PCI Compliance Nonsense

OK – I’ve had about enough of this and I need to rant somewhere!!

As everyone knows – we make websites and quite recently we have been building lots and lots of online shops. It’s usually much more of a technical job as there are so many more elements to take into consideration, one being payments and how you take them via/on your website.

There are generally three ways you can take payments, and they are as follows:

1) Simple “cash holding” payment gateways like PayPal – this takes the money and holds it in your PayPal account – not a merchant account.

2) Similar 3rd party payment gateways like SagePay – these are tied to a merchant account which is a bank account specifically for website payments.

3) Embedded payment gateways that never take anyone from your site, process the payment on your site and send money to a merchant account.

Now all apart from the 3rd (in my professional opinion) do not require any level of PCI compliance, as the payment isn’t taken on the customer website – it’s taken on or – who then need to be PCI compliant as that’s the point of it all..

Q: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.


Now somewhere along the line some idiot at the top of the ladder in the financial industry has decided that everyone who owns a merchant account (which are never and could never be hosted on our clients’ hosting environment, so again, hosted with a 3rd party) needs to be PCI compliant – what a load of rubbish!

I agree 100% that if you take/store/send payment info you need to tick every box in terms of compliance – as you are dealing with highly sensitive information – but why do my clients need to become PCI compliant if they never see the card/payment details themselves?

What the fools at the banks don’t realise is that by them making a stupid call like this (like the cookie thing a few years ago) they are forcing thousands and thousands of small to large sized businesses to unnecessarily pay to have their hosting environments PCI compliant – when they don’t need to!

Additionally, many customers with shared hosting might need to move their site to a dedicated server or VPS at a significantly higher cost to themselves – as some PCI scanners say that shared hosting can never be PCI compliant – it’s an area of much confusion & myth and really needs properly clearing up by someone who knows what they are talking about, not just some suit making a blind call with nothing to back it up.

Is there anyone out there that can (from a technical point of view, I’m actually able to search Google myself also) explain to me why ANYONE using something like SagePay with an external merchant account needs to be PCI compliant themselves?


One reply on “PCI Compliance Nonsense”

Good rant – I couldn’t agree more!

A client of ours just called me and asked if we were PCI compliant (our hosting for their website). This made my heart jump all of a sudden as I didn’t know if we were or not!

Our client was filling out their annual card safe assessment and as long as their payment systems are PCI compliant they didn’t need to hold a PCI DSS certificate themselves.

This meant that, as a website and hosting provider ourselves, we needed to be PCI DSS compliant even though our ecommerce customers only ever use PayPal, Worldpay or SagePay.

Now, if we were plugging our own server hardware into the backbone and calling ourselves a hosting company we would have had to submit ourselves for PCI assessment and pay an annual fee for a certificate. However, like most web design agencies we obtain our dedicated servers off another supplier – in our case Amazon AWS.

It was reassuring for us to read that security certification is shared (as it is all cloud based with Amazon) and that Amazon AWS is covered, which means, so are we.

It’d be worth checking with your hosting/server company before rushing out and getting a PCI assessment (not that it has you running out the door I’m sure).


