Last summer I heard a news story that warned that the entire eCommerce process was going to switch much of the liability of online credit card transactions off of major credit card companies and onto the backs of individual businesses. That time has finally arrived.
In February (2016) the Payment Card Industry (PCI) Council announced strict new rules and requirements regarding online transactions (i.e. eCommerce), which will be considered “best practices” until compliance becomes mandatory on Feb. 1, 2018. These new rules include immediate procedures and steps designed to protect customers’ credit cards – which we all want. But on the other side of this well-intended equation are the hundreds of thousands of small business owners of eCommerce websites that currently “touch” the credit cards. In other words, if your website has an online credit card form which securely passes information through SSL to a third party’s API (such as Authorize.net) that then processes the transaction, the fact that your form is “touching” the credit card opens up a virtual Pandora’s box of compliance issues that you’ll soon have to deal with. The owner of a website like this may be responsible for answering as many as 144 complex and technical questions covering web host vulnerability testing, the underlying software code, customer data transfer, logging and management, verification and documentation of processes and procedures, web hosting server security, and all manner of fixes needed for all of the above.
To cut to the chase, if your company has an online store with a credit card payment form which is on your server or which resides on the server of your webhost – you (and your webhost) are likely in for a giant world of IT headaches if you try to navigate PCI Compliance. Every part of your store and transaction process has to be subjected to vulnerability testing. If there are any “holes” in your system (which is most likely the case) then you’ll be required to fix them…every one of them, whether that requires hiring staff or programmers, fixing software, fixing servers, and/or finding and patching vulnerabilities in software or even hardware. In honesty, the road to PCI Compliance can involve a serious investment of both time and money, and don’t be surprised if some of the fixes simply can’t be done without hiring outside staff and/or professionals. In reality, they can be very difficult and even impractical to implement.
For the thousands of small business owners of eCommerce websites and online stores which have an online credit card payment form that is “touched” by your software and/or your webhost, we strongly advise you to run – not walk – to move that payment form into the hands of a reputable company such as PayPal or Stripe, thereby limiting your exposure to the deep quicksand of the entire PCI Compliance process. Using a company like Stripe still provides you with what you need – an online store which accepts credit cards – BUT also a store that won’t be run over by the almost overwhelming PCI Compliance process. Once you pass that credit card payment form into the hands of Stripe, the card data never reaches your server, so you are effectively protecting your customers’ credit card data, which is a good thing. Bottom line…brace yourself for PCI Compliance headaches or get out of the way and switch to Stripe or PayPal for online credit card processing.
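The difference between the two architectures above comes down to one question: does the raw card number ever arrive at your server? The following is an added example, not code from the original post or from Stripe or PayPal. It models the server side of both flows with constructed request bodies: the "touching" flow, where the browser posts the card number to your own checkout endpoint, and the tokenized flow, where the processor's browser-side library has already exchanged the card for an opaque token (the `tok_EXAMPLE_PLACEHOLDER` value is a placeholder, not a real token format). The `classifyCheckout` check, which scans a request body for Luhn-valid 13–19 digit strings, is the kind of test a site owner can run against a staging copy of their checkout to confirm that after the switch the backend no longer receives card data.

```javascript
// Added example: detect whether raw card numbers (PANs) reach a checkout backend.
// Not the original post's code; the request bodies and token value are constructed.

// Luhn check: true when a digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Walk a parsed request body (nested objects allowed) and return the dotted
// paths of every field whose value looks like a PAN: 13-19 digits after
// stripping spaces and dashes, and passing the Luhn check.
function findPanFields(body, prefix = "") {
  const hits = [];
  for (const [key, value] of Object.entries(body)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object") {
      hits.push(...findPanFields(value, path));
      continue;
    }
    const digits = String(value).replace(/[\s-]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(path);
  }
  return hits;
}

// Classify one checkout request: in scope if any raw card data reached the server.
function classifyCheckout(body) {
  const panFields = findPanFields(body);
  return { inScope: panFields.length > 0, panFields };
}

// Constructed sample 1: the "touching" flow. The browser posts the card form
// to your server, which would forward it to the processor's API.
// 4242 4242 4242 4242 is a widely used test number, not a real card.
const directFormPost = {
  order: { id: "ORDER-1001", amountCents: 4999 },
  card: { number: "4242 4242 4242 4242", exp: "12/28", cvc: "123" },
};

// Constructed sample 2: the tokenized flow. The processor's browser library
// already took the card details; your server only sees an opaque token.
const tokenizedPost = {
  order: { id: "ORDER-1001", amountCents: 4999 },
  paymentToken: "tok_EXAMPLE_PLACEHOLDER", // placeholder value, not a real token
};

console.log("direct form post:", classifyCheckout(directFormPost));
console.log("tokenized post:  ", classifyCheckout(tokenizedPost));
```

In the first sample the check reports `card.number` as a PAN field, which is exactly the condition that pulls your server and webhost into the compliance questionnaire described above; in the second it reports nothing, because the only payment-related value is a token that is useless outside the processor. Running this against real staging traffic (not production logs, which should never contain PANs in the first place) is a quick way to verify the hand-off actually happened everywhere, including any older forms or endpoints that were forgotten during the migration.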