A lot of small details need to be reviewed before launching an e-commerce website, one of which is the need to be PCI DSS compliant.
Eventually, you'll need to tell your merchant company or your bank that you are opening an e-commerce website, and when you do, they'll want to know about your PCI DSS compliance.
PCI DSS Basics
PCI DSS is the acronym for Payment Card Industry Data Security Standard, which is used by Visa, MasterCard, American Express, Discover, and JCB to help protect credit card information. These payment card companies require all merchant accounts to comply with their security protocols to help minimize the possibility for hacking. "PCI DSS Compliance" or just "PCI Compliant" is the terminology used to indicate that you are complying with their security protocols.
Compliance is tricky. Most people think it's just a requirement for a website to be compliant, but it's not just the programming on your website, it also includes the hardware your website is hosted on, the internet connection in your store, and how you save customer information in your own store.
Testing & Firewalls
Maintaining compliance is not easy, and it's not cheap either. First, you have to hire a company that tests your computer network for known security holes. Their findings show you if there's a potential hole in your website software, the web server, or the firewall at your store. Fixing these problems can be expensive, especially when it comes to web server issues or firewall issues.
I could ask you when you last time you replaced or upgraded the firewall in your store, but I think a better question would be to ask you if you even have a firewall set up at your store. Most business owners are not aware that the modem provided by the cable or telephone company does not provide enough protection.
At minimum, you are supposed to test your compliance every 3 months, and make appropriate modifications. If your website isn't selling a lot, then the cost of compliance could easily overshadow the profits you make from website sales.
E-Commerce Websites
I often try to talk my customers out of e-commerce until they are fully prepared for all the implications. Photography, merchant accounts, PCI compliance, and inventory management are all tough to deal with if you are not ready for it. Also, unless you have the marketing budget to support the site, it probably won't make much money right away.
My opinion on e-commerce websites is that you should have full flexibility to change anything on the website that needs to be changed. This mostly includes marketing features, but it also includes the ability to change the checkout options in your e-commerce. Things like loyalty cards, wish list tie-ins, layaway options, and random discounts can only be programmed into a website that offers full flexibility.
However, that flexibility also brings a lot of additional security risks since you are now asking for additional customer information in exchange for the latest offer. These types of sites usually have a fully integrated checkout system and a direct tie-in to your merchant account. These types of sites are prime targets for website hackers.
It Won't Go Away
You could choose to ignore this responsibility, but the repercussions can be severe. Maintaining compliance is your way of proving to the credit card companies that you followed their instructions for keeping customer information safe. If you don't follow their instructions they might blacklist your company, or worse, you personally, from ever having another merchant account. Could your retail store survive if you only took cash as a payment?
Other than revoking your merchant account and blacklisting you, you'll also face hefty fines if customer information is stolen from you because you didn't maintain the proper security.
Other Options
Of course, the PCI DSS compliance only applies if you keep customer information saved in your website and on the computers in your store. For retail stores that customer information usually only includes payment card numbers. Other types of businesses might also hold social security numbers, medical records, or bank account information.
You can avoid the worries in your retail store by using a card swipe machine that is not connected to your point of sale system. With that method, you'll never worry about saving the card numbers.
For the website, you could use a company that provides the website, e-commerce, and payment options all built into one solution. Shopify and Squarespace are two good examples of this technique. They provide credit card payment solutions built into your website and therefore they take care of all the PCI DSS compliance. They charge higher processing fees for this service, but you have nothing to worry about. This is a great option for new companies that are starting small without any idea how if their business will work. The limitation is that you have no control over the checkout process.
Another option is to have a programmer build your website, but then use a service like PayPal to accept payments. You can integrate PayPal in such a way that your users jump from your website to PayPal to make the payment, then back to your website for the final steps. Again, this removes the PCI DSS responsibility from you and places it on PayPal, but the limitation is that you have little control over the checkout process.
Proving Compliance
To prove PCI compliance, you'll have to hire a 3rd party company to try hacking your website on a quarterly basis. They will provide reports showing the security holes on your site that need to be fixed. Your bank might offer PCI DSS testing, but they also might be very expensive. I use the Trust Guard service purchased for $27/month through this reseller here: https://www.trust-guard.com/stellium/?id=66. Your programmer will have to apply a security patch to your website every time a problem is found.
Most small businesses are only required to prove their compliance once a year. This proof is usually in the form of a "Self-Assessment Questionnaire." It's your personal affidavit that you are keeping everything up to date and safe.
At the time of this writing, the current PCI SAQ is 15 pages long. You can download it from the Documents section of PCISecurityStandards.org at this URL:
https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
Even though the PCI DSS process is detailed and frightening, it's nothing more than another business process that must be followed, just like insurance and taxes. In case your business is ever hacked, this process will prove that you followed the rules, and it's not your fault that you were hacked.
If you don't follow the process, you will be assessed heavy fines and you might lose your ability to accept credit cards forever.
