Posts Tagged ‘PCI’

This is a guest blog from 3DCart Co-founder and CEO Gonazlo Gil. 3DCart is a technology partner with a robust eCommerce platform hosting thousands of merchants all over the world … And it’s clear they have an enduring drive for innovation and value.

5 Must-Have Features in a Hosted Ecommerce Provider

In 1997, the concept that would eventually become 3DCart came into existence. I developed 3DCart with the idea of putting every single ecommerce tool and resource at the fingertips of web entrepreneurs so anyone with a computer could start their own online store. Today, we’re still going strong, and we pride ourselves on launching new ecommerce features before the competition has a chance.

The market for shopping carts has exploded over the past decade. If you’re considering the ecommerce business, choosing a shopping cart can get overwhelming. Because not all ecommerce software solutions are created equal, we’ve put together a list of five must-have features for aspiring entrepreneurs to consider when choosing a hosted ecommerce provider.

1. PCI Compliance to Protect Customer Information
You hear about it on the web, on the television, in the magazines: cyber-theft. Recent instances of online fraud (like the hack of Playstation’s network) have caused online shoppers to stiffen up when it comes to sharing financial information. For your sake and the sake of your customers, it’s important to put the minds of shoppers at ease as soon as they discover your brand.

Born from new rules created by the Payment Card Industry, PCI compliance standards are stringent guidelines for ensuring your online store is up to code in terms of security. The last thing you need as an online storeowner is responsibility for losing sensitive personal data to fraudsters. Beyond general culpability, you run the risk of losing trust in your brand, which could sink your business entirely.

The process for reaching PCI compliance is vigorous and expensive. That’s why most ecommerce software providers undergo PCI compliance measures on their own — so online stores can offer security to their customers. It offers a little more peace of mind on both sides of the business relationship and ensures your transactions go through smoothly.

Read the rest of 3DCart’s Guest Blog! »

I know you already know everything about PCI compliance, especially the if’s, and’s, and but’s that go along with it. But, just in case you forgot, here it is in a nutshell.
Is PCI compliance a Federal law? Nope! Not yet anyway. Some states do make it a crime to let credit card data “be” stolen.
What is PCI? It is actually PCI DSS and it stands for Payment Card Industry Data Security Standard.
Who needs it? Anyone that accepts, transmits, or stores ANY credit card data.
Are there different levels? Yes, I am glad you asked.

• Level 4 – Any merchant processing fewer than 20,000 credit card e-commerce transactions in a 12 month period
• Level 3 – 20,000 up to 1 Million transactions
• Level 2 – 1 Million up to 6 Million
• Level 1 – 6 million + (or any merchant that Visa feels should meet level 1 to minimize risks) This is what we are all striving for, right?

Who cares if you are PCI compliant? For starters, YOU should! And secondly, your merchant bank will care. They will care more the larger you get. See minimize risks statement above.
Since it isn’t a federal law should I risk it, because I know my security and I am impenetrable? I wouldn’t take that risk because you can still pay fines, card replacement costs, and pay for forensic audits, etc if someone were to get in and steal data.
How can SoftLayer help? For starters and a quick level 4 fix you can go here and get free scanning on a single IP. Combine that with a “quick” questionnaire about your physical and data security policies and voila, no onsite visit needed and you are now PCI Level 4. Mcafee can help you with you higher level compliance if you would like. Don’t take the questionnaire too lightly because remember you do care about PCI!
Ok so if you have made it this far then you must like boring reading. Go read this. It might come in handy someday. It is the “do this if you get hacked” cheat sheet.
On to 2010! MasterCard stepped up in 2009 and stated that even their Level 2 merchants had to have an onsite QSA assessment by December 31, 2010. That has now been pushed to June 30, 2011. There seems to be some confusion from the other Credit Card companies and they didn’t all jump on board. One thing that they did all agree on is that you can’t put credit card info on WEP secured wireless at all after July 2010. Just don’t do it! And don’t use old un-patched payment applications because they are insecure and will not be allowed after July as well.
This could all change just like Texas weather. If you don’t like the new rules, then just wait a couple of days and they may change it more to your liking. There are still a few things they are looking at going forward that I will let you in on and then I assure you I will stop typing. PCI 1.2 is still about stopping hackers from getting in, there is a new interest in the community on addressing “internal” hackers. The current focus of PCI is aimed at card data “after” authorization but doesn’t say much about card data that is kept prior to authorization, so you can bet that will be added soon too and of course cloud infrastructure and card data has to be on everyone’s radar screen soon.