What is PCI and what does it REALLY mean for small business

**TWD** · 10-30-2009, 10:06 AM

Ok, so my client is a small business who wants to setup his
business to accept credit card payments on HIS website without
redirecting to a third party like PayPal Standard payments.

In order to do that, what does he need to do?

I read somewhere that since Sep 30th 2009, in order
to accept credit card payments on your website
you need a PCI compliance certificate?
Is this REALLY true or just a way for consultants to scare up
some business.

What costs are involved with PCI compliance.
I think the client will need to buy some special router
hardware, is that right?

**TWD** · 11-02-2009, 01:26 AM

Anybody? Bueller? Bueller?

**chrishirst** · 11-02-2009, 04:16 AM

If you want to accept customers financial information directly and need insurance you don't have a choice.

**TWD** · 11-02-2009, 09:38 AM

Quote:

Originally Posted by chrishirst

If you want to accept customers financial information directly and need insurance you don't have a choice.

But what does it really mean though?
Do you just raise your right hand and say "yes I swear I am PCI compliant" and that's it?

Or is there some kind of audit?
I remember seeing somewhere the option of a "self-audit" (an oxymoron if ever there was one).

**chrishirst** · 11-02-2009, 10:12 AM

http://en.wikipedia.org/wiki/Payment...urity_Standard

I would suggest the unless you are handling hundreds of thousands of dollars/pounds) a merchant account would be a much cheaper option.

The merchant company are the ones who need to meet the compliance standards then.

**TWD** · 11-02-2009, 12:03 PM

So you are saying that if my client has a Merchant account they DONT need to worry about PCI?

Is it even possible to accept credit card payment WITHOUT a Merchant account (forget about PayPal etc)?

I thought the whole point of a Merchant account was that it was the only
way to take CCards and the PCI requirements are still on the merchant.

**chrishirst** · 11-02-2009, 12:09 PM

You only need PCI Compliance if you are reading and/or storing the credit card details.

With a merchant account the account provider is taking the CC info in their secure system.

**TWD** · 11-02-2009, 07:39 PM

So if the client is signed up with say, WorldPay or 2Checkout
they can't just forget about PCI?

Are you saying PCI is only an issue for larger companies WITHOUT Merchant
accounts?

Sorry but this is a bit confusing.

**chrishirst** · 11-02-2009, 07:53 PM

Basically Yes & Sort of

If you want to handle your own collection of CC details (for rebilling or subsequent transactions etc) THEN you need PCI.

Compliance is all about ensuring that only authorised staff have access to CC records and your outward facing system are secure from infiltration

If you NEVER have access to CC details as they pass through the payment process then you don't need PCI.

**TWD** · 11-03-2009, 01:18 AM

Alrighty , that makes sense then.

So in the case of a hotel that accepts peoples credit card details
as a form of collateral for holding a room booking (in some cases the customer later pays by check or cash), they WOULD need to worry about PCI.

On the other hand, for John Doe who sells widgets via his website shopping cart with a 2CheckOut merchant account, he doesn't.

Correct?