Jump to content

Pci Data Security Standard

Recommended Posts

I have been researching setting up an e-commerce system using OS-commerce or CubeCart/ZenCart installed via Fantastico. My initial thought was to use PayPal Direct (the $20 per month option where customers do not need to leave your Web site and the shopping cart communcates with PayPal using the PayPal API).


I then started reading about the PCI (Payment Card Industry) Data Security Standard. This was created when VISA, American Express, Diner's Club, Discover Card, JCB and MasterCard collaborated to produce a set of standards known as the PCI Data Security Standard. All Merchants and Service Providers that handle, transmit, store or process information concerning any of these cards are required to be compliant with PCI as of June 30, 2005. Penalties for non-complaince are severe.


So, say I set up CubeCart, got an SSL certifificate etc I would certainly be handling and transmitting credit card information. I'm not sure whether I would be storing or processing credit card information based on the configuration mentioned above (i.e. CubeCart, SSL), but irrespective of that, it appears that I would need to be compliant with the PCI Data Security Standard.


Has anyone come across this? How would I go about making sure that I was compliant (the standard includes things like making sure data is behind a firewall - something I am sure Total Choice have taken care of)?

Link to comment
Share on other sites

Guest Serpentine



Take this with a grain of salt. First you need to determine what group you fall under, I am just taking a guess and thinking that most readers of this post fall into level 4 in that you are processing fewer than 20,000 transactions per year. If you are above that and up to 150K then you are at level 3. Level 2 is from there to 6 million transactions per year. Level 1 is above 6M transactions yearly.


Now, lets say you are at the Level 4 category you are required to comply with the standards but you are not required to have an onsite security audit, it is recommended that you complete the Self-Assessment Questionnaire annually and they recommend that you have a yearly network scan.



Here is a Self Assessment Questionnaire I found. Now, you can't answer all of those questions yourself because you need to know some things about where your server is. I can't answer those parts either but I gather that most of the answers are yes.


So what if you are Level 4 and do not do what they recommend? I can’t answer that, from the VISA site it looks pretty grey if you are in that category. I will be honest, I am not an expert on this. I am not sure if I am reading all of it right but if you use your cart and have SSL and are under 20K transactions per year than as I read it, you should be ok. Your merchant provider MUST be compliant so things should be ok for you as long as you are not storing card data any longer than necessary to perform the transaction.


Hopefully, someone with a better understanding of the policy will come along and clarify it for us.

Link to comment
Share on other sites

Thanks, that makes it a lot clearer. I would definitely be at the low end.


When I looked at osCommerce it appeared that credit card numbers are stored on the database - I don't know if this is the case with other carts that can be auto-installed on TotalChoice Hosting.

Link to comment
Share on other sites

Guest Serpentine

I believe it depends on the method of the transaction/merchant used/contributions used as to how much is really stored of the number.

Edited by Serpentine
Link to comment
Share on other sites

  • 4 years later...

The above information about PCI Compliance for lower-level merchants used to be true. Now, however, smaller and smaller (transaction level or dollar level) merchants are being forced to comply.


Wells Fargo (with AuthorizeNet) are now requiring a compliance audit for all on-line merchants. We are currently trying to complete this audit and the issue is raised as to whether the web-server (we are virtual hosted on our own reseller account) is hosted in a secure environment.


So the question is, what is TotalChoice's data-center PCI compliance level? Is access logged (both physical to facility and root logins)? Cameras? Video retained? Et cetera...




Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...