• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1129
  • Last Modified:

Do we need to be PCI DSS compliant on accepting credit card payments?

Authorize.NET claims that AIM method can be used to make the customers enter the Credit Card information in our website and that the transaction happen in the background. Typically, I assume that the CC data is transferred to them. PCI DSS states that:

"A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined"

We would like to use AIM method of Authorize.NET (on an internet merchant account) on our SSL page to accept (or transfer) CC payment from our customers. Do "we" need to get PCI DSS compliance and does it cost $?

Please advise.
0
ldbkutty
Asked:
ldbkutty
2 Solutions
 
Jason C. LevineNo oneCommented:
Hi ldbkutty,

There's a lot of noise about PCI DSS compliance at the moment and no one is really sure where things will end up.  If there was a push to drop all e-commerce that is not PCI DSS compliant overnight, the economy would probably collapse, so don't treat this as a major emergency.  However, compliance DOES make a difference as to the rates you pay on the transactions from the credit companies, so you should pay attention.

Right now, I am telling all of my clients to treat it as a best practices issue and to try to maintain compliance when possible.  If you have the time and energy to read and redesign to comply, go for it.  

Authorize.Net claims that they are in compliance:

http://www.authorize.net/solutions/merchantsolutions/merchantservices/ambirontrustwave/

so you would just need to make sure your end of things are okay.
0
 
Tim HolmanCommented:
The owner of the merchant account requires to be PCI Compliant.  If you're outsourcing transactions then this is cut back somewhat, and if you don't take any face-to-face transactions (ie have a POS device in your store), then SAQ-A would be most relevant (v1.2):

https://pcisecuritystandards.org/saq/instructions.shtml

This requires you to implement strong physical/access controls on any card data onsite (for example, maybe you're printing it off, or have historical records?) and an information security policy that ensures there is a written agreement between yourself and any 3rd parties that handle cardholder data.

Authorize.net are soon up for re-certification (this month), but are currently compliant for customers in the US region (not sure about India?):

http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

However, it's not enough just to refer to this document if asked by your acquiring bank or assessor - you need a contract in place to ensure that your providers remain PCI Compliant and take full responsiblity for any compromise that occurs.  Remember that certification is a one-time process and in the case of Authorize.net, validated that they were PCI Compliant in Novemeber of last year.  Who knows what's happened since...?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now