2015 was a year marked by credit card thefts and data breaches by hackers that included major government agencies, giant health care companies, and a string of retailers including: Target, Home Depot, TJX (parent of Marshalls and TJMaxx) and even eBay – and that is just known attacks. Just today hackers stole over $67 million from the Bitcoin exchange. Who knows what consumer information is being stolen as you read this? Security measures that could have been taken were not put in place, and known vulnerabilities were left unprotected. As a result we are now seeing more advanced Credit Card readers in brick and morter stores and online there is a new set of rules that has just come out that will have a serious effect on any ecommerce operation.
February 2016 the PCI (Payment Card Industry) Council announced new rules and requirements will be considered “best practices” until compliance becomes mandatory on Feb.1, 2018. What this means is that starting in June of 2016 every ecommerce site that “touches” a Credit Card must abide by these new rules and follow certain procedures steps designed to protect customer’s credit cards. To cut to the heart of the matter, if your company has an online store that has a Credit Card payment form which is on your server or the server of your webhost – you (and your webhost) are likely in for a giant world of time consuming IT headaches and expense. This is because your entire online ordering process has to be subjected to testing which will show any known vulnerability and require a fix for every one of these vulnerabilities…some of the fixes can be quite costly and some of the fixes can be very difficult and even impractical to impliment.
So while the new PCI regulations are necessary step to help fight off hackers and protect your customer’s important information these new improvements come at a high cost which in fact may make it close to impossible for many smaller businesses to comply with unless they undertake drastic, complex and costly steps to comply. In our opinion, the clear solution is to place the bulk of the PCI compliance regulations on the backs of large third party payment processors who have the personell and IT resources to do this job and maintain compliance. In simple terms, this means DO NOT use any credit card form on your site UNLESS it is provided by a company like Stripe or Paypal. Using one of these reputable companies will allow your eCommerce store to accept credit cards without touching your server or the server of your web host – this effectively insulates your business from the deep and complex realm of PCI compliance processes that can truely overwhelming. For instance, we ran into a set of 144 technical questions that had to be perfectly answered, including vulnerability testing of the web host, underlying software, documentations of processes and more steps ad nauseum. It became all to obvious that only a large enterprise could likely manage to deal with all these regulations and it was much easier to move to a third party like Stripe or Paypal who then take on the main burden of this PCI compliance responsibility since they are the only ones that “touch” the credit card using their own online forms.