Practical Ecommerce

Early Impact Co-founder on PCI Compliance

Payment Card Industry (PCI) compliance is a complex issue that’s difficult for ecommerce merchants to understand. It’s also a complex issue for vendors. But it cannot be ignored. Massimo Arrigoni is the co-owner of Early Impact, developer of the licensed shopping cart ProductCart. He has thoroughly studied the PCI compliance issue. In this eCommerce Conversation he gives us a vendor perspective on becoming PCI compliant.


  1. Massimo Arrigoni, November 11, 2009

    One clarification that might be helpful. In the podcast the “Self Assessment Questionnaire” or “SAQ” came up several times, but… which questionnaire applies to you? There are 4, labeled with letters A to D (https://www.pcisecuritystandards.org/saq/instructions_dss.shtml).

    SAQ A is short and sweet, but only applies to certain scenarios. B & C don’t apply to e-commerce businesses. D applies in most cases.

    If you only need to fill out “SAQ A”, being PCI Compliant becomes much easier. So, when can you do that? You can if your e-commerce system (shopping cart) does NOT transmit or store any credit card information.

    When does that happen?

    – When there is no payment option that involves payment information (e.g. you are only taking reservations or class sign-ups, with no payment).

    – You are using ONLY an outsourced checkout process, meaning that no payment information is ever entered on your Web store (but rather on a page hosted on the payment system’s Web site), and no payment information is ever stored in your database. This is true, for example, when the ONLY payment option active on your e-commerce store is:

        – Google Checkout
        – PayPal Express Checkout
        – PayPal Standard
        – and a few others

    In all other cases you must use SAQ D.