What is PCI compliance?
As a consumer, you will have received replacement credit cards with the new chip technology. As a merchant with a brick-and-mortar location, you will no doubt have heard of PCI compliance from your bank or merchant account provider. If not, you should find out, or risk getting fined.
This standard affects your online shop as well, so I wanted to take the time to explain it and to present some options.
The credit card companies (Visa, MasterCard, Amex, JCB, Discover) have developed the Payment Card Industry (PCI) Data Security Standard to ensure that merchants and service providers meet minimum standards of security when storing, processing and transmitting cardholder data. PCI requires you to demonstrate that you comply with these stricter security requirements. Using self-assessments and security scans available through a PCI Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), you can ensure PCI compliance by June 2010.
There are only three methods of processing a credit card payment through a shopping cart in an automated fashion. These are:
- The integrated method, where a site collects the cc data for transmission ONLY through a merchant gateway. To use this, the site must be PCI compliant – this means you must have an SSL certificate with a dedicated IP and comply with security scans. In addition, to continue using this method past June 2010, the cart software needs to be PA-DSS certified as well even if it doesn’t actually store the cc data.
- The gateway method, whereby a site collects the shopping cart quantities & pricing and then upon requesting 'checkout' redirects the user to a compliant 3rd party payment gateway who then collects all of the cc details mentioned above. This method still requires the site to be PCI compliant, however, excludes the cart software from the PA-DSS certified requirement. Given the $20,000 price tag per version, you can well imagine that Open Source software may have a tough time with this one.
- The manual method via IVR or PCI-compliant POS or at a PCI-compliant online terminal.
This means that the shopping cart software must either meet PA-DSS requirements to process credit cards on the vendor's site, or employ a means of bridging the vendor's site with the payment processor using a PCI-compliant method. There are only 4 shopping cart packages that will meet this requirement by July 2010, and none of them is free.
Zen Cart v2.0 proclaims that it will meet that standard. However, most of you have upgraded to v1.3.8a with all security patches applied. osCommerce users also do NOT meet the standard. However, there is a workaround for this that may or may not require you to change your merchant account provider. creSecure is a PA-DSS and PCI-compliant method of bridging the gap between Open Source (free) software and your payment gateway. We would install it as a replacement for your current payment module. When you create an account with creSecure, you can choose the payment gateway from those available. Limitations on payment gateways may apply. The creSecure payment module will then transmit the cc information via their hosted pay page (HTML clone) to your payment gateway (see process diagram). Additional fees may apply.
Depending on which payment gateway you are using, you may need to consider creSecure. Regardless of which method you use, you must fill out the QSA form appropriate to you and pay for a 3rd party to ensure you maintain compliance.
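The security-relevant difference between the integrated method and the gateway method is which system ever sees cardholder data. The model below is an added example written for this article; it is not code from Zen Cart, osCommerce, creSecure or any payment gateway, and it is in Python as a language-neutral sketch rather than the carts' PHP. The handoff field names, the HMAC-SHA256 signing of the redirect and the callback, the shared secret and the sample order are all assumptions made for the example (real gateways each define their own protocol). The last function is a guard a store owner can run against the handoff payload or the cart's logs to confirm that nothing card-number-shaped leaks into them.

```python
"""Gateway-method checkout handoff: the cart posts only order data to a hosted
pay page and never touches the card number, expiry or CVV. Signing scheme and
field names are assumptions for this example, not any real gateway's API."""
import hashlib
import hmac
import re

# Shared secret the gateway would issue to the merchant (constructed placeholder).
MERCHANT_SECRET = b"example-shared-secret-not-real"

# Fields the cart is allowed to send. Note the absence of any card fields:
# the customer types those on the gateway's hosted page, not on the shop.
HANDOFF_FIELDS = ("merchant_id", "order_id", "amount", "currency", "return_url")


def sign(fields: dict, secret: bytes) -> str:
    """HMAC over a canonical 'key=value' list so either side can detect a
    tampered field (e.g. a customer editing the amount in the redirect form)."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_gateway_redirect(order: dict, secret: bytes = MERCHANT_SECRET) -> dict:
    """Build the form the cart posts to the hosted pay page (gateway method)."""
    fields = {k: str(order[k]) for k in HANDOFF_FIELDS}
    fields["signature"] = sign(fields, secret)
    return fields


def verify_gateway_callback(params: dict, secret: bytes = MERCHANT_SECRET) -> bool:
    """Check the gateway's return notification before marking an order paid.
    compare_digest is constant-time, so the check does not leak the MAC."""
    params = dict(params)
    provided = params.pop("signature", "")
    expected = sign(params, secret)
    return hmac.compare_digest(provided, expected)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pan_like_values(payload: dict) -> list:
    """Return the keys whose values contain a 13-19 digit, Luhn-valid run.
    A gateway-method handoff (and the cart's logs) should yield an empty list;
    an integrated-method form, which carries the card number, will not."""
    hits = []
    for key, value in payload.items():
        compact = str(value).replace(" ", "").replace("-", "")
        if any(luhn_ok(m.group()) for m in PAN_RE.finditer(compact)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Constructed sample order; nothing here is real merchant data.
    order = {"merchant_id": "M123", "order_id": "1001", "amount": "49.99",
             "currency": "CAD", "return_url": "https://shop.example/return"}
    redirect = build_gateway_redirect(order)
    print("handoff fields:", sorted(redirect))
    print("card-like values in handoff:", find_pan_like_values(redirect))
    # What an integrated-method module would have handled on the shop itself
    # (standard test card number, not a real account):
    integrated_form = {"cc_number": "4111 1111 1111 1111", "cc_cvv": "123"}
    print("card-like values in integrated form:", find_pan_like_values(integrated_form))
```

The point of the guard is scope: if `find_pan_like_values` ever reports a hit on data the shop stored, logged or transmitted, the site is back in the integrated method and the PA-DSS question for the cart software applies again.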
Zen Cart and osCommerce come with default payment modules. These payment modules are classified according to the methods they employ to process payments:
- Online – Processing is done in real time with an external payment processor.
- Offline – Processing is done after the information is collected, and the store owner has to take action to complete the payment.
Add-on modules are also available to work with non-standard merchant providers. They are not part of the core software and may not meet the new standards. To determine whether your module meets PCI compliance, please refer to the provider's Terms of Service or speak to your account representative. If a virtual terminal is included with your account (for example, Moneris), you may want to switch to the Credit Card module and manually enter the payment through your virtual terminal.
| Module | Method | Comments | Action |
|---|---|---|---|
| Cash on Delivery | Offline | Payment is received on delivery of goods. Not advisable for global e-commerce! | You're OK and do not need to adhere to PCI standards. |
| Check/Money Order | Offline | Customers will mail in their check or money order separately after placing their orders. | You should be OK and do not need to adhere to PCI standards. |
| Credit Card | Offline | Customers transmit their credit card information to you and you process the payment with your bank separately. | You need: |
| Authorize.net | Online | Integrates with the Authorize.net payment processor. See http://www.authorize.net/ for details. | Available to US clients only. You need to be PCI compliant and must have: |
| Linkpoint/YourPay API | Online | Integrates with the LinkPoint payment gateway. For more information on signing up for a merchant account and using this module, go to http://www.zen-cart.com/partners/linkpoint for details. | Available to US clients only. You need to be PCI compliant and must have: |
| PayPal IPN | Online | Integrates with the PayPal payment processor. To sign up for a PayPal business account and obtain more information on PayPal, go to http://www.zen-cart.com/partners/paypal for details. | You need to be PCI compliant and must have: |
| PayPal Express Checkout | Online | Also integrates with the PayPal payment processor but has the added benefit of shortening the checkout process for customers. For more information on this payment module, turn to the PayPal Express Checkout sub-forum on Zen Cart's site. | You need: |
In addition, hosting servers and data centers are also required to be PCI compliant. Our server company has notified me that we will meet the standards by June 2010. As a result, anyone with e-commerce on their site will be required to comply with PCI standards. Failure to do so will result in termination of the account.
Questions you need to ask yourself:
- How are you processing online payment?
- Does your current module adhere to PCI standards?
- Does your cart software need to be PA-DSS compliant?
- Do you have an SSL certificate on your site?
- Is there a list of 3rd party scan providers?
- Is there an FAQ I can refer to?
Timelines are as follows:
- PA-DSS for software, hosting servers and data centers: June 2010
- PCI-DSS for website and store owners: July 2010
This information is based on our understanding of the new standards, is provided as is, and requires that you do your own due diligence.