Solved

Do we need to be PCI DSS compliant on accepting credit card payments?

Posted on 2008-10-30
2
1,113 Views
Last Modified: 2013-11-29
Authorize.NET claims that AIM method can be used to make the customers enter the Credit Card information in our website and that the transaction happen in the background. Typically, I assume that the CC data is transferred to them. PCI DSS states that:

"A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined"

We would like to use AIM method of Authorize.NET (on an internet merchant account) on our SSL page to accept (or transfer) CC payment from our customers. Do "we" need to get PCI DSS compliance and does it cost $?

Please advise.
0
Comment
Question by:ldbkutty
2 Comments
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 300 total points
Comment Utility
Hi ldbkutty,

There's a lot of noise about PCI DSS compliance at the moment and no one is really sure where things will end up.  If there was a push to drop all e-commerce that is not PCI DSS compliant overnight, the economy would probably collapse, so don't treat this as a major emergency.  However, compliance DOES make a difference as to the rates you pay on the transactions from the credit companies, so you should pay attention.

Right now, I am telling all of my clients to treat it as a best practices issue and to try to maintain compliance when possible.  If you have the time and energy to read and redesign to comply, go for it.  

Authorize.Net claims that they are in compliance:

http://www.authorize.net/solutions/merchantsolutions/merchantservices/ambirontrustwave/

so you would just need to make sure your end of things are okay.
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 200 total points
Comment Utility
The owner of the merchant account requires to be PCI Compliant.  If you're outsourcing transactions then this is cut back somewhat, and if you don't take any face-to-face transactions (ie have a POS device in your store), then SAQ-A would be most relevant (v1.2):

https://pcisecuritystandards.org/saq/instructions.shtml

This requires you to implement strong physical/access controls on any card data onsite (for example, maybe you're printing it off, or have historical records?) and an information security policy that ensures there is a written agreement between yourself and any 3rd parties that handle cardholder data.

Authorize.net are soon up for re-certification (this month), but are currently compliant for customers in the US region (not sure about India?):

http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

However, it's not enough just to refer to this document if asked by your acquiring bank or assessor - you need a contract in place to ensure that your providers remain PCI Compliant and take full responsiblity for any compromise that occurs.  Remember that certification is a one-time process and in the case of Authorize.net, validated that they were PCI Compliant in Novemeber of last year.  Who knows what's happened since...?
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Read about how to choose the best possible content marketing agency to suit your needs. Content marketing has become an integral part of running a successful tech business, so it is wise to be informed.
Every business owner understands the significance of online customer reviews and the impact it can have on sales and revenues. With technology advancing at such a rapid pace, getting online reviews has never been easier, especially when many regions…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now