Thursday, May 02, 2013

e-Commerce PCI compliance

Payment gateways like Authorize.net now require merchants to be PCI compliant for e-commerce. Even if you are using event registration software like Event Espresso for WordPress, you will still be required to go through this process.

My advice: use a HOSTED checkout.

There are really only two practical ways to become PCI compliant. Here is the rundown of each.

  1. Use a hosted checkout like Authorize.net SIM or PayPal Standard. The customer leaves your website to enter their card details on the processor's page and is then returned to your site, so the card number never touches your server. This is the most cost-effective option: you can keep the cheaper hosting and you don't have to pay for scanning services like SecurityMetrics. It shrinks your PCI scope rather than removing it entirely (you still attest to compliance each year, but with the short self-assessment questionnaire that applies when card data never touches your systems).

    Here is a picture that explains it.
    http://developer.authorize.net/api/howitworks/sim/
  2. Move the site to a Virtual Private Server or dedicated host, which is severe overkill for the online business you are running. A VPS generally costs $50-$75+ a month and a dedicated server even more. Along with the new server we would need to purchase and install a wildcard SSL certificate (around $100) so that every service on the domain (web, email, FTP, etc.) can be run over TLS.

    Then, once all of that is in place, we run the SecurityMetrics vulnerability scans (each takes roughly 12 hours), review the findings and work with the hosting support team to make the changes. There are usually several rounds of back and forth before the server passes. And it is not a one-time job: the scan rules change periodically to keep up with software updates and newly discovered security holes, and PCI requires the scans to be repeated quarterly, so the server has to keep passing.
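To make the difference between the two options concrete, here is a small model of the hosted hand-off in option 1. It is an added example written for this post, not code from Authorize.net, PayPal or Event Espresso; the field names, the shared-secret HMAC-SHA256 signing, the URLs and the stand-in "processor" are all assumptions made for illustration. The point it shows is that the merchant side only ever describes the order (amount, order ID) and verifies the signed result that comes back; the card number is typed into the processor's page and exists only inside the simulated processor function. It also shows the check people forget with a hosted checkout: the return trip has to be verified (signature, amount, order, freshness, no replay) or anyone can load your "thank you" URL with status=approved.

```python
"""Hosted-checkout hand-off and return verification (illustrative model).

Not Authorize.net SIM or PayPal's protocol: field names, the signing scheme
and the processor behaviour are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed values standing in for what a processor issues to a merchant.
MERCHANT_ID = "merchant-123"
SHARED_SECRET = b"example-shared-secret-not-a-real-key"
CHECKOUT_URL = "https://pay.example-processor.test/checkout"  # assumed


def _sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted) rendering so both sides hash the same bytes."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_checkout_redirect(order_id: str, amount_cents: int, return_url: str) -> str:
    """Merchant side: describe the order, then send the customer away.

    Note there is no card field anywhere in here; that is the whole point.
    """
    fields = {
        "merchant": MERCHANT_ID,
        "order": order_id,
        "amount": str(amount_cents),
        "currency": "USD",
        "ts": str(int(time.time())),
        "nonce": secrets.token_hex(8),
        "return_url": return_url,
    }
    fields["sig"] = _sign(fields, SHARED_SECRET)
    return CHECKOUT_URL + "?" + urlencode(fields)


def simulate_processor(redirect_url: str, card_number: str, status: str = "approved") -> str:
    """Stand-in for the processor's hosted page (constructed for the example).

    The card number arrives here, on the processor's host, never at the merchant.
    Returns the query string the customer is sent back to the merchant with.
    """
    request = {k: v[0] for k, v in parse_qs(redirect_url.split("?", 1)[1]).items()}
    sig = request.pop("sig")
    if not hmac.compare_digest(sig, _sign(request, SHARED_SECRET)):
        raise ValueError("processor rejected unsigned/tampered checkout request")
    result = {
        "merchant": request["merchant"],
        "order": request["order"],
        "amount": request["amount"],
        "currency": request["currency"],
        "status": status,
        "txn": secrets.token_hex(8),      # processor's transaction reference
        "ts": str(int(time.time())),
        "last4": card_number[-4:],        # the only card-derived data the merchant sees
    }
    result["sig"] = _sign(result, SHARED_SECRET)
    return urlencode(result)


def verify_return(query: str, expected_order: str, expected_amount_cents: int,
                  seen_txns: set, max_age_seconds: int = 900) -> bool:
    """Merchant side: accept the order only if the signed result checks out."""
    try:
        params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    except ValueError:
        return False
    sig = params.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, _sign(params, SHARED_SECRET)):
        return False                                   # forged or tampered
    if params.get("merchant") != MERCHANT_ID or params.get("order") != expected_order:
        return False                                   # someone else's result
    if params.get("amount") != str(expected_amount_cents) or params.get("currency") != "USD":
        return False                                   # paid the wrong amount
    if params.get("status") != "approved":
        return False                                   # declined is still signed
    try:
        age = time.time() - int(params.get("ts", "0"))
    except ValueError:
        return False
    if not 0 <= age <= max_age_seconds:
        return False                                   # stale result
    txn = params.get("txn")
    if not txn or txn in seen_txns:
        return False                                   # replayed result
    seen_txns.add(txn)
    return True


if __name__ == "__main__":
    url = build_checkout_redirect("order-42", 1999, "https://shop.example.test/thanks")
    back = simulate_processor(url, "4111111111111111")   # constructed test card number
    print("first return accepted:", verify_return(back, "order-42", 1999, set()))
```

In a real integration the processor defines the return fields and the signature or hash you are expected to check; use whatever it provides for that purpose and apply the same four checks (signature, amount and order match, freshness, no replay) before marking the registration as paid.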

 As you can see, option 2 gets expensive quickly, so I wanted you to be able to make an informed decision.

The question really becomes: how much does a hosted checkout bother you and your customers?
And are we selling enough to make option 2 worthwhile?


 Of course, all of this covers only the website. If you process or store credit cards in house, those systems need to be PCI compliant as well, and the simplest way to keep that manageable is not to store card numbers at all.


