Do we need to be PCI DSS compliant on accepting credit card payments?

Posted on 2008-10-30
Last Modified: 2013-11-29
Authorize.NET claims that the AIM method can be used to let customers enter their credit card information on our website, with the transaction happening in the background. Typically, I assume that the CC data is transferred to them. PCI DSS states that:

"A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined"

We would like to use the AIM method of Authorize.NET (on an internet merchant account) on our SSL page to accept (or transfer) CC payments from our customers. Do "we" need to get PCI DSS compliance, and does it cost $?

Please advise.
Question by:ldbkutty
2 Comments
Accepted Solution by Jason C. Levine (earned 300 total points), ID: 22846628
Hi ldbkutty,

There's a lot of noise about PCI DSS compliance at the moment and no one is really sure where things will end up. If there was a push to drop all e-commerce that is not PCI DSS compliant overnight, the economy would probably collapse, so don't treat this as a major emergency. However, compliance DOES make a difference to the rates you pay on transactions from the credit card companies, so you should pay attention.

Right now, I am telling all of my clients to treat it as a best-practices issue and to try to maintain compliance when possible. If you have the time and energy to read and redesign to comply, go for it.

Authorize.Net claims that they are in compliance:

http://www.authorize.net/solutions/merchantsolutions/merchantservices/ambirontrustwave/

so you would just need to make sure your end of things is okay.
Assisted Solution by Tim Holman (earned 200 total points), ID: 22861318
The owner of the merchant account is required to be PCI compliant. If you're outsourcing transactions then this is cut back somewhat, and if you don't take any face-to-face transactions (i.e. have a POS device in your store), then SAQ-A would be most relevant (v1.2):

https://pcisecuritystandards.org/saq/instructions.shtml

This requires you to implement strong physical/access controls on any card data onsite (for example, maybe you're printing it off, or have historical records?) and an information security policy that ensures there is a written agreement between yourself and any third parties that handle cardholder data.

Authorize.net is soon up for re-certification (this month), but is currently compliant for customers in the US region (not sure about India?):

http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

However, it's not enough just to refer to this document if asked by your acquiring bank or assessor - you need a contract in place to ensure that your providers remain PCI compliant and take full responsibility for any compromise that occurs. Remember that certification is a one-time process and, in the case of Authorize.net, validated that they were PCI compliant in November of last year. Who knows what's happened since...?
