PCI Compliance

May 20, 2008

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined. Merchants and payment card service providers must validate their compliance periodically. This validation is conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs). Although individuals receive QSA status, reports on compliance can only be signed off by an individual QSA on behalf of a PCI Council approved consultancy. Smaller companies, processing fewer than about 80,000 transactions a year, are allowed to complete a self-assessment questionnaire. Source: Wikipedia.

I used to have a customer that processed payments through his own PDQ (POS Terminal) machine – in order to save the cost of purchasing an external processor such as ProtX or Worldpay etc. Many times, I told him that if his site got abused, he could be liable for big trouble – fortunately his site never did get hacked whilst he was with me. He went to some other coder 3 or 4 years ago – I have no idea if he is still storing CC info in the database.

Just yesterday, I came across a post in the osCommerce Forum where someone wanted the ability to take CC details directly via his site. Obviously that store owner needs to be re-educated. Whose responsibility is that? Surely each service provider should be sending letters to their customers to remind them of the importance of not storing CC details.

Anyway, the point of this post is to make you aware that your site must be PCI compliant. This means acting within the rules set out by the card schemes, which your acquiring bank and payment service provider enforce through your merchant agreement. If you are in breach, and you get caught out, you’ll be sh1t-deep in trouble.

PLEASE do not store CC details in your osCommerce shop, and PLEASE do not use the Credit Card Module that ships with osCommerce: it writes the card number into the orders table of your database in plain text, which is exactly the stored cardholder data that PCI DSS requires you to protect. If you want to take Credit Cards, use an external processor such as Worldpay, ProtX or even Paypal. With a hosted payment page the card number never touches your server, which keeps it out of your database and keeps most of PCI DSS out of your scope. Let them take the worry away from you!
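If you have ever run the bundled module, or inherited a shop from someone who did, the first thing to find out is whether card numbers are sitting in your database right now. The script below is an added example, not code from this post or from osCommerce: it scans a database dump for anything that looks like a card number and passes the Luhn checksum, and reports the hits masked. It scans every line rather than just the cc_number column, because card numbers also turn up where nobody planned to store them (order comments, customer notes). The sample dump is constructed; its column names follow the osCommerce 2.2 orders table, and the card numbers are the publicly known Visa/MasterCard test numbers, not real cards.

```python
"""Audit a database dump for stored card numbers (PANs).

Added example, not code from the original post or from osCommerce. The
sample dump below is constructed; its column names (cc_type, cc_owner,
cc_number, cc_expires) follow the osCommerce 2.2 orders table, and the
card numbers are the publicly known Visa/MasterCard test numbers.
"""
import re
from typing import List, Tuple

# Constructed sample of what a dump looks like after the bundled Credit Card
# module has been used. Line 5 shows a PAN that leaked into a free-text
# comments table, which a check of the cc_number column alone would miss.
SAMPLE_DUMP = """\
INSERT INTO orders (orders_id, customers_name, cc_type, cc_owner, cc_number, cc_expires) VALUES (1001, 'Alice Example', 'Visa', 'Alice Example', '4111111111111111', '0510');
INSERT INTO orders (orders_id, customers_name, cc_type, cc_owner, cc_number, cc_expires) VALUES (1002, 'Bob Example', '', '', '', '');
INSERT INTO orders (orders_id, customers_name, cc_type, cc_owner, cc_number, cc_expires) VALUES (1003, 'Carol Example', 'MasterCard', 'Carol Example', '5500 0000 0000 0004', '1209');
INSERT INTO orders (orders_id, customers_name, cc_type, cc_owner, cc_number, cc_expires) VALUES (1004, 'Dan Example', 'Visa', 'Dan Example', '4111111111111112', '0110');
INSERT INTO orders_status_history (orders_id, date_added, comments) VALUES (1003, '2008-05-19 14:02:11', 'Customer phoned, retry with 4012 8888 8888 1881 and ring back on 01234 567890');
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check, the checksum every payment card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like PANs and pass Luhn."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_dump(dump: str) -> List[Tuple[int, str]]:
    """Scan every line of a dump; report (line number, masked PAN) per hit.

    The report deliberately never contains a full PAN, otherwise the audit
    output would itself become another place cardholder data is stored.
    """
    hits = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for lineno, masked in audit_dump(SAMPLE_DUMP):
        print(f"line {lineno}: stored PAN {masked}")
    # line 1: stored PAN 411111******1111
    # line 3: stored PAN 550000******0004
    # line 5: stored PAN 401288******1881
```

Run it against a mysqldump of the live shop (not just the orders table). Line 4 of the sample shows why the Luhn check matters: a 16-digit value that fails the checksum is reported as nothing, which keeps order IDs, phone numbers and timestamps out of the report. Anything the script does find has to be securely deleted, not just masked in place, and the payment module that put it there replaced.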

What Happens If YOUR Business Does Not Become PCI Compliant?

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards.

  • Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.
  • You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
  • If you do not notify the companies of probable or actual violations or thefts of your customers’ information, you will also be fined. Again, Visa can charge you as much as $100,000 per incident.
  • Other fines may be charged if the credit card company feels that your company’s violations pose a risk to the credit card company and/or its members.

Read more online at pcicomplianceguide.org
