23390123_b6caaefc16_b

Anyone setting up — or maintaining — an online store faces the issue of PCI compliance.

This is a set of standards set down by credit card companies to protect online shoppers from fraud and identity theft. Both problems are growing fast. In fact, more than 15 million Americans have their identities stolen every year, which costs financial institutions more than $50 billion in losses.

With stakes this high, your ecommerce operation simply must meet the PCI standards.

The History of PCI Compliance

More than a decade ago, ecommerce was taking off. But credit card companies like American Express, MasterCard and Visa stood to lose billions from fraudulent transactions. Facing a common threat, they founded the Payment Card Industry Council, and in 2004 issued the first PCI-DSS — Payment Card Industry Data Security Standards.

PCI-DSS 3.1 is the latest version, released in April 2015. Every online store that accepts credit cards must meet these requirements. Otherwise, your bank will either:

  1. refuse to accept credit card transactions from your store, or
  2. ding you for extra charges to cover your higher risk

“PCI provides a minimum set of guidelines,” says Chris Beckett, Security Operations Manager for Bigcommerce. “Those guidelines go into a lot of nooks and crannies, and make sure you do things up to industry standards. But, this can be quite hard for some people, especially smaller merchants with no one dedicated to security.”

That includes most online stores, especially those at PCI Level 4 (under 20,000 card transactions a year) or Level 3 (20,000 up to 1 million transactions a year).

How Your Ecommerce Technology Affects Your PCI Compliance

You can acquire ecommerce software in different ways:

  • Buying commercial software to run on your on-premise hardware
  • Using open source software on your on-premise hardware (the DIY approach)
  • Signing up for hosted software delivered as a service (SaaS)

Each approach strikes a different balance between your costs, benefits and PCI risks and workload. The table sums up the highlights, the details of which I’ll explain further.

Screen Shot 2015-10-22 at 12.35.50 PM

#1: Commercial software: the costly option

This requires you to buy and maintain your own hardware, plus shell out for a commercial software license and annual support.

The software might be PCI-compliant out of the box, or you could have lots of work getting there. But any extra support you require from the vendor for PCI will likely cost extra.

This option could work for you, if your company chooses to:

  • Buy and maintain on-premise hardware
  • Pay for an on-premise software license and support
  • Maintain in-house expertise to install, customize and maintain an ecommerce platform
  • Keep someone on call 24/7 to troubleshoot any problem and get the platform back up fast if it ever goes down

Clearly, the drawbacks here are the high costs of hardware, software and support –– plus the unknown burden of handling some of your own PCI compliance. If that doesn’t sound appealing, skip this approach and read on.

#2: On-premise, open source software: Lower cost, higher risk

This option is a lot like writing your own code. You still pay for your hardware, but you avoid paying any software license fee. Sounds like a bargain, right? Not so fast.

You have to assemble, compile, install and tweak your own software. And, as for PCI, this can turn into a money-pit. Open source is a black box where no one really knows what’s going on.

“The problem with open source is that you’re not buying from any vendor,” says Beckett. “So there’s no one to fall back on for help. You might not get any support, or no phone number you can call. Or maybe the PCI auditor might not like something about the platform.”

In that case, you’re stuck. You may have to document every step of your process in painful detail. That means holding meetings, analyzing code, sketching flowcharts, writing reports… spending weeks of effort that can easily outweigh any savings you gained from open source.

The DIY option could work, if your company can afford to:

  • Buy and maintain on-premise hardware
  • Maintain in-house expertise to link, tweak and maintain ecommerce software
  • Take staff time to hold many meetings and create PCI-related documents

Using open source software means you are responsible for 100% of your PCI compliance –– not to mention your store’s uptime. If you don’t want to take on those burdens, skip this approach and read on.

#3: Hosted software as a service (SaaS): Low cost, low risk

Software running as a service is accessed through the web, running on hardware maintained in a secure data center by your service provider. If you want to save money, and can’t spare a lot of staff to develop PCI policies and write reports, consider using a hosted ecommerce.

This way, you can forget about fiddling with ecommerce hardware and software, pay one monthly fee to cover your ecommerce platform, and remain PCI-compliant with a minimum of time and expense.

The SaaS option will work for you, if your company:

  • Wants to save money on hardware, software licenses and support
  • Doesn’t have people to fiddle with hardware and software
  • Prefers to pay one monthly fee to cover your ecommerce platform
  • Wants to remain PCI-compliant with a minimum of effort

With lower costs, less risk, and fewer PCI hassles, this option is the chosen path for many online stores.

Have any questions or concerns regarding PCI compliance for your ecommerce operations? Leave a comment below and we’ll get back to you.

Photo: Flickr, Kris Krug