting on The Match File is just about the worst thing that can happen to any merchant.
Now, as you read, there is a fine; just FYI, the fine comes on top of all the fraudulent charges (which you will be held accountable for as well).
If you're thinking, "how can I make a business if I can't accept credit cards?", quite simply: by using a payment gateway such as PayPal, which takes care of all payments (and thus also takes away your need to be PCI-DSS compliant).
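The practical consequence of the answer above (let the gateway handle the card, keep card data off your own server) is easier to enforce than to promise. The following is an added example, not code from the question or the answer: a checkout-side guard that accepts only an opaque gateway token plus order details, and refuses or redacts anything that looks like a primary account number (PAN) so that a card number can never end up in your database or logs. The field names, the "tok_..." token format and the sample payloads are constructed for this example; the Luhn check is the standard card-number checksum, and 4111 1111 1111 1111 is a well-known Visa test number.

```python
import re
from typing import Any

# Hypothetical token format for this example: the gateway returns an opaque
# reference that the merchant stores instead of card data.
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{8,}$")

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); cuts false positives on other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return the PAN-like substrings in text (digits only) that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = _strip_separators(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of any PAN, for log and error messages."""
    def mask(m: re.Match) -> str:
        digits = _strip_separators(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return PAN_CANDIDATE_RE.sub(mask, text)


def validate_checkout(payload: dict[str, Any]) -> dict[str, Any]:
    """Accept only order_id, amount_cents and payment_token; refuse card data.

    Returns a sanitized record that is safe to store. Raises ValueError if the
    request carries unexpected fields, a malformed token, or a PAN in any value.
    """
    allowed = {"order_id", "amount_cents", "payment_token"}
    extra = set(payload) - allowed
    if extra:
        # Reject rather than drop: a "card_number" field means the front end is
        # sending card data to us, which is exactly what we must not receive.
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    token = str(payload.get("payment_token", ""))
    if not TOKEN_RE.match(token):
        raise ValueError("payment_token missing or malformed")
    # Scan every value, including the token, so a PAN smuggled into any field is caught.
    for key, value in payload.items():
        if find_pans(str(value)):
            raise ValueError(f"card data in field {key!r}; refusing to process")
    return {
        "order_id": str(payload["order_id"]),
        "amount_cents": int(payload["amount_cents"]),
        "payment_token": token,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    print(validate_checkout({"order_id": "A100", "amount_cents": 1999,
                             "payment_token": "tok_3fA9kLq2Zx"}))
    print(redact_pans("card 4111 1111 1111 1111 declined"))
    try:
        validate_checkout({"order_id": "A101", "amount_cents": 500,
                           "payment_token": "tok_3fA9kLq2Zx",
                           "card_number": "4111111111111111"})
    except ValueError as e:
        print("rejected:", e)
```

Two caveats: the Luhn filter still lets roughly one in ten random 13-19 digit numbers through, so a long numeric order ID may occasionally be flagged (choose IDs with letters or fewer digits), and this guard only protects your server; the card data must also never pass through your page or scripts, which is why the gateway's hosted form or its client-side tokenization is used to collect it.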