Adding ecommerce?

“I want to add a shopping cart. How much will that cost?”

These are words that give me a chill. Partly because I cannot answer the question without a bunch more questions being asked and answered, but partly because invariably I know that most small companies, the ones that are our bread and butter, are mostly ill-prepared for the rigors of PCI compliance.

Even the simplest shopping cart is a complex beast. There are many decisions that must be made surrounding the products, pricing variables, shipping, inventory, accepting payment, etc. As if these items alone were not complex enough, we also must help our customers through the external influences, including how payments will be made, third-party security certificate companies, payment gateway companies, payment processing companies, and working with their own bank to get deposits into their accounts. Just because a company can accept face-to-face, card-present credit card transactions does not mean that their accounts have been set up for web-based transactions. Then consider the connections to USPS, UPS, etc. needed to get “real-time” shipping charges from point A to B. This can be a confusing and difficult journey for the uninitiated.

But the Grand Daddy of all is working through PCI (Payment Card Industry) compliance. All companies who accept credit cards must ensure that they are PCI compliant, meeting the Data Security Standards (DSS). Most fall under the self-assessment questionnaire (SAQ) rules, at least initially. There are 5 different versions of the SAQ, and which one you must use depends on exactly how you process charges. Three of those versions apply to e-commerce. Additionally, there are levels (1-4), primarily based on the number of transactions a company handles. If you process fewer than 20,000 transactions per month, you are a level 4. More than a million, and you fall under the level 1 requirement. If you have a breach and are found NOT PCI compliant at your current level, you get bumped to level 1 regardless of your number of transactions. It is a simple one-strike-and-you-are-out ruling.

The 3 versions of the SAQ that affect most shopping carts are SAQ-A, SAQ-C and SAQ-D. At SAQ-A, you do not accept credit cards at all; you send people to a different site to process their card information. Completing the self-assessment for SAQ-A will typically take a few hours of your time. The number of PCI controls you must meet is between 13 and 15. Most of these involve internal controls of credit card protection/access levels.

Most small companies who accept credit cards on their site but do not store credit cards will fall under the SAQ-C guidelines. At this level, the self-assessment audits are more complex, take longer and should be done quarterly. The number of PCI controls that must be met jumps to 80. Most of these are internal, but they also involve security certificates, server-level access controls and other external compliance concerns.

SAQ-D level requirements jump to 288. Meeting these requirements requires dedicated servers and high levels of security access.

Generally, the less access you have to credit card numbers, names, addresses and CVV, the easier it is to be compliant. If you ever store this information, that puts you into SAQ-D territory. If your shopping cart/website takes the number and immediately forwards it encrypted to a gateway and never stores it, you will likely fall in SAQ-C. And if you send the user to another site to process the card information, you will likely fall into SAQ-A. But even a SAQ-A user can be held in non-compliance if their code is not kept in a secure environment.

There are 2 very common practices that cannot be allowed if you are maintaining a secure environment:

  1. FTP access, a standard for many sites.
  2. Using the default username and password to access any admin functions of your site.

For more information on PCI compliance, refer to the PCI Security Standards Council website:

About the Author PFD-Admin